Slides for talk at Institute of Advanced Legal Studies, London, on 1 Nov 2011
Data Protection Jurisdiction and
International Data Transfers in
Cloud Computing
1 November 2011
Julia Hörnle
Kuan Hon
Cloud Legal Project
Centre for Commercial Law Studies, Queen Mary, University of London
cloudlegalproject.org
Institute of Advanced Legal Studies
Outline
Cloud Legal Project
Cloud computing
Data protection jurisdiction
International data transfers
Cloud Legal Project
Cloud Legal Project
History
Aims
Cloud computing
What is cloud computing?
IT resources over network, scalable on demand
US NIST service models
Software as a Service (SaaS) – incl. storage (eg. Salesforce;
Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google
Apps, Microsoft Office 365; Facebook, Flickr)
o Storage as a Service (also SaaS!) = convenient way of storing / backing-up
data online (eg. box.net)
Infrastructure as a Service (IaaS) (eg. Amazon Web Services,
Rackspace) – compute, storage
Platform as a Service (PaaS) (eg. Google App Engine,
Microsoft Windows Azure, Force.com)
Classification may depend on viewpoint
Deployment models: private, community,
public and hybrid clouds…
Cloud layers/‘stack’– different possible
architectures, possible hidden layers
--> Who holds user’s data? Where?
[Diagram: possible architectures of SaaS, PaaS and IaaS layered on cloud infrastructure. From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt + SaaS on IaaS + physical infrastructure for each!]
Key cloud computing features relevant
to data protection law
Multiple providers? (layers)
Data replication, deletion
Sharding/chunking/fragmentation
Location – multiple; changing?
Design - provider access; encryption
Use of/dependence on shared, third
party resources, incl connectivity
Some possible contractual structures
User Provider
User Integrator
Sub-provider
Provider
User
Integrator
Provider
Data Protection
Jurisdiction
When do EU data protection laws
apply to a cloud user/controller?
Laws applied based on:
'Establishment'/'context
o More than one law may apply!
o Google Video case/Italy
o Article 29 WP 179
o Incl. through third party
Public international law
'Use' of EEA 'equipment'/'means'
o But transit?
When do EU data protection laws
apply to a cloud user/controller?
Cookies ('equipment') – SaaS
Use, by non-EEA customer, of:
EEA data centre?
o Data centre as an establishment?
o Subsidiary as an establishment?
EEA cloud provider?
Relevant/irrelevant establishment?
Cloud layers
Layers - knowledge or intention?
[Diagram: possible architectures of SaaS, PaaS and IaaS layered on cloud infrastructure. Diagram from http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt + SaaS on IaaS + physical infrastructure for each!]
When do EU data protection laws apply to a
cloud user/controller?
Non-EEA users - France - CNIL’s
relaxation for use of French providers
Full paper http://bit.ly/clouddataprotection3
Replacement of jurisdictional tests with targeting?
Has been used in other contexts, eg
Consumer protection & applicable law to contracts
o Cases C-585/08 and 144/09 Pammer and Hotel Alpenhof
Trademark infringement on auction platform
o Case C-324/09 L’Oreal v eBay
How could this be applied in a cloud context?
Outside EEA: targeting
Within EEA: country of origin rule?
International Data
Transfers
'If we include entities outside the
European Union, the data transfer that is
inevitable with cloud computing — and
which has no legitimacy under data
privacy law — makes clouds inherently
impermissible.'
German regulator Thilo Weichert
'The DPA does not prohibit the overseas
transfer of personal data, but it does
require that it is protected adequately
wherever it is located and whoever is
processing it. Clearly, this raises
compliance issues that organisations
using internet-based computing need to
address.'
UK Information Commissioner
Restriction on international data transfers
Restriction on data export to country
without “adequate protection”, with
exceptions (articles 25 & 26)
How can personal data be transferred
outside the EEA? - 1
Whitelisted countries
a short list
Safe Harbor –
'processors'
layers/sub-providers & onward transfers
non-US/EEA data centres (Danish DPA ruling)
concerns about adequacy eg German
regulators
How can personal data be transferred
outside the EEA? - 2
BCRs
o within group only
Model clauses – layered situation?
o For EEA customer using a cloud provider –
Provider | Sub-provider | Covered by model clauses?
Non-EEA | Non-EEA | Yes
EEA | Non-EEA | No
Regional clouds - can cloud users control
where their data are stored in clouds?
It depends!
No choice
In practice, probably locally…
Regions?
o EEA ≠ EU ≠ Europe – Danish DPA decision
o Contractual commitment?
Even within the EEA…
Data centres in multiple EEA Member States
Obstacle: compliance with multiple national
laws, which may conflict because of lack of
harmonisation and inconsistencies re.:
definitions eg special category data
scope eg data on corporate persons
security requirements eg Italy v UK
But… should location of data really matter?
Shouldn’t the focus be on who can access data
in intelligible form?
non-EEA location doesn’t mean bad protection
EEA doesn’t guarantee good protection – question to
European Parliament re. Dutch Minister’s statement
Given encryption, storage virtualisation & data
fragmentation, what may be more important are
System’s design, and
Provider’s jurisdiction
Full paper
http://bit.ly/clouddataprotection4
Data Protection Directive reform
Draft proposal – expected 2012
In by…?
Meanwhile…
Location, location, location
Encryption, encryption, encryption;
but limitations -
speed
value-add
operations on data
key management critical
Contract, contract, contract
Meanwhile, in practice
Contract - procurement process
Internal controls
Due diligence
Contract – negotiate? eg Google – City of LA, Cambridge U
Controller/processor status
Any use of sub-‘processors’
Data location
Also:
Liability - integrity/breach/availability (backup!)
Modification/termination
Data retention/deletion
Right to disclose/monitor
Security (whose policy), audit rights?
Cloud Legal Project research
Data protection – other papers
http://bit.ly/clouddataprotection1
http://bit.ly/clouddataprotection2
Links to regulatory etc pronouncements
http://bit.ly/cloudlinks
EU consultation response
http://bit.ly/clpeuresponse
Other papers
http://cloudlegalproject.org/Research
Future papers
Negotiated cloud contracts
Cloud governance (not just data protection)
Consumer protection
Thanks for listening!
Any questions?
Julia Hörnle
Kuan Hon
Cloud Legal Project, CCLS
Queen Mary, University of London
http://cloudlegalproject.org
@cloudlegalteam
Mailing list subscription
http://cloudlegalproject.org/Contact