Uploaded on

Cloud Computing Europe Day 1 EDPS Presentation

Cloud Computing Europe Day 1 EDPS Presentation

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Applying EU Data Protection to Cloud Computing Rosa Barcelo Legal adviser European Data Protection Supervisor
  • 2. Privacy risks in a nutshell
  • 3. Privacy risks in a nutshell I
    • Cloud computing from a privacy perspective:
      • Many cloud applications for consumers
      • Terabytes of data (some sensitive)
      • Stored in centres around the world
    • Risks:
  • 4. Privacy risks in a nutshell II
      • Security glitches (unintended)
      • Hacking
      • Risk of use of data for unrelated purposes
      • Accessibility restrictions (losing control)
      • Data stored in countries with poor data protection laws
      • Wiretapping by Governments
  • 5. Application of EU data protection legislation
  • 6. Application of EU data protection legislation I
      • If Directives apply, cloud provider must (if it is “controller”):
        • Ensure the security of the data and subsequent responsibility (Art 17)
        • Provide information to individuals (Art 10)
  • 7. Application of EU data protection legislation II
        • Application of the purpose limitation principle (Article 6)
        • Restriction on international data transfers (Arts 25 and 26)
        • Retention principle (Art 6)
        • Access rights (Art 14)
  • 8. Application of EU data protection legislation III
        • Responsibilities if cloud computing provider fails to fulfill its obligations
        • Authorities have enforcement powers
        • Sanctions
  • 9. Challenges and gaps in EU data protection legislation
  • 10. The Challenges I
      • Is the cloud provider a data controller or a processor?
        • The responsibilities are different;
        • Probably, processor but it will depend on the circumstances;
  • 11. The Challenges II
      • Determining whether the Directives apply:
        • Controller is established in the EU
        • Controller not established in the EU but uses equipment located in the EU for the processing of personal data
  • 12. The Challenges III
      • Compliance with provisions on international data transfers:
        • Is it a data transfer? ( Bodil Lindqvist)
        • Notification to authorities
        • Safe Harbour and adequacy findings
        • Putting contracts in place
        • BCRs & others
      • Difficult to apply the rules in case of multiple transfers which are often the case
  • 13. The Challenges & Gaps IV
      • If cloud client is an individual using the cloud for private purposes (eg calendar, storing pictures):
        • Similar to Picasa;
        • Does the Directive apply at all? Is there a l acuna and thus a lack of protection?
        • What are the responsibilities of the cloud provider in such cases?
  • 14. The Challenges & Gaps V
      • WP 29 expected guidance
      • Changes in the Data Protection Directive
          • New principles: Privacy by design, accountability
          • Updated rules on international data transfers
          • Specific rules for cloud computing?
  • 15. Conclusions
    • When engaging in cloud computing one must:
      • Be aware of EU legislation on data protection & ensure compliance:
      • Be aware that application may be “tricky”(international transfers).
    • Hope for solutions:
      • WP 29 guidance
      • Changes of the Directive? As part of a broader attempt to solve other (wider) problems
  • 16.
      • Questions?