Data Protection and Cloud Computing: an Overview of the Legal Issues

Similar documents
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Article 29 Working Party Issues Opinion on Cloud Computing

Application of Data Protection Concepts to Cloud Computing

AIRBUS GROUP BINDING CORPORATE RULES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

The HR Skinny: Effectively managing international employee data flows

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Commission on E-Business, IT and Telecoms Task Force on Privacy and the Protection of Personal Data

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

Data Processing Agreement for Oracle Cloud Services

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GSK Public policy positions

The eighth data protection principle and international data transfers

Cloud Computing. Introduction

The problem of cloud data governance

Membership of the US Safe Harbor Program by Data Processors

technical factsheet 176

Data protection legislation influence on cloud computing from local as well as EU perspective

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

ARTICLE 29 DATA PROTECTION WORKING PARTY

Data transfers in the Cloud

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

The potential legal consequences of a personal data breach

ECSA EuroCloud Star Audit Data Privacy Audit Guide

Data Protection Act Guidance on the use of cloud computing

(a) the kind of data and the harm that could result if any of those things should occur;

Important aspects of the new Regulation third country data transfers

Data protection issues on an EU outsourcing

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation

Office 365 Data Processing Agreement with Model Clauses

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Draft Code of Conduct on privacy for mobile health applications

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Big Data for Mutuals. Marc Dautlich 25 November 2013

Cloud Computing and Privacy Laws! Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Data Privacy and Information Security Group Client Alert: Safe Harbor Briefing Note

GDPR & Service Providers ( Cloud Focus )

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

White Paper: Data Protection In The Cloud. Data Protection In The Cloud

Legal issues in the Cloud

Overview. Data protection in a swirl of change Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Johnson Controls Privacy Notice

ARTICLE 29 DATA PROTECTION WORKING PARTY

Appendix 11 - Swiss Data Protection Act

Data Protection in Ireland

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Microsoft Online Services - Data Processing Agreement

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Australia s unique approach to trans-border privacy and cloud computing

Accountability: Data Governance for the Evolving Digital Marketplace 1

European Privacy Officers Forum

Data protection policy

ARTICLE 29 DATA PROTECTION WORKING PARTY

CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015

Corporate Compliance: A Global Perspective

The impact of the personal data security breach notification law

Cloud computing and the legal framework

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

GDPR & Cloud Providers Keynote Presentation

Privacy & Data Security: The Future of the US-EU Safe Harbor

Data Security Council of India (DSCI) Response to

Privacy and Cloud Computing for Australian Government Agencies

INFORMATION GOVERNANCE HANDBOOK

1. General questions. 2. Personal data protection rights of employees PERSONAL DATA PROTECTION FAQ

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

APPLICANT VERIFICATION SERVICES TERMS AND CONDITIONS OF USE

Information Sheet: Cloud Computing

Data Protection Act. Privacy & Security in the Information Age. April 26, Ministry of Communications, Ghana

Recommendations for companies planning to use Cloud computing services

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

How To Protect Your Data In The Cloud

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Response to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposals. Cloud Legal Project 17 August 2012

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

EU Data Protection Compliance Trends - What US Companies Need to Know. 30 January 2013

PRIVACY MANAGEMENT ACTIVITIES

AlixPartners, LLP. General Data Protection Statement

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Cloud Computing Legal Considerations for Data Controllers

Data Protection, Software Licenses and other Legal Issues in the Cloud

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels.

International Working Group on Data Protection in Telecommunications

Personal Data Protection Policy

Offshoring and Privacy Aspects A case study under Dutch law from the perspective of an IT provider

Clause 1. Definitions and Interpretation

Transcription:

Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen, 12 November 2010

Topics What is cloud computing? Data protection (DP) issues (not exhaustive!) Applicable law and jurisdiction Legal bases for data processing Data controllers and processors International data transfers Data security Contractual issues Views of DPAs Will discuss legal issues from an EU (not a national) point of view 2

What is cloud computing? Data in the cloud are: Stored in multi-tenant environments, like renting space in an apartment Accessed by parties having differing trust levels (users, tenants, privileged cloud administrators) Located in various countries Enforced by various contractual obligations Governed by various regulations and industry best practices Secured by multiple technologies and services Not necessarily new, but represents an intensification of distributed computing, and a set of new business models 3

Applicable law and jurisdiction (1) EU DP law applies to data processing carried out by: Data controller established in a Member State, irrespective of where the data are processed; and Non-EEA controller using equipment based in EEA Note: data controller/processor distinction is key Legal obligations: For data controller: full range of EU DP obligations (registration, information to individuals, etc.) For data processors: ensure adequate security of processing Raises many questions: What happens when multiple laws apply? To whom can individuals and authorities turn in case of problems, and what are their rights and obligations? What happens when an individual uses for private purposes a cloud provider established outside the EEA,, does EU law apply? 4

Applicable law and jurisdiction (2) Applicable and jurisdiction for data protection issues cannot be wholly allocated by contract Moves by EU Commission for more harmonization of national law may help lesson the burden on companies Further discussion: Kuner, Data Protection Law and International Jurisdiction on the Internet (Parts 1 and 2), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=14 96847 and http://papers.ssrn.com/sol3/papers.cfm?abstract_id=16 89495 5

Legal bases for data processing Important in particular when registering data processing with DPAs Processing of personal data is allowed only when specific legal grounds apply Various legal bases may apply in the case of cloud computing: Consent Performance of a contract between the data subject and the data controller Balancing of interests test Each one of these legal bases raises significant issues 6

Data controllers and processors Distinction between the two terms is crucial in order to properly allocate responsibility and liability, and to determine applicable law Companies outsourcing data to the cloud will normally be considered data controllers Vendors are likely to be considered data processors, with (mostly) no DP compliance obligations, but with data security obligations Status of parties is often an issue in contract negotiations However, DPAs may reclassify data processors as controllers (see SWIFT case and WP 29 Opinion 1/2010) 7

International data transfers (1) Personal data may not be transferred from Europe without adequate data protection (Arts. 25 and 26 of Directive 95/46) Some Member States (e.g., Germany) restrict the transfer of certain types of personal data under commercial law as well Over 30 other countries around the world also restrict international data transfers See Kuner, Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present, and Future, http://ssrn.com/abstract=1689483 Features of cloud computing that impact on international data transfers: How to identify the importing jurisdiction (data may be processed in and be accessible from many jurisdictions) How to identify the importing entity (may be any affiliate or sub-processor of the cloud vendor) How to satisfy EU data transfer requirements Some vendors have begun offering EU clouds Political risk issues (e.g., China, law enforcement access) 8

International data transfers (2) New tool to use when data are transferred between data processors (e.g., in cloud computing): new set of EU-approved standard contractual clauses for controller-to-processor transfers (proposed by ICC) Commission adequacy decision issued on 5 February 2010 See Kuner, The New EU Standard Contractual Clauses for International Data Transfers to Data Processors, http://www.hunton.com/files/tbl_s47details/fileupload265/2865/eu_standard _Contractual_Clauses_Intl_Data_Processors.pdf Important to note: New clauses replace existing EU-approved clauses for controller to processor transfers Clauses cover transfers from the EU to a data processor outside the EU, but not from a data processor in the EU to a subprocessor outside the EU (but DPAs may allow use of the new clauses in such situations as well) Clauses allow for processor-to-processor transfers (require consent of data controller, written contract between processor and subprocessor) Possible use of clauses: master agreement signed by original data controller (customer) and co-signed by cloud computing provider and all its entities and vendors 9

Data security EU Directives 95/46 and 2002/58 require appropriate technical and organisational measures to protect data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access Numerous data breaches demonstrate that data security is perhaps the greatest risk of cloud computing Features of cloud computing that impact on security: Proliferation of vendors, with lack of clear quality standards Immature market with rapid developments Risk of insolvency Requires intensive due diligence by customers Many important issues need to be covered by contract, e.g.: Audit rights Mandatory cooperation in case of breach Growing number of breach notification laws (and possibility for EU-wide requirement as Directive 95/46 is revised) 10

Contractual issues Certain provisions should be included in the outsourcing contract in order to address data protection issues Examples Clear description of the processing Purpose of processing Duty of service provider to comply with instructions Data security measures Cooperation between the parties Any sub-contracting Duty to inform the customer upon violations Deletion of data after the project ends 11

Views of data protection authorities Many DPAs are sceptical of cloud computing and the risks it presents Example: Berlin DPA, Yearbook 2008, pp. 15-17 Some national laws may restrict the use of cloud computing Key is ensuring that data protection responsibility is not diluted Use of cloud computing may become a labor law issue as well (works councils) 12

Future directions Business models for cloud computing will evolve and will also affect the data protection issues Possible changes to Directive 95/46 to deal with cloud computing issues, e.g.: Clarifying applicable law rules Breach notification requirement Stronger rights for individuals Binding corporate rules (BCRs) may provide one set of answers to legal issues, at least for processing within the same corporate group 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information