Cloud Computing and Privacy Laws. Prof. Dr. Thomas Fetzer, LL.M., Technische Universität Dresden Law School

17.7. - 22.7.2011

1 German-French Summer University for Young Researchers 2011 (Deutsch-Französische Sommeruniversität für Nachwuchswissenschaftler / Université d'été franco-allemande pour jeunes chercheurs). Cloud Computing: Challenges and Opportunities. Cloud Computing and Privacy Laws. Prof. Dr. Thomas Fetzer, LL.M., Technische Universität Dresden Law School

2 Agenda
I. Characterization of Cloud Computing for legal purposes
   1. Cloud Computing vs. traditional client-server solutions
   2. Cloud types
   3. Cloud applications
II. General legal issues of cloud computing
III. The paramount importance of privacy for Cloud Computing
   1. Privacy as a success factor for new technologies
   2. Privacy as a legal obligation
IV. The foundations of privacy laws in Europe
V. Relevance of privacy laws for Cloud Computing
   1. Storage of personal data in the cloud
   2. Processing of personal data in the cloud
VI. Outlook

3 Characterization of Cloud Computing for legal purposes: Traditional Client-Server Solution

4 Characterization of Cloud Computing for legal purposes: Grid Computing

5 Characterization of Cloud Computing for legal purposes

6 Cloud types: Private Cloud, Public Cloud, Hybrid Cloud

7 Application types: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS). Cloud provider offers processing of data in the cloud: Computation-as-a-Service. Cloud provider offers storage of data in the cloud: Storage-as-a-Service.

8 Application types: involved parties. Cloud provider: cloud service provider, e.g. Amazon, Salesforce. Cloud user: company, e.g. insurance company. Data subject: individual, e.g. customer.

9 Legal implications of cloud computing. Cloud provider: cloud service provider, e.g. Amazon, Salesforce. Cloud user: company, e.g. insurance company. Data subject: individual, e.g. customer.

10 Legal implications of cloud computing: cloud provider / cloud user. Contractual questions. Service Level Agreements: accessibility and reliability of the cloud service; maintenance of the cloud service; warranty in the case of data disruption; liability in the case of third-party attacks. General contractual matters: liability in case of a breach of contract ("data as a hostage"); consequences of a merger or an acquisition of the cloud provider; consequences of a potential insolvency of the cloud provider.

11 Legal implications of cloud computing: cloud provider / cloud user. Accounting: § 146 par. 2 of the German Tax Code (AO) requires taxpayers to store tax records in Germany; § 146 par. 2a AO allows taxpayers to store tax records within the European Union only if the German tax authorities declare their consent in advance; § 148 AO allows taxpayers to store tax records outside the EU only if storing the data in Germany would create a hardship for the taxpayer; § 257 par. 4 of the German Commercial Code (HGB) requires the storage of accounting documents and business letters in a way that they can be accessed at any time for 6 to 10 years.

12 Legal implications of cloud computing: cloud provider / cloud user. Copyright law: legality of the transfer of copyright-protected materials to the cloud; liability for copyright law infringements. Criminal law, substantive criminal law: liability for uploading materials to the cloud that are potentially unlawful; duty of the cloud provider to control uploaded materials? Criminal law, procedural criminal law: access of criminal investigators to information in the cloud; access of anti-terror agencies to information in the cloud.

13 Legal implications of cloud computing: cloud provider / cloud user. Labor law: processing of personal data of employees in the cloud; usage of cloud services in combination with performance measuring technologies. Administrative law: usage of cloud services by public authorities.

14 Legal implications of cloud computing. Cloud provider: cloud service provider, e.g. Amazon, Salesforce. Cloud user: company, e.g. insurance company. Data subject: individual, e.g. customer. Data subject to cloud user: personal data, e.g. banking data. Cloud user to cloud provider: transfer of personal data of the data subject to the cloud.

15 The paramount importance of privacy for cloud computing. Privacy concerns are still a major problem for the success of Internet applications. Surveys show that customers are reluctant to have their personal data used on the Internet: fear of unauthorized attacks on data by third parties (Sony, REWE); low trust towards cloud/Internet providers (T-Mobile Germany, T-Mobile USA). Privacy is a key factor for the economic success of cloud computing.

16 The paramount importance of privacy for cloud computing. Data protection officers, at least in Europe, have raised major concerns about cloud computing. Some even question the general permissibility of cloud computing under the current legal framework on privacy. Compliance with privacy statutes is an inevitable legal necessity.

17 The foundations of privacy laws in Europe. The right to the protection of personal data (= privacy right) is rooted in the fundamental right to personal self-determination ("informational self-determination"). In Germany, privacy rights are also based on Art. 1 GG ("human dignity"), which is at the apex of the German constitution. Art. 8 Charter of Fundamental Rights of the European Union: strongly influenced by the German tradition, which has to be seen against the background of German history. During the Third Reich the individual and its personal data were irrelevant and therefore not protected by the law. Central: decision by the Bundesverfassungsgericht on the constitutionality of a census (BVerfGE 65, 1).

18 The foundations of privacy laws in Europe. Unlike in the U.S., in Europe privacy laws are strongly linked to the personality of the data subject. U.S.: privacy is primarily a question of property rights. U.S.: right to be left alone. U.S.: rights that do not have a commercial value are less protected by the law. U.S.: privacy rights can be balanced with other legally protected interests. The European framework is much stricter than the U.S. framework.

19 The foundations of privacy laws in Europe. Core principle: individuals must be able to control their personal data at any time. Personal data must not be processed without either the consent of the individual or an explicit statutory permission. The government must not intrude into the privacy of individuals AND it has a duty to protect the personal data of individuals against intrusion by other private parties. Protected personal data: any piece of information that is linked to an individual (name, address, bank information, credit history, preferences, age, sex, friends, order history). Only data that has been anonymized (pseudonymous data is not sufficient) is not captured by the fundamental right to informational self-determination.

20 Storage as a Service. Cloud user: anonymisation of personal (customer) data. Cloud user: uploading of the anonymised data to the cloud infrastructure of the cloud provider. Cloud provider: storage of anonymous data, for which privacy laws cannot be relevant by definition.

21 Relevance of privacy laws for cloud computing. For most cloud computing applications, creating anonymous data is not an option. Processing of data in the cloud requires the uncoded data. This might change when homomorphic encryption technologies evolve further. Cloud computing usually falls within the scope of privacy laws.

22 The foundations of privacy laws in Europe. Based on the theoretical foundations, the privacy framework has been harmonized by European Directives. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data of 1995(!): applies to personal data = any information relating to a natural person. Directive 2002/58/EC on privacy and electronic communication: applies only to telecommunications data (e.g. traffic data). Directive 2006/24/EC on the retention of telecommunications data: applies only to telecommunication data (e.g. traffic data, location data).

23 Jurisdiction. Generally: principle of territoriality (Art. 4 Directive 95/46/EC). EU law applies if the processing of personal data takes place within the EU: the controller is established within the EU and it processes personal data within the EU; the controller is established outside the EU but uses IT infrastructure within the EU; personal data is transferred (= processed) from the Union to a third country. Application to cloud computing: EU law applies to clouds using at least partially servers that are located within the Union (SaaS, PaaS, IaaS; private clouds, public clouds, hybrid clouds); European companies using cloud services. Problem: enforcement of privacy laws in multinational clouds; leaves room for jurisdictional arbitrage at the expense of individuals.

24 Permissibility to use a cloud for computation services under EU law. Personal data must not be processed without either the consent of the individual or an explicit statutory permission. Consent by the data subject? Not feasible, since the consent by the data subject requires the full information of the data subject in advance on questions like "where is my personal data stored at any given time?". Privacy laws allow the processing of personal data by third parties on behalf of the controller.

25 Responsibility: contract data processing. Cloud provider: processor. Cloud user: controller. Data subject: individual, e.g. customer.

26 Responsibility. Art. 6 par. 2 Directive 95/46/EC: it shall be for the controller to ensure that the obligations constituted by the Directive are complied with. Art. 2 lit. d) and e) Directive 95/46/EC: "controller" shall mean the legal person which determines the purposes and means of the processing of the personal data; "processor" shall mean the legal person which processes personal data on behalf of the controller.

27 Obligations. Generally: data security, Art. 17 par. 2 Directive 95/46/EC. The controller must ensure that the processor provides for appropriate technical and organizational measures to protect personal data. It must be guaranteed that the processor acts only on instructions by the controller. Application to cloud computing: a company that uses the service of a cloud provider must ensure that the cloud provider provides for appropriate technical and organizational measures for its entire IT to protect personal data and acts only on instructions from the client. Problem: how should a cloud user be able to ensure this if it is not necessarily predictable what infrastructure is used and where it is located?

28 Obligations: § 11 par. 2 BDSG
The processor shall be chosen carefully, with special attention to the suitability of the technical and organizational measures applied by the processor. The work to be carried out by the processor shall be specified in writing, including in particular the following:
1. the subject and duration of the work to be carried out,
2. the extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects,
3. the technical and organizational measures to be taken under Section 9,
4. the rectification, erasure and blocking of data,
5. the processor's obligations under subsection 4, in particular monitoring,
6. any right to issue subcontracts,
7. the controller's rights to monitor and the processor's corresponding obligations to accept and cooperate,
8. violations by the processor or its employees of provisions to protect personal data or of the terms specified by the controller which are subject to the obligation to notify,
9. the extent of the controller's authority to issue instructions to the processor,
10. the return of data storage media and the erasure of data recorded by the processor after the work has been carried out.
The controller shall verify compliance with the technical and organizational measures taken by the processor before data processing begins and regularly thereafter. The result shall be documented.

29 Obligations for processor (to be surveyed by the controller)
Where personal data are processed or used in automated form, the internal organization of authorities or enterprises is to be such that it meets the specific requirements of data protection. In particular, measures suited to the type of personal data or categories of data to be protected shall be taken
1. to prevent unauthorized persons from gaining access to data processing systems for processing or using personal data (access control),
2. to prevent data processing systems from being used without authorization (access control),
3. to ensure that persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording (access control),
4. to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities (disclosure control),
5. to ensure that it is possible after the fact to check and ascertain whether personal data have been entered into, altered or removed from data processing systems and if so, by whom (input control),
6. to ensure that personal data processed on behalf of others are processed strictly in compliance with the controller's instructions (job control),
7. to ensure that personal data are protected against accidental destruction or loss (availability control),
8. to ensure that data collected for different purposes can be processed separately.

30 Computation as a service. Cloud user: uploading of anonymous data to the cloud is not feasible. However: the use of a cloud service is permissible if the cloud user complies with the regulations on contract data processing. Problem: the provisions concerning contract data processing only apply if a European cloud service is used; Art. 25 Data Protection Directive declares the transfer of personal data to third countries to be generally illegal.

31 Computation as a service in a non-European cloud. Cloud user: uploading of anonymous data is not feasible. Provisions on contract data processing are not applicable. Possible solutions: exemptions from Art. 25 DPD: adequate level of data protection in the target country; U.S.: Safe Harbor provisions; standard EU contract; binding corporate rules. Not: SAS 70 Type II audit certification.

32 Computation as a Service in a non-European cloud. 1. Adequate level of data protection: requires a decision by the European Commission (Argentina, Faroe Islands, Guernsey, Isle of Man, Canada, Switzerland). 2. Safe Harbor provisions: a cloud provider uses servers that are located in the U.S. and has declared to follow the Safe Harbor provisions that have been negotiated between the EU and the U.S.

33 Computation as a Service in a non-European cloud. 3. Standard EU contract: if cloud provider and cloud user agree on the standard EU provisions on the protection of privacy laws (provisions on liability, technical and organizational standards). 4. Corporate binding rules: if a cloud provider issues binding rules on the protection of privacy rights and a national data protection agency in Europe approves these rules.

34 Overview. Storage-as-a-Service, European cloud: uploading anonymous data by cloud user. Storage-as-a-Service, public cloud / non-European cloud: uploading anonymous data by cloud user. Computation-as-a-Service, European cloud: contract data processing; careful choice and surveillance of cloud provider by cloud user. Computation-as-a-Service, public cloud / non-European cloud: adequate level of privacy protection; standard EU provisions; Corporate Binding Rules; U.S.: Safe Harbor.

35 Guidelines under the current legal framework. Only use European clouds. The contract between cloud provider and cloud user should contain provisions on what kind of servers will be used and where they are located. Choose the cloud provider carefully. As a cloud user, be transparent about the use of cloud services. As a cloud provider, be serious about privacy issues and make your privacy policies transparent.

36 Need for a new framework? European privacy principles and cloud computing are not compatible. Harmonization in Europe is not sufficient to create legal certainty. There are several statements by German data protection officers that cloud computing is not compatible with EU law. Global efforts? Cyber Crime Convention?

37 Unsolved Problems: third-party access. Foreign governments might be able to access data that has been shifted to the cloud (U.S.: Homeland Security, financial agencies). Some countries allow private parties to access data in order to enforce private laws (copyright infringements). Technical safeguards are recommended, since a global legal solution is unlikely.

38 Unsolved Problems: unlawful third-party access. Potential for new attacks by cybercriminals. Enforcement of privacy laws in third countries? Cloud providers should take any possible technical and organizational measures to prevent third-party access.

39 Status quo. Major companies offer cloud services. Privacy policies are often not transparent. Cloud providers do not pay attention to privacy issues. Data protection officers seem to overreact. Interdisciplinary work is required!

40 Efficient cloud computing under the current legal framework: almost impossible! An adequate privacy framework for the cloud: mission impossible? Thank you for your attention! Questions? Prof. Dr. Thomas Fetzer, LL.M. (Vanderbilt), Technische Universität Dresden School of Law


More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Dr. Thilo Weichert Independent Center for Data Protection for the German State of Schleswig-Holstein

Dr. Thilo Weichert Independent Center for Data Protection for the German State of Schleswig-Holstein T h e Sedona Conference W o r k i n g Gro u p Series SM Cloud Computing & Data Privacy Dr. Thilo Weichert Independent Center for Data Protection for the German State of Schleswig-Holstein Translated from

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

Table of contents: ***

Table of contents: *** Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)

More information
