German-French Summer University for Young Researchers 2011: Cloud Computing: Challenges and Opportunities
(Deutsch-Französische Sommeruniversität für Nachwuchswissenschaftler 2011 / Université d'été franco-allemande pour jeunes chercheurs 2011)

Cloud Computing and Privacy Laws
17.7. to 22.7.2011
Prof. Dr. Thomas Fetzer, LL.M.
Technische Universität Dresden Law School
Agenda
I. Characterization of Cloud Computing for legal purposes
   1. Cloud Computing vs. traditional client-server solutions
   2. Cloud types
   3. Cloud applications
II. General legal issues of cloud computing
III. The paramount importance of privacy for Cloud Computing
   1. Privacy as a success factor for new technologies
   2. Privacy as a legal obligation
IV. The foundations of privacy laws in Europe
V. Relevance of privacy laws for Cloud Computing
   1. Storage of personal data in the cloud
   2. Processing of personal data in the cloud
VI. Outlook
Characterization of Cloud Computing for legal purposes
[Diagram slide: Traditional Client-Server Solution]

Characterization of Cloud Computing for legal purposes
[Diagram slide: Grid Computing]

Characterization of Cloud Computing for legal purposes
[Diagram slide]
Cloud types
- Private Cloud
- Public Cloud
- Hybrid Cloud
Application types
- Software-as-a-Service (SaaS)
- Platform-as-a-Service (PaaS)
- Infrastructure-as-a-Service (IaaS)
Computation-as-a-Service: the cloud provider offers processing of data in the cloud
Storage-as-a-Service: the cloud provider offers storage of data in the cloud
Application types: involved parties
- Cloud provider: cloud service provider, e.g. Amazon, Salesforce
- Cloud user: company, e.g. insurance company
- Data subject: individual, e.g. customer
Legal implications of cloud computing
[Diagram slide showing the three parties: cloud provider (cloud service provider, e.g. Amazon, Salesforce), cloud user (company, e.g. insurance company), data subject (individual, e.g. customer)]
Legal implications of cloud computing: cloud provider / cloud user
Contractual questions
- Service Level Agreements
  - Accessibility and reliability of the cloud service
  - Maintenance of the cloud service
  - Warranty in the case of data disruption
  - Liability in the case of third-party attacks
- General contractual matters
  - Liability in case of a contract violation ("data as a hostage")
  - Consequences of a merger or an acquisition of the cloud provider
  - Consequences of a potential insolvency of the cloud provider
Legal implications of cloud computing: cloud provider / cloud user
Accounting
- Section 146 par. 2 of the German Tax Code (AO) requires taxpayers to store tax records in Germany
- Section 146 par. 2a AO allows taxpayers to store tax records within the European Union only if the German tax authorities declare their consent in advance
- Section 148 AO allows taxpayers to store tax records outside the EU only if storing the data in Germany would create a hardship for the taxpayer
- Section 257 par. 4 of the German Commercial Code (HGB) requires accounting documents and business letters to be stored in a way that they can be accessed at any time, for 6 to 10 years
Legal implications of cloud computing: cloud provider / cloud user
Copyright law
- Legality of the transfer of copyright-protected materials to the cloud
- Liability for copyright infringements
Criminal law
- Substantive criminal law
  - Liability for uploading materials to the cloud that are potentially unlawful
  - Duty of the cloud provider to control uploaded materials?
- Procedural criminal law
  - Access of criminal investigators to information in the cloud
  - Access of anti-terror agencies to information in the cloud
Legal implications of cloud computing: cloud provider / cloud user
Labor law
- Processing of personal data of employees in the cloud
- Usage of cloud services in combination with performance-measuring technologies
Administrative law
- Usage of cloud services by public authorities
Legal implications of cloud computing
[Diagram slide: the cloud user (company, e.g. insurance company) transfers personal data of the data subject (individual, e.g. customer; personal data such as banking data) to the cloud provider (cloud service provider, e.g. Amazon, Salesforce)]
The paramount importance of privacy for cloud computing
- Privacy concerns are still a major problem for the success of Internet applications
- Surveys show that customers are reluctant about the usage of their personal data on the Internet
  - Fear of unauthorized attacks on data by third parties (Sony, REWE)
  - Low trust towards cloud/Internet providers (T-Mobile Germany, T-Mobile USA)
- Privacy is a key factor for the economic success of cloud computing
The paramount importance of privacy for cloud computing
- Data protection officers, at least in Europe, have raised major concerns towards cloud computing
- Some even question the general permissibility of cloud computing under the current legal framework on privacy
- Compliance with privacy statutes is an inevitable legal necessity
The foundations of privacy laws in Europe
- The right to the protection of personal data (= privacy right) is rooted in the fundamental right to personal self-determination ("informational self-determination")
- In Germany privacy rights are also based on Art. 1 GG (human dignity), which is at the apex of the German constitution
- Art. 8 Charter of Fundamental Rights of the European Union
- Strongly influenced by the German tradition, which has to be seen against the background of German history: during the Third Reich the individual and its personal data were irrelevant and therefore not protected by the law
- Central: decision by the Bundesverfassungsgericht on the constitutionality of a census (BVerfGE 65, 1)
The foundations of privacy laws in Europe
- Unlike in the U.S., in Europe privacy laws are strongly linked to the personality of the data subject
  - U.S.: privacy is primarily a question of property rights
  - U.S.: right to be left alone
  - U.S.: rights that do not have a commercial value are less protected by the law
  - U.S.: privacy rights can be balanced with other legally protected interests
- The European framework is much stricter than the U.S. framework
The foundations of privacy laws in Europe
- Core principle: individuals must be able to control their personal data at any time
  - Personal data must not be processed without either the consent of the individual or an explicit statutory permission
  - The government must not intrude into the privacy of individuals AND it has a duty to protect the personal data of individuals against intrusion by other private parties
- Protected personal data: any piece of information that is linked to an individual
  - Name, address, bank information, credit history, preferences, age, sex, friends, order history
  - Only data that has been anonymized is not captured by the fundamental right to informational self-determination; pseudonymous data is not sufficient
Storage as a Service
1. Cloud user: anonymisation of personal (customer) data
2. Cloud user: uploading of the anonymised data to the cloud infrastructure of the cloud provider
3. Cloud provider: storage of anonymous data, for which privacy laws cannot be relevant by definition
Relevance of privacy laws for cloud computing
- For most cloud computing applications creating anonymous data is not an option
  - Processing of data in the cloud requires the unencrypted (plaintext) data
  - This might change when homomorphic encryption technologies evolve further
- Cloud computing usually falls within the scope of privacy laws
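The distinction the slides draw between anonymised data (outside the privacy framework) and merely pseudonymised data (still personal data), and the Storage-as-a-Service flow in which the cloud user anonymises customer data before uploading it, is easy to get wrong in practice. The following Python script is an added example, not part of the original slides and not any cloud provider's code: the customer records are constructed sample data, and the helpers pseudonymise, reidentify, anonymise and is_k_anonymous are hypothetical names chosen for this illustration. It shows that a keyed token still lets whoever holds the lookup table recover identities, while the anonymised release keeps no such link and suppresses combinations that would single out one person.

```python
"""Pseudonymisation vs. anonymisation of customer records.

Added illustration (not from the original slides). The records are
constructed sample data; the functions are hypothetical helpers.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample data: direct identifiers (name, email), quasi-identifiers
# (postcode, birth_year) and a sensitive attribute (balance).
CUSTOMERS = [
    {"name": "Anna Schmidt", "email": "anna@example.com",  "postcode": "01067", "birth_year": 1981, "balance": 1200},
    {"name": "Ben Mueller",  "email": "ben@example.com",   "postcode": "01069", "birth_year": 1984, "balance": 350},
    {"name": "Clara Weber",  "email": "clara@example.com", "postcode": "01099", "birth_year": 1979, "balance": 9800},
    {"name": "David Koch",   "email": "david@example.com", "postcode": "01187", "birth_year": 1990, "balance": 75},
    {"name": "Eva Lange",    "email": "eva@example.com",   "postcode": "01062", "birth_year": 1988, "balance": 2500},
    {"name": "Felix Wolf",   "email": "felix@example.com", "postcode": "01097", "birth_year": 1983, "balance": 40},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the e-mail).

    The cloud user keeps `key` and the returned lookup table, so every row can
    still be traced back to a person. This is pseudonymous data: it stays
    personal data under the framework described in the slides.
    """
    lookup = {}
    rows = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        row = {field: value for field, value in rec.items() if field not in DIRECT_IDENTIFIERS}
        row["token"] = token
        rows.append(row)
    return rows, lookup


def reidentify(rows, lookup):
    """Why pseudonymous data is not anonymous: whoever holds the lookup table
    restores the identities in full."""
    return [dict(row, **lookup[row["token"]]) for row in rows]


def _equivalence_class(row):
    """Key describing which rows look identical to an observer of the released data."""
    return tuple(sorted(row.items()))


def anonymise(records, k=2):
    """Drop direct identifiers, generalise quasi-identifiers and suppress any
    combination shared by fewer than k people (k-anonymity).

    No token or lookup table is kept, so nothing in the output singles out an
    individual.
    """
    generalised = [
        {
            "postcode_area": rec["postcode"][:3],          # 01067 -> 010
            "birth_decade": rec["birth_year"] // 10 * 10,  # 1981  -> 1980
            "balance_band": "high" if rec["balance"] >= 1000 else "low",
        }
        for rec in records
    ]
    sizes = Counter(_equivalence_class(row) for row in generalised)
    return [row for row in generalised if sizes[_equivalence_class(row)] >= k]


def is_k_anonymous(rows, k):
    """True if every released row is indistinguishable from at least k-1 others."""
    if not rows:
        return True
    return min(Counter(_equivalence_class(row) for row in rows).values()) >= k


if __name__ == "__main__":
    pseudo_rows, table = pseudonymise(CUSTOMERS, b"constructed-demo-key")
    print("pseudonymous row:", pseudo_rows[0])
    print("re-identified:   ", reidentify(pseudo_rows, table)[0]["name"])
    released = anonymise(CUSTOMERS, k=2)
    print(f"anonymised: {len(released)} of {len(CUSTOMERS)} rows released, "
          f"2-anonymous: {is_k_anonymous(released, 2)}")
```

With the sample data, two of the six customers (the only ones in their postcode area, birth decade and balance band) are suppressed from the anonymised release, because a single-member group would still identify a person by combination of attributes; that loss of detail is the price of leaving the scope of privacy law, which is why the next slide notes that anonymisation is not an option for most processing in the cloud.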
The foundations of privacy laws in Europe
- Based on these theoretical foundations, the privacy framework has been harmonized by European Directives
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, of 1995(!)
  - Applies to personal data = any information relating to a natural person
- Directive 2002/58/EC on privacy and electronic communication
  - Applies only to telecommunications data (e.g. traffic data)
- Directive 2006/24/EC on the retention of telecommunications data
  - Applies only to telecommunications data (e.g. traffic data, location data)
Jurisdiction
Generally
- Principle of territoriality (Art. 4 Directive 95/46/EC): EU law applies if the processing of personal data takes place within the EU
  - The controller is established within the EU and it processes personal data within the EU
  - The controller is established outside the EU but uses IT infrastructure within the EU
  - Personal data is transferred (= processed) from the Union to a third country
Application to cloud computing
- EU law applies to clouds using, at least partially, servers that are located within the Union
  - SaaS, PaaS, IaaS
  - Private clouds, public clouds, hybrid clouds
  - European companies using cloud services
Problem
- Enforcement of privacy laws in multinational clouds
- Leaves room for jurisdictional arbitrage at the expense of individuals
Permissibility to use a cloud for computation services under EU law
- Personal data must not be processed without either the consent of the individual or an explicit statutory permission
- Consent by the data subject? Not feasible, since the consent of the data subject requires full information of the data subject in advance on questions like "where is my personal data stored at any given time?"
- Privacy laws allow the processing of personal data by third parties on behalf of the controller
Responsibility: contract data processing
- Cloud provider = processor
- Cloud user = controller
- Data subject = individual, e.g. customer
Responsibility
- Art. 6 par. 2 Directive 95/46/EC: it shall be for the controller to ensure that the obligations constituted by the Directive are complied with
- Art. 2 lit. d) and e) Directive 95/46/EC
  - "Controller" shall mean the legal person which determines the purposes and means of the processing of the personal data
  - "Processor" shall mean the legal person which processes personal data on behalf of the controller
Obligations
Generally
- Data security, Art. 17 par. 2 Directive 95/46/EC
  - The controller must ensure that the processor provides for appropriate technical and organizational measures to protect personal data
  - It must be guaranteed that the processor acts only on instructions by the controller
Application to cloud computing
- A company that uses the service of a cloud provider must ensure that the cloud provider
  - provides for appropriate technical and organizational measures for its entire IT to protect personal data
  - acts only on instructions from the client
Problem
- How should a cloud user be able to ensure this if it is not necessarily predictable what infrastructure is used and where it is located?
Obligations
Section 11 par. 2 BDSG
The processor shall be chosen carefully, with special attention to the suitability of the technical and organizational measures applied by the processor. The work to be carried out by the processor shall be specified in writing, including in particular the following:
1. the subject and duration of the work to be carried out,
2. the extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects,
3. the technical and organizational measures to be taken under Section 9,
4. the rectification, erasure and blocking of data,
5. the processor's obligations under subsection 4, in particular monitoring,
6. any right to issue subcontracts,
7. the controller's rights to monitor and the processor's corresponding obligations to accept and cooperate,
8. violations by the processor or its employees of provisions to protect personal data or of the terms specified by the controller which are subject to the obligation to notify,
9. the extent of the controller's authority to issue instructions to the processor,
10. the return of data storage media and the erasure of data recorded by the processor after the work has been carried out.
The controller shall verify compliance with the technical and organizational measures taken by the processor before data processing begins and regularly thereafter. The result shall be documented.
Obligations for the processor (to be surveyed by the controller)
Where personal data are processed or used in automated form, the internal organization of authorities or enterprises is to be such that it meets the specific requirements of data protection. In particular, measures suited to the type of personal data or categories of data to be protected shall be taken
1. to prevent unauthorized persons from gaining access to data processing systems for processing or using personal data (access control),
2. to prevent data processing systems from being used without authorization (access control),
3. to ensure that persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording (access control),
4. to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities (disclosure control),
5. to ensure that it is possible after the fact to check and ascertain whether personal data have been entered into, altered or removed from data processing systems and if so, by whom (input control),
6. to ensure that personal data processed on behalf of others are processed strictly in compliance with the controller's instructions (job control),
7. to ensure that personal data are protected against accidental destruction or loss (availability control),
8. to ensure that data collected for different purposes can be processed separately.
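Item 5 of the list above, input control (being able to establish after the fact whether personal data were entered, altered or removed, and by whom), is one of the measures a controller can check concretely when surveying a processor. The following Python script is an added example, not part of the slides and not any provider's product: an append-only audit log in which each entry commits to the hash of its predecessor, so that a later edit of any entry is detected on verification. The AuditLog class and the events it records are constructed for this illustration.

```python
"""Hash-chained audit log as one implementation of "input control".

Added illustration (not from the original slides). The events are
constructed sample data; the AuditLog class is a hypothetical helper.
"""
import hashlib
import json

GENESIS = "0" * 64


class AuditLog:
    """Append-only log in which each entry commits to its predecessor's hash,
    so a later edit or deletion of an entry breaks the chain and is detected."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in a canonical encoding.
        payload = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def record(self, timestamp, actor, action, record_id):
        """Append one event: who (actor) did what (entered/altered/removed) to which record."""
        if action not in ("entered", "altered", "removed"):
            raise ValueError(f"unknown action {action!r}")
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, n) if all n entries chain correctly, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)

    def history(self, record_id):
        """Answer the input-control question for one record: what was done to it and by whom."""
        return [(e["actor"], e["action"]) for e in self.entries if e["record_id"] == record_id]


def build_sample_log():
    """Constructed sample events for a processor handling customer records."""
    log = AuditLog()
    log.record("2011-07-18T09:00:00Z", "clerk.a", "entered", "customer-4711")
    log.record("2011-07-18T09:05:00Z", "clerk.b", "altered", "customer-4711")
    log.record("2011-07-18T09:07:00Z", "clerk.a", "entered", "customer-4712")
    log.record("2011-07-19T16:30:00Z", "admin.c", "removed", "customer-4711")
    return log


def tamper_detected(log, index, actor):
    """Simulate an after-the-fact edit of one entry's actor on a copy of the log
    and report whether verification catches it."""
    forged = AuditLog()
    forged.entries = [dict(e) for e in log.entries]
    forged.entries[index]["actor"] = actor
    ok, _ = forged.verify()
    return not ok


if __name__ == "__main__":
    log = build_sample_log()
    print("history of customer-4711:", log.history("customer-4711"))
    print("chain intact:", log.verify())
    print("forged actor detected:", tamper_detected(log, 3, "clerk.b"))
```

The chain only proves that entries were not changed after being written; it does not stop an administrator from truncating the log at the end, so in practice the latest hash is also anchored elsewhere (for example, reported periodically to the controller), which turns the controller's verification duty under Section 11 par. 2 BDSG into a check it can actually perform.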
Computation as a service
- Cloud user: uploading of anonymous data to the cloud is not feasible
- Cloud user: however, the use of a cloud service is permissible if the cloud user complies with the regulations on contract data processing
Problem
- The provisions concerning contract data processing only apply if a European cloud service is used
- Art. 25 Data Protection Directive declares the transfer of personal data to third countries to be generally illegal
Computation as a service in a non-European cloud
- Cloud user: uploading of anonymous data is not feasible
- Cloud user: provisions on contract data processing are not applicable
Possible solutions: exemptions from Art. 25 DPD
- Adequate level of data protection in the target country
- U.S.: Safe Harbor provisions
- Standard EU contract
- Binding corporate rules
- Not: SAS 70 Type II audit certification
Computation as a Service in a non-European cloud
1. Adequate level of data protection
   - Requires a decision by the European Commission
   - Argentina, Faroe Islands, Guernsey, Isle of Man, Canada, Switzerland
2. Safe Harbor provisions
   - A cloud provider uses servers that are located in the U.S. and has declared to follow the Safe Harbor provisions that have been negotiated between the EU and the U.S.
Computation as a Service in a non-European cloud
3. Standard EU contract
   - If cloud provider and cloud user agree on the standard EU provisions on the protection of privacy
   - Provisions on liability, technical and organizational standards
4. Binding corporate rules
   - If a cloud provider issues binding rules on the protection of privacy rights and a national data protection agency in Europe approves these rules
Overview
Storage-as-a-Service
- European cloud: uploading of anonymous data by the cloud user
- Public cloud / non-European cloud: uploading of anonymous data by the cloud user
Computation-as-a-Service
- European cloud: contract data processing; careful choice and surveillance of the cloud provider by the cloud user
- Public cloud / non-European cloud: adequate level of privacy protection, standard EU provisions, binding corporate rules, U.S.: Safe Harbor
Guidelines under the current legal framework
- Only use European clouds
- The contract between cloud provider and cloud user should contain provisions on what kind of servers will be used and where they are located
- Choose the cloud provider carefully
- As a cloud user, be transparent about the use of cloud services
- As a cloud provider, be serious about privacy issues and make your privacy policies transparent
Need for a new framework?
- European privacy principles and cloud computing are not compatible
- Harmonization in Europe is not sufficient to create legal certainty
- There are several statements by German data protection officers that cloud computing is not compatible with EU law
- Global efforts? Cyber Crime Convention?
Unsolved problems
Third-party access
- Foreign governments might be able to access data that has been shifted to the cloud (U.S.: Homeland Security, financial agencies)
- Some countries allow private parties to access data in order to enforce private laws (copyright infringements)
- Technical safeguards are recommended, since a global legal solution is unlikely
Unsolved problems
Unlawful third-party access
- Potential for new attacks by cybercriminals
- Enforcement of privacy laws in third countries?
- Cloud providers should take any possible technical and organizational measures to prevent third-party access
Status quo
- Major companies offer cloud services
- Privacy policies are often not transparent
- Cloud providers do not pay attention to privacy issues
- Data protection officers seem to overreact
- Interdisciplinary work is required!!!
Efficient cloud computing under the current legal framework: almost impossible!
An adequate privacy framework for the cloud: mission impossible?

Thank you for your attention! Questions!?!!?

Prof. Dr. Thomas Fetzer, LL.M. (Vanderbilt)
Technische Universität Dresden School of Law
fetzer@jura.tu-dresden.de