Data Protection Jurisdiction and International Transfers in Cloud Computing
Slides for talk at Institute of Advanced Legal Studies, London, on 1 Nov 2011


Published in: Business, Technology
Transcript

  • 1. Institute of Advanced Legal Studies, 1 November 2011. Data Protection Jurisdiction and International Data Transfers in Cloud Computing. Julia Hörnle, Kuan Hon. Cloud Legal Project, Centre for Commercial Law Studies, Queen Mary, University of London. cloudlegalproject.org
  • 2. Outline: Cloud Legal Project; Cloud computing; Data protection jurisdiction; International data transfers
  • 3. Cloud Legal Project
  • 4. Cloud Legal Project: History; Aims
  • 5. Cloud computing
  • 6. What is cloud computing? IT resources over a network, scalable on demand. US NIST service models: Software as a Service (SaaS) – incl. storage (e.g. Salesforce; Oracle CRM On Demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr) o Storage as a Service (also SaaS!) = convenient way of storing / backing up data online (e.g. box.net); Infrastructure as a Service (IaaS) (e.g. Amazon Web Services, Rackspace) – compute, storage; Platform as a Service (PaaS) (e.g. Google App Engine, Microsoft Windows Azure, Force.com). Classification may depend on viewpoint
  • 7. Deployment models: private, community, public and hybrid clouds…
  • 8. Cloud layers/‘stack’ – different possible architectures, possible hidden layers --> Who holds the user’s data? Where? [Diagram: NIST service-model architectures – SaaS built on PaaS, on IaaS or directly on cloud infrastructure; PaaS on IaaS or on cloud infrastructure; IaaS on cloud infrastructure – plus physical infrastructure for each. From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt]
  • 9. Key cloud computing features relevant to data protection law: Multiple providers? (layers); Data replication, deletion; Sharding/chunking/fragmentation; Location – multiple; changing?; Design – provider access; encryption; Use of/dependence on shared, third-party resources, incl. connectivity
  • 10. Some possible contractual structures: (1) User – Provider – Sub-provider; (2) User – Integrator – Provider; (3) Integrator / User – Provider
  • 11. Data Protection Jurisdiction
  • 12. When do EU data protection laws apply to a cloud user/controller? Laws applied based on: Establishment/context o More than one law may apply! o Google Video case/Italy o Article 29 WP 179 o Incl. through third party; Public international law; Use of EEA ‘equipment’/‘means’ o But transit?
  • 13. When do EU data protection laws apply to a cloud user/controller? Cookies (equipment) – SaaS. Use, by non-EEA customer, of: EEA data centre? o Data centre as an establishment? o Subsidiary as an establishment? EEA cloud provider? Relevant/irrelevant establishment?
  • 14. Cloud layers – Layers: knowledge or intention? [Diagram: same NIST service-model architecture stack as slide 8 (SaaS/PaaS/IaaS on cloud infrastructure, plus physical infrastructure for each). From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt]
  • 15. When do EU data protection laws apply to a cloud user/controller? Non-EEA users – France – CNIL’s relaxation for use of French providers. Full paper: http://bit.ly/clouddataprotection3
  • 16. Replacement of jurisdictional tests with targeting? Has been used in other contexts, e.g. consumer protection & applicable law to contracts o Joined Cases C-585/08 and C-144/09 Pammer and Hotel Alpenhof; trademark infringement on auction platform o Case C-324/09 L’Oréal v eBay. How could this be applied in a cloud context? Outside EEA: targeting. Within EEA: country of origin rule?
  • 17. International Data Transfers
  • 18. “If we include entities outside the European Union, the data transfer that is inevitable with cloud computing — and which has no legitimacy under data privacy law — makes clouds inherently impermissible.” German regulator Thilo Weichert
  • 19. “The DPA does not prohibit the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it. Clearly, this raises compliance issues that organisations using internet-based computing need to address.” UK Information Commissioner
  • 20. Restriction on international data transfers: restriction on data export to a country without “adequate protection”, with exceptions (Data Protection Directive 95/46/EC, articles 25 & 26)
  • 21. How can personal data be transferred outside the EEA? – 1. Whitelisted countries: a short list. Safe Harbor: processors; layers/sub-providers & onward transfers; non-US/EEA data centres (Danish DPA ruling); concerns about adequacy, e.g. German regulators
  • 22. How can personal data be transferred outside the EEA? – 2. BCRs o within group only. Model clauses – layered situation? o For EEA customer using a cloud provider:
        Provider   | Sub-provider | Covered by model clauses?
        Non-EEA    | Non-EEA      | Yes
        EEA        | Non-EEA      | No
  • 23. Regional clouds – can cloud users control where their data are stored in clouds? It depends! No choice; in practice, probably locally… Regions? o EEA ≠ EU ≠ Europe – Danish DPA decision o Contractual commitment?
  • 24. Even within the EEA… Data centres in multiple EEA Member States. Obstacle: compliance with multiple national laws, which may conflict because of lack of harmonisation and inconsistencies re: definitions (e.g. special category data); scope (e.g. data on corporate persons); security requirements (e.g. Italy v UK)
  • 25. But… should location of data really matter? Shouldn’t the focus be on who can access data in intelligible form? Non-EEA location doesn’t mean bad protection; EEA doesn’t guarantee good protection – question to European Parliament re: Dutch Minister’s statement. Given encryption, storage virtualisation & data fragmentation, what may be more important are the system’s design, and the provider’s jurisdiction. Full paper: http://bit.ly/clouddataprotection4
  • 26. Data Protection Directive reform: draft proposal – expected 2012. In by…?
  • 27. Meanwhile… Location, location, location. Encryption, encryption, encryption; but limitations – speed; value-add operations on data; key management critical. Contract, contract, contract
  • 28. Meanwhile, in practice: Contract – procurement process: internal controls; due diligence. Contract – negotiate? e.g. Google – City of LA, Cambridge U: controller/processor status; any use of sub-‘processors’; data location. Also: liability – integrity/breach/availability (backup!); modification/termination; data retention/deletion; right to disclose/monitor; security (whose policy), audit rights?
  • 29. Cloud Legal Project research. Data protection – other papers: http://bit.ly/clouddataprotection1 http://bit.ly/clouddataprotection2. Links to regulatory etc. pronouncements: http://bit.ly/cloudlinks. EU consultation response: http://bit.ly/clpeuresponse. Other papers: http://cloudlegalproject.org/Research. Future papers: negotiated cloud contracts; cloud governance (not just data protection); consumer protection
  • 30. Thanks for listening! Any questions? Julia Hörnle j.hornle@qmul.ac.uk; Kuan Hon w.k.hon@qmul.ac.uk. Cloud Legal Project, CCLS, Queen Mary, University of London. http://cloudlegalproject.org @cloudlegalteam. Mailing list subscription: http://cloudlegalproject.org/Contact
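Slides 25 and 27 make a systems point rather than a legal one: if the controller encrypts before upload and keeps the key, the provider (wherever its data centre sits) holds personal data only in unintelligible form, at the cost of the provider's value-add operations and with key management becoming critical. The following is an added illustration of that design, not code from the talk or the Cloud Legal Project. It uses only the Python standard library; the cipher is an illustrative encrypt-then-MAC construction (HMAC-SHA256 keystream XOR plaintext, then an HMAC-SHA256 tag) standing in for a vetted AEAD such as AES-GCM, and the store, record names and sample records are all constructed for the example.

```python
# Added example (not from the talk): client-side encryption so that a cloud
# provider holds personal data only in unintelligible form, plus two of the
# limitations slide 27 lists: server-side value-add operations (search) stop
# working on ciphertext, and the key rather than the data's location becomes
# the thing that must be protected.
#
# Standard library only. The cipher below is an illustrative encrypt-then-MAC
# construction; in a real system use a vetted AEAD (e.g. AES-GCM) from a
# maintained library. CloudStore, RECORDS and the helper names are hypothetical.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce per call keeps keystreams unique."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or an altered blob raises ValueError."""
    enc_key, mac_key = _subkeys(master)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def decrypt_ok(master: bytes, blob: bytes) -> bool:
    """True if blob decrypts and authenticates under master (lost key => False)."""
    try:
        decrypt(master, blob)
        return True
    except ValueError:
        return False


class CloudStore:
    """Stand-in for a provider's object storage in some region (hypothetical).
    It only ever sees the bytes the customer uploads, whatever jurisdiction it is in."""

    def __init__(self, region: str) -> None:
        self.region = region
        self.objects: dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self.objects[name] = data

    def get(self, name: str) -> bytes:
        return self.objects[name]

    def provider_search(self, needle: bytes) -> list[str]:
        """A value-add operation the provider might offer: server-side substring search."""
        return [n for n, d in self.objects.items() if needle in d]


# Constructed sample personal data (fictitious people).
RECORDS = {
    "rec-1": b"name=Alice Example;email=alice@example.org;health=asthma",
    "rec-2": b"name=Bob Example;email=bob@example.org;health=none",
}


def upload(records: dict[str, bytes], master: bytes, store: CloudStore) -> None:
    """Controller encrypts each record before it leaves the controller's environment."""
    for name, plaintext in records.items():
        store.put(name, encrypt(master, plaintext))


def read_back(names, master: bytes, store: CloudStore) -> dict[str, bytes]:
    """Controller fetches ciphertext and decrypts locally with its own key."""
    return {n: decrypt(master, store.get(n)) for n in names}


def provider_can_read(store: CloudStore) -> bool:
    """True if any stored object exposes a plaintext marker to the provider."""
    return any(b"example.org" in d for d in store.objects.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    store = CloudStore("non-EEA-region")
    upload(RECORDS, key, store)
    print("provider can read:", provider_can_read(store))          # False
    print("provider search 'Alice':", store.provider_search(b"Alice"))  # []
    print("controller read-back matches:", read_back(RECORDS, key, store) == RECORDS)
    print("decrypts with lost/other key:", decrypt_ok(secrets.token_bytes(32), store.get("rec-1")))
```

Note what the example does and does not buy: the provider's region and jurisdiction stop mattering for confidentiality of the stored bytes, but the provider's search no longer works (the "value-add operations" limitation), every record is unrecoverable if the master key is lost, and the key must live somewhere the provider cannot reach, which is where the contractual and design questions of slides 25 and 28 come back in.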