Obscured by Clouds
This is the first song title. Recorded by Pink Floyd (http://en.wikipedia.org/wiki/Obscured_by_Clouds_(song)).
(c)2010 Castlebridge Associates.
Every one of you may be breaking the law*
*This is not a legal opinion. This presentation is for education and information purposes only and should not be construed in any way as legal advice. In any event, I’m not a lawyer and my opinions and views might only have the standing of an episode of Matlock with respect to the specific facts of your situation. Then again, I could be 100% correct. That’s a chance you will have to take unless you seek independent legal advice.
Some Quotes
“Building Data Protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the “Cloud” as it is of a routine development of an IT application in an organisation.” (DPC Annual Report 2009, page 4)
Four key Problems
Cross Border Transfers of Personal Data outside of the EU/EEA
Compliant contract terms for the Data Controller/Data Processor relationship
One solution to the X-Border Issue
“Objects stored in the EU (Ireland) Region never leave the EU unless you transfer them out. However, it is your responsibility to ensure that you comply with EU privacy laws.” (Amazon S3 FAQ, last accessed 2010-04-09 @16:54 GMT+1)
But the Contract Terms issue remains…
11.5. Disclaimers. AMAZON PROPERTIES, THE MARKS, THE SERVICES AND ALL TECHNOLOGY, SOFTWARE, FUNCTIONS, CONTENT, IMAGES, MATERIALS AND OTHER DATA OR INFORMATION PROVIDED BY US OR OUR LICENSORS IN CONNECTION THEREWITH (COLLECTIVELY THE “SERVICE OFFERINGS”) ARE PROVIDED “AS IS”. WE AND OUR LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO THE SERVICE OFFERINGS. EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW, WE AND OUR LICENSORS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE. WE AND OUR LICENSORS DO NOT WARRANT THAT THE SERVICE OFFERINGS WILL FUNCTION AS DESCRIBED, WILL BE UNINTERRUPTED OR ERROR FREE, OR FREE OF HARMFUL COMPONENTS, OR THAT THE DATA YOU STORE WITHIN THE SERVICE OFFERINGS WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. WE AND OUR LICENSORS SHALL NOT BE RESPONSIBLE FOR ANY SERVICE INTERRUPTIONS, INCLUDING, WITHOUT LIMITATION, POWER OUTAGES, SYSTEM FAILURES OR OTHER INTERRUPTIONS, INCLUDING THOSE THAT AFFECT THE RECEIPT, PROCESSING, ACCEPTANCE, COMPLETION OR SETTLEMENT OF ANY PAYMENT SERVICES. NO ADVICE OR INFORMATION OBTAINED BY YOU FROM US OR FROM ANY THIRD PARTY OR THROUGH THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.
What a Real Lawyer says…
“The contracts that underpin the services your business relies on form part of the bundle of things that a lawyer will look at when advising clients during the purchase of or investment in a business, kind of like the title deeds to a house or the ownership papers for a car. If your customer data is being processed (captured, hosted, managed) in a Cloud that doesn’t respect Data Protection law and actively opts out of it in the small print then, bluntly, you're running the risk of putting yourself in the same position as if you were trying to sell a house with defective title deeds, or your next door neighbour’s car.”
Simon McGarr, Solicitor & Blogger, Mcgarrsolicitors.ie (in response to a question about his article in the Irish Times, 11 Sept. 2009)
Safe Harbor: Theory vs. Practice

Theory
Safe Harbor member companies have signed up to respect the 8 EU Data Protection Principles
Companies understand the principles
Contract terms etc. don’t undermine DP compliance

Practice
Not all companies claiming Safe Harbor actually ARE Safe Harbor registered
T&Cs are often incompatible with the EU DP Principles
Relies on “self-certification” by companies of their DP compliance
Safe Harbor registration is “context” specific to the type of data being registered for
Only 31% of Safe Harbor registered organisations meet the minimum standard for the Safe Harbor Data Protection Principles.
Only 3% of Safe Harbor listed organisations are compliant with the minimum Safe Harbor requirements for all categories of personal data.
19% of Safe Harbor registrants require use of a dispute resolution service that is not affordable for individuals (one service has a minimum fee of €1780).
206 organisations claim membership of Safe Harbor when they are not actually registered (equivalent to almost 20% of the full registered list).
There is also a significant issue of false/misleading information being presented.
Source: The US Safe Harbor – Fact or Fiction, a research study from Galexia (http://galexia.com)
The Cloud Computing Problem
Solutions
Cloud providers successfully lobby to change the Data Protection Regulations.
Cloud customers negotiate better contract terms that fill the missing rungs on the ladder.
A Cloud hosting provider steps up to the mark and provides a fully DP compliant cloud platform, with audit reports etc. on security and organisational culture around DP, and ZERO transfer outside of the EU.
Shameless Plug
Castlebridge Associates – Helping Organisations Manage Information Assets as well as (or better than) their People!
Castlebridge-Associates.com
firstname.lastname@example.org
Useful Links
McGarrsolicitors.ie: Article on Facebook & Safe Harbor; Article on Cloud Computing
Irish Computer Society: Data Protection Training; Data Protection Conferences
Data Protection Commissioner Annual Report
Information Commissioner (UK): Consultation on Code of Practice for Personal Information On-Line (with reference to cloud computing) – not yet launched, but consultation closed March 2010
EU Commission Reports on Safe Harbor (2002, 2004)
Galexia Consulting Study on Safe Harbor