Privacy and cloud computing




Protection of personal data in the cloud

E-mail lends itself well to being a cloud service. The advantage is that it can be more efficient and less costly because there is no need for the IT department to set up its own mail server. Because the mail facility operates in a cloud, e-mails are now being exchanged outside the company network. The data is processed via the Internet without it being known where the data actually is. If that data is personal data, privacy aspects will have to be considered when contracting a cloud computing provider. Several obligations under the Dutch Data Protection Act (Wet bescherming persoonsgegevens), such as those relating to the transfer of personal data, will clearly need to be addressed. As a first step, clients and cloud computing providers must clarify their division of roles in the context of privacy and the obligations incumbent upon them as a consequence.

The Dutch Data Protection Act is based on the EU Privacy Directive 95/46. A draft proposal for an EU Privacy Regulation, intended to replace the 1995 EU Privacy Directive in time, was leaked towards the end of 2011. This article focuses primarily on existing Dutch privacy law, with the qualification that we may be seeing a very different landscape in two or three years' time.

Although there may be an upsurge in interest in cloud computing, many people still do not know what it is. Wikipedia defines cloud computing as a parallel computer system which distributes the software amongst multiple computers on the Internet. The cloud means the Internet, in combination with those parts and actions of the application that do not occur on the end user's own equipment. Cloud computing obviates the need for the user to have extensive knowledge or control of the technology he is using.

A distinction is often made in cloud computing between the different types of service model: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). With SaaS the applications are offered as a service, whereas PaaS offers a platform for software development. The IaaS model offers the IT infrastructure of an organisation as a service.

Another common sub-division is based on the level of security or vulnerability of the cloud. There are four different models: public, community, private and hybrid. Public and community cloud computing entails outsourcing IT services to a cloud computing provider. The difference between the two types is that the provider's resources are shared with other users in a public cloud, whereas in the community cloud the hardware is dedicated. Private cloud computing uses technology within the organisation's data centre. Finally, hybrid cloud computing is a composition of public, community and private clouds.

Van Doorne N.V. has its registered offices in Amsterdam and is registered with the Commercial Register under number 34199342. Van Doorne N.V. is the exclusive contracting party in respect of all commissioned work. This work and all legal relations with third parties shall be governed by the General Terms of Van Doorne N.V. and its subsidiaries, which include a limitation of liability. These Terms, which have been filed with the District Court at Amsterdam, may be consulted at www.vandoorne.com and will be forwarded upon request.

Personal data

Personal data will inevitably be processed in the cloud, irrespective of the cloud computing model. The Dutch Data Protection Act defines personal data as data that are traceable to a living natural person. They may be data that are directly traceable to a private person, for example their name, telephone number, address or e-mail address, but they could also be data that are only traceable to an individual in conjunction with other data, such as gender or date of birth. Some data, such as medical data, can also be more sensitive. However, the statutory regime which covers processing of this type of personal data is even stricter than the regime for processing "ordinary" personal data. In principle, the processing of special personal data is prohibited unless a statutory exception can be invoked. For instance, hospitals are permitted to process medical data (in a cloud), but most other organisations will only be permitted to process these data with the express permission of the individual concerned.

Any action involving personal data, including collecting, recording, sorting, storing, amending, changing, requesting, consulting, using or supplying personal data, will automatically be regarded as processing. Even the deletion or destruction of personal data can be regarded as a processing operation. Such processing operations involving personal data are conceivable in cloud computing. The mere transmission of personal data, which can also occur in the cloud, does not constitute processing of personal data. In such cases, the privacy rules will not apply.

Nor do the privacy rules apply to activities that are purely for personal or domestic purposes. However, European Court of Justice case law shows that this exception must be interpreted restrictively. For instance, it is accepted that placing personal data on a website does not fall under this exception because the data have been made publicly accessible. If data were placed in a cloud for personal purposes (for example a list of contacts) and were accessible by numerous individuals, it is unlikely that this exception could be invoked. In those circumstances, again, the privacy rules must be taken into account.

Role of the cloud computing provider

The most important privacy obligations are incumbent upon the data controller, i.e. the entity establishing the purposes and the means of the data processing. The data controller can outsource data processing to a data processor. Unlike the data controller, the data processor has no control over the data processing, but is contracted and instructed to carry out data processing by the data controller. A data processor processes the personal data on behalf of the data controller, without being subject to his direct authority.

Assuming that cloud computing involves at least a client and the cloud computing provider, the roles could conceivably be divided as follows: the client is the data controller and the cloud computing provider is the data processor. After all, the cloud computing provider is offering the services under contract to and for the client. Nevertheless, qualification of the cloud computing provider as joint controller cannot be ruled out. According to the Opinion of the Article 29 Working Party, the European Commission advisory body on privacy, of February 2010 (WP 169) on the interpretation of concepts such as "controller" and "processor", it depends on how the parties process the data in practice. If the cloud computing provider also processes data for its own purposes, it is no longer just a data processor but also a data controller. In such circumstances the cloud computing provider must also comply with the obligations under the applicable privacy legislation.

If the cloud computing provider is a data processor, this implies that the client and the provider must have agreements in place on the processing of personal data and more particularly the protection of personal data. These agreements, which are also referred to as "processor agreements", may be part of the service contract but can also be included in a separate annex. In any event it must be agreed that the cloud computing provider, as the data processor, may only process the personal data as instructed by the client. In addition, there must be a contractual obligation upon the cloud computing provider to adhere to security measures which are applicable to the client. The client will have to monitor compliance with these regulations and it is recommended that the client reserves the right to do so.

Security

From the point of view of privacy, protection of personal data seems to represent a serious threat in cloud computing. For instance, it would not be inconceivable for the system to be down for a certain time, thus preventing access to essential personal data, with all the attendant consequences. An additional problem is that companies which process their data in the cloud have normally stopped backing up this data. They are completely reliant on the availability of data in the cloud. Another feature of cloud computing is that the data may be at several locations, making monitoring of data processing more difficult. Security problems will probably occur mostly in the public cloud because it is accessible to the public. In a private cloud, the personal data remains within a private network and the cloud is not shared with other clients. In principle, therefore, organisations will still be capable of monitoring data processing themselves in the private cloud, unlike the public cloud.

In the Netherlands, the statutory framework for imposing security requirements can be found in article 13 of the Dutch Data Protection Act, which is equivalent to article 17 of the EU Privacy Directive 95/46. The Dutch provision requires that adequate technical measures and security measures are put in place to protect personal data. This raises the question, however, of the scope of this security obligation in the case of cloud computing. Aspects to be considered are the state of the art, the cost of implementing the measures, the risks represented by processing and the nature of the data to be protected. These are open standards. The Dutch Data Protection Authority (College Bescherming Persoonsgegevens), which monitors compliance with privacy standards, has created a number of risk categories to specify these standards in further detail.

A data controller which is contemplating transferring data to a cloud must first analyse the risk to privacy. This will involve analysing the nature and extent of the data processing, who will be granted access to the data, the privacy risks envisaged and their potential consequences. This analysis can then be used as a basis for establishing the applicable risk category and the applicable level of protection. The more sensitive the data being processed in the cloud, the higher the risk category. If, for example, the data being processed is special personal data or personal data which is subject to an obligation of confidentiality, the processing will be categorised as high risk.

The current risk categories were defined in 2001. The Dutch Data Protection Authority announced that new guidelines were being developed for the protection of personal data, but they have not yet been published. At the same time, the Dutch Data Protection Authority indicated its intention to tighten up monitoring of data protection compliance. This is good to know, both for clients who use cloud computing and for the cloud computing providers.

Obligation to notify data breaches

When data is processed in a cloud, there is an increased risk of leaks and, as a consequence, infringements of privacy. Therefore measures to protect personal data should also have regard to the envisaged introduction of a statutory obligation to notify data breaches. At the moment no statutory regulation in the Netherlands obliges organisations to report the loss of privacy-sensitive information (unlike the United States or Germany, for example). A Bill has now been tabled to amend the Dutch Telecommunications Act, which implements (inter alia) the EU Citizens' Rights Directive 2009/136. Essentially, the obligation to notify data breaches, as it is currently proposed, entails immediate reporting by public communications service providers to the parties involved and the OPTA (the Dutch telecommunications watchdog) of any infringement of the security of personal data being processed in the context of a public electronic communications service which is provided within the EU. This Citizens' Rights Directive should have been transposed into Dutch law by May 2011, but this deadline was not met. The Bill is currently before the Dutch Senate.

The Bill proposes that for the moment, the obligation to notify data breaches will apply only to providers of public telecommunications services. However, given that leaks can occur in many other organisations, the value of such a limited obligation to report is questionable, which is why plans for a wide-ranging obligation to report are currently being developed in the Netherlands and Europe. If these plans come to fruition, the obligation to notify data breaches will also apply to other organisations that process personal data, such as financial institutions, social networks, web shops, hospitals and public transport organisations. This extension is not expected at European level until the review of the EU Privacy Directive 95/46, which will probably be replaced by a regulation. The Dutch government did not want to wait for this: the preliminary Bill proposing the inclusion of a general obligation to notify data breaches in the Dutch Data Protection Act was published in December 2011.

If the foregoing is applied to cloud computing, then the following will apply. Assuming that a general obligation to notify data breaches is indeed introduced, the clients of cloud providers, as data controllers, will be obliged to inform both the data subjects involved and the relevant supervisory authority of any data breach that is coupled with the unlawful acquisition of personal data from the cloud. It is specifically important in the context of cloud computing that clients are dependent on their cloud provider for this information, since the cloud provider knows the exact situation. It is therefore advisable for both parties to include a definition of the obligation to notify data breaches in the service contract/processing agreement.

International aspects

With cloud computing, data are normally stored in different locations. They may be in a different country. The Dutch Data Protection Act applies only to personal data that are processed as part of the activities of a data controller established in the Netherlands. The Dutch Data Protection Act also applies if the data controller is established outside the EU and the data processing uses resources in the Netherlands, such as servers, cookies, banners, search engines, social networks, cloud computing and/or outsourcing. In the latter case, the data controller established outside the EU must appoint a representative in the Netherlands who will be regarded as the data controller. Having regard to the earlier consideration that a cloud provider can also be the data controller, this adds an extra dimension to the already complex issue of applicability of the Dutch Data Protection Act. Here again, the ambiguity and attendant lack of certainty on applicability of the Dutch Data Protection Act can present an obstacle to cloud computing. Furthermore, the applicability of the Dutch Data Protection Act at European level could be of subordinate importance if an EU Privacy Regulation were indeed introduced.

The aforementioned Opinion of the Article 29 Working Party states that data controllers will be required to know where the data processing takes place.
A complication with cloud computing, however, is that clients will often be uncertain about the destination countries to which their data are transferred. It is self-evident that the data can be transferred to countries outside the European Economic Area (EEA). As a rule of thumb, personal data may only be transferred to countries with an appropriate level of protection. Even if a country cannot offer an appropriate level of protection, transfer of data will nevertheless be permitted if a statutory exception can be invoked or if the Dutch Minister of Justice has issued a permit for the transfer.

The following countries are presumed to have an appropriate level of protection: Argentina, Guernsey, Jersey, Switzerland, Canada, Isle of Man, Israel, Andorra, Faroe Islands (Uruguay, New Zealand and Australia). The same applies to companies established in the United States which have an obligation to comply with the Safe Harbor principles. If the company in question is not in one of these countries and is not a company established in the United States which has endorsed the Safe Harbor principles, a statutory exception must be invoked or the client contracting a cloud computing provider must apply for a permit.

The statutory exceptions do not really appear to offer an option for validating the transfer of personal data in the framework of cloud computing. Clearly, requesting the unequivocal consent of all data subjects involved (one of the statutory exceptions) will pose practical difficulties. Not only is this a rather exacting alternative, but refusal by the data subject involved to give consent gives rise to the problem that his personal data may not be transferred to the third country; hence it is not a realistic option. Personal data may also be transferred if the client can demonstrate that the transfer is necessary to implement an agreement concluded between the client and the data subject involved. This might also be an agreement which is or will be concluded, in the interests of the data subject, between the client and a third party, for example the cloud computing provider. It may be possible to justify the transfer on the basis of the statutory exception in the case of cloud computing. If it is not, the client will have no other option than to apply for a permit, in which case the client must know the destination countries for the personal data which, as stated above, can be problematic with cloud computing.

The permit is granted by the Dutch Minister of Justice. The application for the permit must be submitted to the Dutch Data Protection Authority. The permit application attaches further conditions which act as safeguards to protect the personal data in question. The easiest way of demonstrating that these safeguards are offered is by using the model contracts approved by the European Commission. In 2010 a new model contract between the controller/data exporter and the processor/data importer was defined. This contract must be concluded between the client and the cloud computing provider. Moreover, this model contract applies only if the cloud computing provider is established outside the EEA, and it is therefore unclear whether it can also be used if the cloud computing provider is established within the EEA but uses subcontractors which are established in a country outside the EEA without appropriate levels of protection.

As stated above, it is not incumbent upon the cloud computing provider to ensure that the transfer to the client is legitimate. It is therefore the client who must complete the necessary formalities. If the cloud computing provider wishes to take over these formalities from its clients, it must elect to apply for a "generic permit". The idea here is that the client is the data controller with respect to data processing in the Netherlands, whereas the cloud computing provider is the data controller in the context of transfer of the personal data. This allows the cloud computing provider to relieve his clients of some administrative burdens. Moreover, the cloud computing provider must in principle be aware of the destination countries for the data. The issue of the permit will become less controversial in future given that a Bill has been tabled which proposes that the permit requirement ceases to be valid if the model contracts are used without amendment.

Another way of validating the transfer is to use Binding Corporate Rules (BCRs). Apart from the fact that applying for a BCR can be rather time-consuming, BCRs are currently only available for transfers within the data controller's group. Because cloud computing involves providing the data to the cloud computing provider, as the data processor, the BCR solution is not (for the moment) a viable option. In light of the current text of the proposed EU Privacy Regulation, BCRs are expected to become increasingly important in the transfer of personal data.

In conclusion

The problems surrounding the privacy aspects of cloud computing are not inconsiderable, particularly in regard to protection of personal data. Other obligations under the Dutch Data Protection Act, such as those relating to the transfer of personal data, will clearly need to be examined. In any event, the first step is for clients and cloud computing providers to clarify their division of roles in the context of privacy and what obligations may be incumbent upon them as a consequence. If cloud computing is to be a successful venture for all concerned we must "keep our head out of the clouds" and keep "both feet on the ground".

Van Doorne N.V.
Jachthavenweg 121, 1081 KM Amsterdam
Postbus 75265, 1070 AG Amsterdam, The Netherlands
t +31 (0)20 6789 123
f +31 (0)20 7954 589
info@vandoorne.com
www.vandoorne.com

For more information:
Dr. Elisabeth Thole
t +31 (0)20 6789 293
f +31 (0)20 7954 293
m +31 (0)61 1388 561
thole@vandoorne.com