Institute of Advanced Legal Studies                           1 November 2011Data Protection Jurisdiction andInternational...
Outline   Cloud Legal Project   Cloud computing   Data protection jurisdiction   International data transfers
Cloud Legal Project
Cloud Legal Project History Aims
Cloud computing
What is cloud computing? IT resources over network, scalable on demand US NIST service models    Software as a Service ...
Deployment models: private, community,public and hybrid clouds…
Cloud layers/‘stack’– different possible   architectures, possible hidden layers   --> Who holds user’s data? Where?      ...
Key cloud computing features relevantto data protection law   Multiple providers? (layers)   Data replication, deletion...
Some possible contractual structuresUser       Provider      Sub-providerUser       Integrator    Provider           Integ...
Data Protection  Jurisdiction
When do EU data protection lawsapply to a cloud user/controller? Laws applied based on:  Establishment/context    o More...
When do EU data protection lawsapply to a cloud user/controller? Cookies (equipment) – SaaS Use, by non-EEA customer, of...
Cloud layers   Layers - knowledge or intention?Cloud Infrastructure   Cloud Infrastructure   Cloud Infrastructure         ...
When do EU data protection laws apply to acloud user/controller? Non-EEA users - France - CNIL’s  relaxation for use of F...
Replacement of jurisdictional tests with targeting? Has been used in other contexts, eg  Consumer protection & applicabl...
International Data     Transfers
If we include entities outside theEuropean Union, the data transfer that isinevitable with cloud computing — andwhich has ...
The DPA does not prohibit the overseastransfer of personal data, but it doesrequire that it is protected adequatelywhereve...
Restriction on international data transfers Restriction on data export to country  without “adequate protection”, with  e...
How can personal data be transferredoutside the EEA? - 1 Whitelisted countries  a short list Safe Harbor –  processors...
How can personal data be transferredoutside the EEA? - 2  BCRs      o within group only  Model clauses – layered situati...
Regional clouds - can cloud users controlwhere their data are stored in clouds? It depends!  No choice  In practice, pr...
Even within the EEA… Data centres in multiple EEA Member States Obstacle: compliance with multiple national  laws, which...
But… should location of data really matter? Shouldn’t the focus be on who can access data  in intelligible form?   non-E...
Data Protection Directive reform Draft proposal – expected 2012 In by…?
Meanwhile… Location, location, location Encryption, encryption, encryption;  but limitations -  speed  value-add  ope...
Meanwhile, in practice Contract - procurement process    Internal controls    Due diligence Contract – negotiate? eg G...
Cloud Legal Project research Data protection – other papers  http://bit.ly/clouddataprotection1  http://bit.ly/clouddatap...
Thanks for listening!Any questions?Julia Hörnle j.hornle@qmul.ac.ukKuan Hon w.k.hon@qmul.ac.uk   Cloud Legal Project, CCLS...
Upcoming SlideShare
Loading in …5
×

Data Protection Jurisdiction and International Transfers in Cloud Computing

2,145 views
2,027 views

Published on

Slides for talk at Institute of Advanced Legal Studies, London, on 1 Nov 2011

Published in: Business, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,145
On SlideShare
0
From Embeds
0
Number of Embeds
78
Actions
Shares
0
Downloads
51
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Data Protection Jurisdiction and International Transfers in Cloud Computing

  1. 1. Institute of Advanced Legal Studies 1 November 2011Data Protection Jurisdiction andInternational Data Transfers in Cloud Computing Julia Hörnle Kuan Hon Cloud Legal Project Centre for Commercial Law Studies, Queen Mary, University of London cloudlegalproject.org
  2. 2. Outline Cloud Legal Project Cloud computing Data protection jurisdiction International data transfers
  3. 3. Cloud Legal Project
  4. 4. Cloud Legal Project History Aims
  5. 5. Cloud computing
  6. 6. What is cloud computing? IT resources over network, scalable on demand US NIST service models  Software as a Service (SaaS) – incl. storage (eg. Salesforce; Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr) o Storage as a Service (also SaaS!) = convenient way of storing / backing-up data online (eg. box.net)  Infrastructure as a Service (IaaS) (eg. Amazon Web Services, Rackspace) – compute, storage  Platform as a Service (PaaS) (eg. Google App Engine, Microsoft Windows Azure, Force.com) Classification may depend on viewpoint
  7. 7. Deployment models: private, community,public and hybrid clouds…
  8. 8. Cloud layers/‘stack’– different possible architectures, possible hidden layers --> Who holds user’s data? Where? + SaaS Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure IaaS Software as a Service on PaaS PaaS (SaaS) IaaS SaaS SaaS SaaS Architectures Cloud Infrastructure Cloud Infrastructure IaaS Platform as a Service (PaaS) PaaS PaaS Architectures + physical infrastructure Cloud Infrastructure for each! IaaS Infrastructure as a Service (IaaS) ArchitecturesFromhttp://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
  9. 9. Key cloud computing features relevantto data protection law Multiple providers? (layers) Data replication, deletion Sharding/chunking/fragmentation Location – multiple; changing? Design - provider access; encryption Use of/dependence on shared, third party resources, incl connectivity
  10. 10. Some possible contractual structuresUser Provider Sub-providerUser Integrator Provider IntegratorUser Provider
  11. 11. Data Protection Jurisdiction
  12. 12. When do EU data protection lawsapply to a cloud user/controller? Laws applied based on: Establishment/context o More than one law may apply! o Google Video case/Italy o Article 29 WP 179 o Incl. through third party Public international law Use of EEA equipment‘/’means’ o But transit?
  13. 13. When do EU data protection lawsapply to a cloud user/controller? Cookies (equipment) – SaaS Use, by non-EEA customer, of: EEA data centre? o Data centre as an establishment? o Subsidiary as an establishment? EEA cloud provider? Relevant/irrelevant establishment?
  14. 14. Cloud layers Layers - knowledge or intention?Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure IaaS Software as a Service + SaaS PaaS PaaS (SaaS) on SaaS SaaS SaaS Architectures IaaSCloud Infrastructure Cloud Infrastructure IaaS Platform as a Service (PaaS) PaaS PaaS Architectures + physicalCloud Infrastructure infrastructure IaaS Infrastructure as a Service (IaaS) for each! ArchitecturesDiagram fromhttp://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
  15. 15. When do EU data protection laws apply to acloud user/controller? Non-EEA users - France - CNIL’s relaxation for use of French providers Full paper http://bit.ly/clouddataprotection3
  16. 16. Replacement of jurisdictional tests with targeting? Has been used in other contexts, eg Consumer protection & applicable law to contracts o Cases C-585/08 and 144/09 Pammer and Hotel Alpenhof Trademark infringement on auction platform o Case C-324/09 L’Oreal v eBay How could this be applied in a cloud context? Outside EEA: targeting Within EEA: country of origin rule?
  17. 17. International Data Transfers
  18. 18. If we include entities outside theEuropean Union, the data transfer that isinevitable with cloud computing — andwhich has no legitimacy under dataprivacy law — makes clouds inherentlyimpermissible. German regulator Thilo Weichert
  19. 19. The DPA does not prohibit the overseastransfer of personal data, but it doesrequire that it is protected adequatelywherever it is located and whoever isprocessing it. Clearly, this raisescompliance issues that organisationsusing internet-based computing need toaddress. UK Information Commissioner
  20. 20. Restriction on international data transfers Restriction on data export to country without “adequate protection”, with exceptions (articles 25 & 26)
  21. 21. How can personal data be transferredoutside the EEA? - 1 Whitelisted countries a short list Safe Harbor – processors layers/sub-providers & onward transfers non-US/EEA data centres (Danish DPA ruling) concerns about adequacy eg German regulators
  22. 22. How can personal data be transferredoutside the EEA? - 2 BCRs o within group only Model clauses – layered situation? o For EEA customer using a cloud provider – Provider Sub-provider Covered by model clauses?Non-EEA Non-EEA YesEEA Non-EEA No
  23. 23. Regional clouds - can cloud users controlwhere their data are stored in clouds? It depends! No choice In practice, probably locally… Regions? oEEA ≠ EU ≠ Europe – Danish DPA decision oContractual commitment?
  24. 24. Even within the EEA… Data centres in multiple EEA Member States Obstacle: compliance with multiple national laws, which may conflict because of lack of harmonisation and inconsistencies re.: definitions eg special category data scope eg data on corporate persons security requirements eg Italy v UK
  25. 25. But… should location of data really matter? Shouldn’t the focus be on who can access data in intelligible form? non-EEA location doesn’t mean bad protection EEA doesn’t guarantee good protection – question to European Parliament re. Dutch Minister’s statement Given encryption, storage virtualisation & data fragmentation, what may be more important are System’s design, and Provider’s jurisdiction Full paper http://bit.ly/clouddataprotection4
  26. 26. Data Protection Directive reform Draft proposal – expected 2012 In by…?
  27. 27. Meanwhile… Location, location, location Encryption, encryption, encryption; but limitations - speed value-add operations on data key management critical Contract, contract, contract
  28. 28. Meanwhile, in practice Contract - procurement process  Internal controls  Due diligence Contract – negotiate? eg Google – City of LA, Cambridge U  Controller/processor status  Any use of sub-‘processors’  Data location Also:  Liability - integrity/breach/availability (backup!)  Modification/termination  Data retention/deletion  Right to disclose/monitor  Security (whose policy), audit rights?
  29. 29. Cloud Legal Project research Data protection – other papers http://bit.ly/clouddataprotection1 http://bit.ly/clouddataprotection2 Links to regulatory etc pronouncements http://bit.ly/cloudlinks EU consultation response http://bit.ly/clpeuresponse Other papers http://cloudlegalproject.org/Research Future papers  Negotiated cloud contracts  Cloud governance (not just data protection)  Consumer protection
  30. 30. Thanks for listening!Any questions?Julia Hörnle j.hornle@qmul.ac.ukKuan Hon w.k.hon@qmul.ac.uk Cloud Legal Project, CCLS Queen Mary, University of London http://cloudlegalproject.org @cloudlegalteamMailing list subscriptionhttp://cloudlegalproject.org/Contact

×