A How-to Guide for Privacy, Big Data and the Cloud in the US and Asia Pacific Joel Lutz, The Vanguard Group, Inc and Alec Christie, DLA Piper Australia 1
SETTING THE SCENE 1. What do we mean by "Big Data" and "Cloud"? 2. Issues 3. What is the privacy framework for Big Data and Cloud? 4. Examples using framework 5. Applying the framework in a practical manner 2
THE CLOUD: WHAT IS IT? 3
BIG DATA: WHAT IS IT? 4
AUDIENCE QUESTIONS 1. For those of you who have been involved in a Big Data project, what was the privacy issue of most concern: a) re-identification of information (ie creation of personal data) b) acquisition of data from a third party c) use of collected personal data for other purposes d) the need for consent/notification e) other 2. For those of you who have been involved in a Cloud project, what was the privacy issue of most concern: a) sending personal data offshore b) security/data sovereignty c) the need for notification/consent d) working out who needed to comply with what privacy laws e) other 5
ISSUES Big Data Lack of transparency in how data is combined, transformed, and used within Big Data system Cloud Lack of transparency and joint responsibility IaaS and PaaS Disclosure and Security SaaS All framework principles are handled by data controller and cloud provider 6
GLOBAL PRIVACY FRAMEWORK Management Notice Choice/Consent Collection Use/Retention/Disposal Access Disclosure Security Quality Monitoring/Enforcement Define, document, communicate and assign accountability for privacy policies and procedures Provide notice about privacy policies and procedures; identify purpose for which information is collected, used, retained, and destroyed Provide data subject the opportunity to consent or opt out of collection or use where appropriate Collect only information needed for stated purposes Limit use to disclosed purposes; retain information only as long as needed for stated purpose; dispose of appropriately Provide data subject access to personal information for review and update Disclose information to third parties only for purposes identified Protect information against unauthorized access Maintain accurate, complete, and relevant information Monitor compliance with state privacy policies and procedures and handle related complaints 7
BIG DATA FRAMEWORK Small Data Notice/Consent/Choice Identify Data Sources Insure Proper Notice Big Data Identify Data Sources Insure Proper Notice Collection Identify Sources Assure Rights Identify Sources Assure Rights Use Policy Enforcement Create System Rules Create Business Process Rules Create Business Process Rules Create System Rules Retention/Destruction Set System Rules Set System Rules Access Input into system In system Output from system Disclosure What Data + What Purpose=Which Disclosure Allowed Input into system (In system?) Output from system What Data + What Purpose=Which Disclosure Allowed Quality Output Monitoring Output Monitoring 8
CLOUD FRAMEWORK Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Notice/Consent/Choice Data Controller Data Controller Both Collection Data Controller Data Controller Both Use Policy Enforcement Data Controller Data Controller Both Retention/Destruction Data Controller Data Controller Both Access Data Controller Data Controller Both Disclosure Both Both Both Quality Data Controller Data Controller Both Security Both Both Both 9
Notice/Consent /Choice Collection CLOUD FRAMEWORK EXAMPLE Contractual Commitment X X Data Controller Monitoring Cloud Provider Policy Review X X Cloud Provider Procedure Review Cloud Provider Reporting Use Policy Enforcement X X X X Retention/ Destruction Access Disclosure Quality Security Data Controller Inspection/ Testing Independent Audit and Report X X X X X X X X X X X X X Security: Physical X X X Security: Network X X X X Security: Application Security: Monitoring/ Data Loss Protection Security: Contingency X X X X X X X X X X X X 10
EXAMPLE/CASE STUDY: THE FACTS Australian based financial services company "Dollar Co" Operates in/collects personal data in each of: Japan through a subsidiary company "JCo" Malaysia in an incorporated joint venture with a Malaysian company "MJV" Singapore through an agent "SA" South Korea through a branch "SKB" (together "related entities") 11
EXAMPLE/CASE STUDY: THE FACTS As part of a global HR Could platform roll out Dollar Co puts (and asks all related entities to put) all their employee personal data into the third party HR Cloud platform with servers in the US and the EU. In order to focus their product development and marketing efforts across the region Dollar Co collects anonymised data from each of its related entities across the region third party information providers websites/databases on the Internet in order to run Big Data analytics and asks each of its related entities to do the same in their countries. 12
EXAMPLE/CASE STUDY: THE CHALLENGES Cloud (SaaS here): Who has what privacy obligations/what privacy laws apply? What method to confirm cloud provider responsibilities? Go through all parts of framework and answer who is responsible and how is that confirmed? 1. Notice 2. Consent 3. Collection 4. Use/Retention/Disposal 5. Access 6. Disclosure 7. Security 8. Quality 13
EXAMPLE/CASE STUDY: THE CHALLENGES Big Data How is data transformed, combined, and used? How do you confirm all parts of the framework with lack of transparency? 1. Notice 2. Consent 3. Collection 4. Use/Retention/Disposal 5. Access 6. Disclosure 7. Security 8. Quality 14
AUDIENCE QUESTION In respect of the Asia Pacific region, which do you believe is the most accurate statement: a) except for Australia and New Zealand, there are no real privacy laws in the region b) all countries in the region have privacy laws and they pretty much have uniform principles, penalties and enforcement regimes c) it is the "fastest growing" region in terms of the introduction of new and revised tougher privacy laws d) some key elements are common across most of the region (including being European in concept/approach to privacy) but there are also important differences to be wary of 15
ASIA PACIFIC PRIVACY REGIMES AT A GLANCE 16
EXAMPLE/CASE STUDY: IN GENERAL What privacy challenges are similar? Across Big Data and Cloud Across the U.S. and Asia Pacific What privacy challenges are different? Across Big Data and Cloud Across the U.S. and Asia Pacific 17
PRACTICAL SOLUTIONS 1. Have a framework based on rationalized legal requirements. (Use ours if you want!) 2. Do not abandon your framework because the project has a fancy name and uses cool sounding technology. (The names only attraction attention.) 3. Do not abandon your framework because the level or type of transparency is different. 4. Document your application of the framework. 5. Big Data: Execute at different points in different ways. 18
PRACTICAL SOLUTIONS 6. Big Data: Focus on what goes in and what comes out control there. 7. Cloud: Answer which type of cloud first. 8. Cloud: For IaaS and PaaS, focus on who is responsible for security and disclosure. 9. Cloud: For SaaS focus on who is responsible (Data Controller or Cloud Provider). 10. Cloud: For SaaS focus on how to confirm responsibilities are carried out. 19
QUESTIONS AND COMMENTS 20
RESOURCES Some resources we believe you will find useful in the Privacy, Big Data, and Cloud areas: Privacy: Data Protection Laws of the World Handbook (2014): http://www.dlapiperdataprotection.com Big Data: CSA Cloud Bytes Big Data, Open Data, Smart Data All need BIG Privacy https://cloudsecurityalliance.org/research/cloudbytes/big-data-open-datasmart-data/ Privacy and Big Data An ISACA White Paper August 2013 http://www.isaca.org/knowledge- Center/Research/ResearchDeliverables/Pages/Privacy-and-Big-Data.aspx CSA Big Data Working Group. Expanded Top Ten Big Data Security and Privacy Challenges, April 2013 http://downloads.cloudsecurityalliance. org/initiatives/bdwg/expanded_top_ten_big_data_security_and_privacy_ Challenges.pdf 21
Cloud: RESOURCES (CONT) Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 http://www.cloudsecurityalliance.org/guidance/csaguide. v3.0.pdf Cloud Controls Matrix V3.0 https://cloudsecurityalliance.org/ download/cloud-controls-matrix-v3/ BSA Global Cloud Computing Scorecard 2013 http://cloudscorecard.bsa.org/2013/ Building Confidence in the Cloud: A Proposal for Industry and Government Action for Europe to Reap the Benefits of Cloud Computing (Microsoft's submission No 2 to the European Commission) http://ec.europa.eu/justice/news/consulting_ public/0003/contributions/organisations/microsoft_corporation_2nd_ document_en.pdf 22