Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Transcription

1 Presentation by: Dr. Nathalie Moreno Partner Cloud Computing and Data Protection: an Update 4 October 2012

2 Our team Speechly Bircham is an ambitious, international mid-size fullservice law firm head-quartered in London, with offices in Luxembourg and Zurich. We work with an alliance of partner law firms. We work with business across the UK and internationally and focus on the technology, the financial services, energy and environment, real estate and construction sectors. Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches. We are listed in Chambers 2012 as a leading law firm for Data Protection and have advised on this area of law since We have a team of European specialised lawyers dealing with data protection matters globally. Our principal services for international companies include: Corporate Finance Corporate governance Intellectual property, technology & Data Competition law Commercial dispute resolution Employment advisory Pensions advisory work Real estate, construction & engineering..fantastic response times, the best business acumen and a strong team Legal 500

3 Data Protection and Information Law Data Protection Freedom of Information Public Sector Privacy Confidentiality International transfers Employment laws CCTV Direct marketing Cloud computing Outsourcing Private Sector Prejudice test and public interest analysis Data Protection and Information Law Compliance Surveillance, Interception and Monitoring RIPA Lawful business regulations Security Tracking and location data Sarbanes Oxley Ethical hotlines FCPA/OFAC/Bribery E-Discovery Rules Data retention Data destruction Records management

4 Presenter profile Dr Nathalie Moreno, Partner, IP, Technology & Data Nathalie is a highly qualified international TMT lawyer, with over eighteen years experience in advising clients operating in the communications, e-commerce and information technology sectors across EMEA and globally. A Harvard Law School graduate and a PhD in International law holder, she is currently the only dual qualified TMT partner, based in the United Kingdom regularly advising on all TMT matters both under English and French laws after practicing in several jurisdictions such as Belgium, France, USA and the UK. Nathalie advises multinational Information Technology and Information and Communication Technology (ICT) Service and Network Providers (including telecommunications operators) on transactions, ranging from commercial agreements to complex outsourcing deals. She has unique expertise in managing multi-jurisdictional projects on global data protection, as a one-stop solution service including: advising on EMEA data protection compliance projects including, crossborder data flows (CRM, HR, and Finance); audit and implementation projects; information management and security, risk management; outsourcing/in-sourcing and data protection and security compliance; data breach security incidents. She is ranked among the top lawyers in IT and Telecoms in the UK Legal Expert [email protected] Tel: +44 (0)

5 Overview Basics on Cloud Computing; What is the Data Life Cycle? What are the Key Data Protection Concerns? What are the implications of the 1995 Data Protection Directive for cloud computing? The impact of the proposed EU data protection regulation on cloud computing; Art. 29 Data Protection WP Opinion on the application of data protection to cloud computing and similar services; The New UK and EU guidance on the use of cloud computing.

6 Polling questions 1 1. Are you a provider or a consumer of cloud computing services? a. I am a provider of cloud computing services b. I am a consumer of cloud computing services c. Neither but I am a cloud user

7 Polling questions 2 2. Which way do you think that the new EU Data Protection Regulation will impact cloud computing: a. It will clarify and improve data protection rules b. It will create more complex rules albeit not necessary better data protection c. Data protection rules relating to cloud computing should be dealt with in a separate regulation d. No opinion

8 Polling questions 3 3. What is your main source of concern in relation to cloud computing services? a. Security concerns re potential breaches (e.g. unauthorised access) b. Business continuity concerns in the event of a service failure c. Control over data stored in the cloud

9 Introduction

10 Basics on Cloud Computing Definition Cloud computing is defined as access to computing resources, on demand, via a network: computing resources; on demand; via a network. The Players: Cloud provider; Cloud customer; Cloud user. Deployment models: Private cloud; Community cloud; Public cloud; Hybrid cloud. Service models: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); Software as a Service (SaaS). => Layered services

11 What is the Data Life Cycle?

12 What are the Key Data Protection Concerns? Typically mix security and privacy Some considerations to be aware of: Who is responsible for protecting personal data? Applicable law and jurisdiction; Contractual issues; Legal basis for data processing; International Data transfers; Data security; Storage; Retention; Destruction; Auditing, monitoring and risk management; Data protection breaches. 12

13 What are the implications of the 1995 Data Protection Directive for cloud computing? Distinctions between "data controllers" and "data processors Contractual obligations on compliance for customers and providers Processing under customer s instructions; Technical and organisational security measures to prevent unauthorised or unlawful processing, accidental loss, destruction or damage. International data transfers

14 The impact of the proposed EU data protection regulation on cloud computing Draft European Union data protection regulation of January 2012 to replace Directive 95/46/EC in 2014 Provisions impacting cloud computing: Single rule throughout the EEA; Jurisdiction: when are Cloud Users and Providers subject to EU Data Protection Law? Security requirements when engaging a cloud provider; Data security and risk assessment requirements; Breach notification requirements.

15 Art. 29 Data Protection Working Party Opinion on the application of data protection to cloud computing and similar services Opinion WP196 of 1st July 2012 Two main risks associated to cloud computing services lack of control over the data and lack of information on data processing Cloud Computing Duties and Responsibilities Cloud clients (as data controllers) Cloud providers (as data processors) Subcontractors Cloud Services Contracts General Data Protection Principles International Data Transfers Risk Analysis and Checklist Future developments

16 New UK and EU Guidance on Cloud Computing Guidance on Cloud Computing of the ICO of 27 September 2012 Assess the risk of processing highly sensitive data in the cloud; Consider that moving data to the cloud may create additional types of data; Privacy impact assessments should be considered before engaging in large or complex cloud services; Assessment of the administrative, technical and physical controls of the cloud service provider is not a one-time event; Use third-party audits and certifications; Technical security measures of a cloud computing program should include: Access control Encryption of data Data retention and destruction procedures Limits on the cloud service provider s access Unleashing the potential of cloud computing in Europe of 27 September 2012 The EU Commission Communication outlines three main areas of action: Setting up the necessary standards; Contract Terms and Conditions; Open Cloud Partnership.

17 Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level» Fifth level Further Information For more information on our services, please contact: Dr. Nathalie Moreno +44 (0) Construction & Engineering 1 November