Keeping on top of the Cloud- Compliance from a Regulator’s Perspective
Henry Chang, IT Advisor, Office of the Privacy Commissioner for Personal Data, Hong Kong
6 July 2013
Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing
Bottom lines
1. Data users are responsible for the protection of personal data entrusted to them;
2. Outsourcing of data processing does not mean outsourcing of legal liability.
Data flow and data protection principles (DPPs)
Personal data flow (diagram): Collection → Storage, Use or Processing (IT system) → Retention/Erasure
DPP 1 – Collection
DPP 2 – Accuracy and retention
DPP 3 – Use
DPP 4 – Security
DPP 5 – Transparency
DPP 6 – Rights of access and correction
The heat map of cloud
[Diagram: Types of Cloud (Private Cloud (dedicated), Public Cloud (shared)) plotted against Types of Users (Consumers, SMEs, Enterprises); one region of the map is labelled "Most vulnerable"]
Attractive/free consumer solutions…
1. Uncertainty on whether data protection laws apply
2. Terms often favour service providers
3. There is no free lunch – where is the hidden cost?
4. Ultimate victims of any data breach are consumers
5. Assess risks before using cloud services
6. Consider encrypting data before uploading
Important issues that are not specific to clouds
1. Technical safeguards - Identity management and authentication
2. Proper exit plan, data erasure and data portability
3. Use by contractors that does not match with original purposes
4. Formal data breach notification arrangement
Cloud characteristics
1. Rapid transborder data flow
2. Loose outsourcing arrangements
3. Standard services and contracts
Rapid transborder data flow
1. Does the law allow?
2. Comparable data protection laws
– Who can tell where the data are?
– How could data user obligations be fulfilled?
– Can data flow be limited to a few ‘white list’ jurisdictions?
3. Potential access by foreign LEAs
Loose outsourcing arrangement
1. Lack of controls/relationship
– No guarantee of controls downstream
– No contractual remedies
2. Uncertain privacy rules, culture and training
– Are outsourcers subject to privacy law in their jurisdictions?
– Are they accustomed to privacy laws?
– Can they be sanctioned?
3. Where does the loyalty lie?
Standard services and contracts
1. If standard services do not meet the data protection requirements, can cloud provider customise?
2. If customisation is offered, how can cloud customers be sure that the extra measures are in place?
Views from data protection authorities
1. Hong Kong PCPD – http://www.pcpd.org.hk/english/publications/files/cloud_computing_e.pdf
2. The Article 29 Working Party – http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
3. Office of the Privacy Commissioner, Canada – http://www.priv.gc.ca/information/pub/gd_cc_201206_e.asp
4. Dutch DPA – http://www.dutchdpa.nl/downloads_overig/dutch-dpa-written-opinion-cloud-computing-unofficial-translation.pdf
5. French DPA (CNIL) – http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_Cloud_computing_services.pdf
6. Office of the Privacy Commissioner, New Zealand – http://www.privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/OPC-Cloud-Computing-guidance-February-2013.pdf
7. UK Information Commissioner’s Office – http://www.ico.org.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx
8. International Working Group on Data Protection in Telecommunications – http://datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083