Key privacy / data protection questions

Similar documents
Legal issues in the Cloud

Joint Innovate UK and CW Legal SIG Event - Internet of Things Workshop - 17th March Contracting for IoT

Data Protection Act Guidance on the use of cloud computing

Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation

GDPR & Service Providers ( Cloud Focus )

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

How To Protect Your Data In The Cloud

Contracting for Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station

Cloud Computing. Making legal aspects less cloudy. Erik Luysterborg Partner Cyber Security & Privacy Belgium EMEA Data Protection & Privacy Leader

GDPR & Cloud Providers Keynote Presentation

Cloud Computing Technology

Terms of Use The Human Face of Big Data Website

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Data Protection and Cloud Computing: an Overview of the Legal Issues

Privacy in the Cloud A Microsoft Perspective

Learning from the Cloud providers to use the CMDB to drive cost savings through automation

RUNNING HEAD: Cloud Computing 1. Cloud Computing. Future of Computer Networking

2011 Morrison & Foerster LLP All Rights Reserved mofo.com. Risk, Governance and Negotiation in the Cloud: Capture Benefits and Reduce Risks

SAMPLE RETURN POLICY

Data Centers and Cloud Computing. Data Centers

DISCLAIMER. Any fact, assessment, analysis, forecasts, opinion and other information (collectively Information ) released by:

August Report on Cloud Computing and the Law for UK FE and HE (An Overview)

Cloud Computing. Patrick Van Eecke. Partner, DLA Piper Brussels Professor Universiteit Antwerpen

Cloud SingularLogic:

Brochure More information from

Data Privacy and Security for Market Research in the Cloud

The Cloud. IIA Seminar, York April 30 th

MOBILE BANKING SERVICES INCLUDING TEXT MESSAGING AND REMOTE DEPOSIT SERVICE ENROLLMENT TERMS AND CONDITIONS ( END USER TERMS )

Checklist: Cloud Computing Agreement

Cloud Computing. Cloud computing:

How To Make A Contract Between A Client And A Hoster

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages

Insights into Cloud Computing

Quartz Legal Terms and Conditions

Cloud Computing for Small to Mid Size Businesses. Tech66, LLC William Burleson

Inject Design General Terms & Conditions

Data Centers and Cloud Computing. Data Centers. MGHPCC Data Center. Inside a Data Center

Quick guide: Using the Cloud to support your business

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

IJRSET 2015 SPL Volume 2, Issue 11 Pages: 29-33

END USER USER-SUBJECT-TO- QUALIFICATION SOFTWARE LICENSE AGREEMENT

Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data

B. Terms of Agreement; Google Terms of Service; Conflicting Provisions

Cloud Computing. What is Cloud Computing?

Survey On Security Threats In Data Storing & Sharing In Cloud Environment

THE BUSINESS COUNCIL OF WESTCHESTER Website & Internet Services Terms And Conditions of Use

Mobile App Developer Agreements

Architectural Implications of Cloud Computing

Cloud Computing. Bringing the Cloud into Focus

Technical Help Desk Terms of Service

fdsfdsfdsfdsfsdfdsfsdfdsfsdfsd Square Box Systems Technical Support Agreement

An SME perspective on Cloud Computing November 09. Survey

Data Centers and Cloud Computing

GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker - Terms of Use

Figure 1 Cloud Computing. 1.What is Cloud: Clouds are of specific commercial interest not just on the acquiring tendency to outsource IT

White Paper: Data Protection In The Cloud. Data Protection In The Cloud

Cloud Computing in the Enterprise An Overview. For INF 5890 IT & Management Ben Eaton 24/04/2013

Website Hosting Agreement

This service agreement (hereinafter referred to as the Agreement ) is between

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Covered California. Terms and Conditions of Use

Financial Institutions and Cloud Computing What s on the Horizon

Application of Data Protection Concepts to Cloud Computing

CLOUD COMPUTING An Overview

ZIMPERIUM, INC. END USER LICENSE TERMS

HARNESSING THE POWER OF THE CLOUD

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

CLOUD COMPUTING. A Primer

Mobile Banking, Text Messaging and Remote Deposit Service

LOW RISK ADOPTION OF CLOUD INFRA- STRUCTURE FOR ENTERPRISES

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Mobile Banking and Mobile Deposit Terms & Conditions

Resolution on Consumer Protection in Cloud Computing

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

What are the benefits of Cloud Computing for Small Business?

Legal aspects of cloud computing

Transcription:

Illuminating the Cloud: the What, Who and Where of Privacy Compliance Professor IAPP Europe Data Protection Intensive, London, April 2012 Key privacy / data protection questions What information in clouds is regulated as personal data? Who is responsible for personal data in clouds? Where do data protection laws reach to in clouds? What should you expect to find in typical cloud contracts? But first What do we mean by cloud computing? and Why is it such a hot topic? IAPP Europe DP Intensive, London April 2012 1

What is cloud computing? Basically scalable IT resources on demand, delivered via the Internet Prominent examples include: Amazon Web Services Gmail and GoogleApps IBM Smart Business + CloudBurst (previously Blue Cloud) Microsoft Hotmail + Office 365 + Windows Azure Safesforce.com AND Facebook, Apple, PayPal and other cloud app platforms Why is cloud computing such a hot topic? Remote computing has come of age thanks to high-bandwidth / low-cost connectivity, development of large server farms and enabling techniques such as virtualisation and sharding Cloud is attractive in current economic climate as a means of: achieving rapid outsourcing efficiencies reducing costs / converting capex to opex simplifying hardware and software maintenance smoothing fluctuations in demand levels delivering public sector services more efficiently, see eg. Ø In the US - Apps.gov Ø In the UK - Digital Britain and the G-Cloud IAPP Europe DP Intensive, London April 2012 2

IAPP Europe DP Intensive, London April 2012 3

Types of clouds Cloud stacks and hidden layers (simplified!) Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS SaaS Software as a Service (SaaS) Architectures Cloud Infrastructure PaaS Cloud Infrastructure IaaS PaaS Platform as a Service (PaaS) Architectures Cloud Infrastructure IaaS Infrastructure as a Service (IaaS) Architectures From http://csrc.nist.gov/groups/sns/cloud-computing/cloud-computing-v26.ppt IAPP Europe DP Intensive, London April 2012 4

Major cloud players have substantial infrastructure Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers Huge requirements for power / cooling / connectivity Google has patented a water-based data center - a system that includes a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units. So, just when you thought you had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing don t forget maritime law and the risk of meeting real pirates on the high seas! IAPP Europe DP Intensive, London April 2012 5

What is regulated as personal data in clouds? Despite common concerns, cloud processes may be safer than DIY, not just for SMEs and individuals but also large corporates and governments Cloud processing arrangements may involve multiple cloud layers with multiple actors a spectrum of activities with diverse identification requirements anonymisation / pseudonymisation / encryption sharding / virtualisation / distributed storage Personal data: limits of the all or nothing / binary approach Should risk of identification / risk of harm be factors? EU 2012 proposal for a General Data Protection Regulation might reduce scope for keeping anonymised data out of regulatory scope Who is responsible for personal data in clouds? Cloud customers? Cloud providers? customer account data / metadata personal data processed by customer in the cloud distinguishing between IaaS, PaaS, SaaS, etc Generally assumed that a cloud provider will be a data controller or a data processor or both IAPP Europe DP Intensive, London April 2012 6

What should a cloud provider s status be? What about the possibility that a provider may be neither a controller nor a processor of customer data in certain circumstances? Alternatives include: End to end accountability - eg Canadian PIPEDA model ecommerce Directive model - recognise a mere conduit role (not just for telcos but perhaps also to cover some cloud hosting and caching) 2012 proposal for a General Data Protection Regulation would broadly perpetuate existing controller / processor model and Require a controller s prior permission for sub-processor appointments Deem a processor which exceeds instructions to be a joint controller Increase compliance obligations for controllers and processors Would this be cloud friendly or even cloud compatible? Where do European data protection laws reach to? Under DPD if processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State THEN national DP law can have global reach, but What constitutes establishment? What is the status of own and third party cloud data centres in EEA? If not established in EEA but use equipment / means in EEA also regulated and must appoint an agent, but What if EEA data centre is used by non-eea cloud provider / customer? How does exemption for mere transit through an EEA state apply to: follow the sun backup arrangements? incidental processing in the context of cloud load management? IAPP Europe DP Intensive, London April 2012 7

Current issues with EU approach to applicable law Can a cloud customer control where its data are stored in the clouds? Even within the EEA, data centres and network architecture may trigger multiple compliance regimes + conflicts due to lack of harmonisation Practical consequences include Inconsistent filing / notification / approval / security requirements Inconsistent application of the test of establishment Inconsistent scope eg special category data / corporate persons 2012 proposal for a General Data Protection Regulation: Move to one-stop-shop based on EU main establishment Abolish use of equipment / means test and instead regulate non-eu controllers who process data to offer goods / services to EU residents or to monitor their behaviour Would these changes help? Inside the matrix a few of the many permutations Cloud customer Cloud provider Data centre 1 EEA EEA EEA 2 EEA EEA Non-EEA 3 EEA Non-EEA EEA 4 EEA Non-EEA Non-EEA 5 Non-EEA EEA EEA 6 Non-EEA EEA Non-EEA 7 Non-EEA Non-EEA EEA 8 Non-EEA Non-EEA Non-EEA 9 EEA Anywhere Multiple 10 Non-EEA Anywhere Multiple IAPP Europe DP Intensive, London April 2012 8

Where - the way forward? Short / medium-term options: EEA (and perhaps other) regional clouds Safe Harbor for transfers from Europe to the US Flexible implementation of EU model clauses Processor BCRs to extend reach of corporate group BCRs BCRs for private / community clouds Encryption as a tool for de-personalising data before transfer Medium / long-term solutions: Effective DP harmonisation throughout the EEA even better, the world! End-to-end accountability (i.e. promote the Canadian model) Reduce focus on location of equipment where not important What is likely to be in an off the shelf cloud contract? Many cloud service providers use click-wrap terms of business Such terms of business may state, for example, that: the service provider has minimal, or even no, liability for loss or damage caused by failure of the cloud computing service the service may be modified or be discontinued without cause, without notice and without liability to users subcontracting may be unrestricted customers may have limited / no ability to recover data following termination of service IAPP Europe DP Intensive, London April 2012 9

Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services, Bradshaw, Millard & Walden (2010) We reviewed 31 sets of standard T&C (defined broadly) 20 main categories of clause were identified Each set of T&C was then mapped against these categories Hypothesis = that where significant variations exist between terms of service, differences would correlate significantly to: Type of service and target market Commercial and technological legacy (if any) of the provider Key findings include: T&C for particular services can be predicted to a significant extent Few contracts deal adequately with complexity of cloud arrangements Many provisions appear to be inappropriate / unenforceable / illegal Extensive disclaimers are common, eg. THE SERVICE OFFERINGS ARE PROVIDED AS IS. WE AND OUR AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. Q. Will that be good enough? A. It depends what you are going to use the service for (and how) IAPP Europe DP Intensive, London April 2012 10

What about disclosure of your data to third parties? Would you feel more comfortable signing up to this The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. or this? You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability. Whose laws apply if you have a cloud dispute? Choice of law specified by cloud provider US State: California (most common), Massachuse6s (Akamai), Washington (Amazon), Utah (Decho), Texas (The Planet) English law, probably because service provider based there English law, for customers in Europe / EMEA Other EU jurisdicaons (for European customers): eg. Ireland (Apple), Luxembourg (some MicrosoN services) ScoBsh law (Flexiant) The customer s local law No choice of law expressed or implied, or ambiguous choice (eg. UK Law for g.ho.st) Number * 15 4 4 2 1 2 3 * Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project: h@p://www.cloudlegal.ccls.qmul.ac.uk/ IAPP Europe DP Intensive, London April 2012 11

Contracting in the clouds: custom deals Although not generally advertised, major cloud vendors are prepared to go off piste if a deal merits it One-off contracts are usually confidential but A high profile negotiated deal, for which extensive documentation has been published, is the CSC, Google and the City of LA transaction which includes this provision: Google agrees to store and process Customers email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States. (cl. 1.7) What questions should cloud users be asking? Is the infrastructure multi-layered and, if so, in what way? Where will our data be processed (inc. storage / replication)? Who controls the critical infrastructure (and from where)? How easily can third parties get access to our data? What happens if the cloud provider / their provider goes bust? How easily could we move our data to another cloud service (or back to our own systems) and how long would it take? How confident are we that we could regain control of our data without leaving behind copies and / or key metadata? Is the contract OK (inc. TOS, T&C, SLA, Privacy Policy, AUP, etc)? IAPP Europe DP Intensive, London April 2012 12

Forecast: cloudy and changeable but bright! Putting data / processes into clouds may save money and facilitate risk management - it may also have unintended consequences Physical location can be highly significant in virtual environments Sophistication and flexibility of cloud providers is highly variable Risks of compelled disclosure and other disruptions are real Regulators will take a while to get comfortable with clouds Adoption of cloud services looks set for continued rapid growth Cloud contracts are likely to evolve rapidly in response to competitive positioning, customer demands and regulatory / judicial intervention Thanks for listening! For background papers please visit: http://www.cloudlegal.ccls.qmul.ac.uk/ Any questions IAPP Europe DP Intensive, London April 2012 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information