Data Protection Jurisdiction and International Transfers in Cloud Computing
Institute of Advanced Legal Studies, 1 November 2011
Data Protection Jurisdiction and International Data Transfers in Cloud Computing
Julia Hörnle, Kuan Hon
Cloud Legal Project, Centre for Commercial Law Studies, Queen Mary, University of London
cloudlegalproject.org
Outline
- Cloud Legal Project
- Cloud computing
- Data protection jurisdiction
- International data transfers
What is cloud computing?
- IT resources over a network, scalable on demand
- US NIST service models:
  o Software as a Service (SaaS), incl. storage (e.g. Salesforce; Oracle CRM On Demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr)
  o Storage as a Service (also "SaaS"!): a convenient way of storing/backing up data online (e.g. box.net)
  o Infrastructure as a Service (IaaS): compute, storage (e.g. Amazon Web Services, Rackspace)
  o Platform as a Service (PaaS) (e.g. Google App Engine, Microsoft Windows Azure, Force.com)
- Classification may depend on viewpoint
Deployment models: private, community, public and hybrid clouds…
Cloud layers/'stack': different possible architectures, possible hidden layers. Who holds the user's data? Where?
[Diagram (from http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt): SaaS architectures (SaaS on PaaS on IaaS, or SaaS directly on cloud infrastructure); PaaS architectures (PaaS on IaaS, or PaaS directly on cloud infrastructure); IaaS architectures; plus physical infrastructure for each.]
Key cloud computing features relevant to data protection law
- Multiple providers? (layers)
- Data replication, deletion
- Sharding/chunking/fragmentation
- Location: multiple; changing?
- Design: provider access; encryption
- Use of/dependence on shared, third-party resources, incl. connectivity
Some possible contractual structures
[Diagram, three chains shown: User – Provider – Sub-provider; User – Integrator – Provider; Integrator/User – Provider]
When do EU data protection laws apply to a cloud user/controller?
Laws applied based on:
- Establishment/context
  o More than one law may apply!
  o Google Video case/Italy
  o Article 29 WP 179
  o Incl. through a third party
- Public international law
- Use of EEA 'equipment'/'means'
  o But transit?
When do EU data protection laws apply to a cloud user/controller? (cont.)
- Cookies (equipment): SaaS
- Use, by a non-EEA customer, of:
  o an EEA data centre? Data centre as an establishment? Subsidiary as an establishment?
  o an EEA cloud provider? Relevant/irrelevant establishment?
Cloud layers: knowledge or intention?
[Diagram repeated from http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt: SaaS, PaaS and IaaS architectures, each on physical cloud infrastructure.]
When do EU data protection laws apply to a cloud user/controller? (cont.)
- Non-EEA users: France, CNIL's relaxation for use of French providers
Full paper: http://bit.ly/clouddataprotection3
Replacement of jurisdictional tests with targeting?
- Has been used in other contexts, e.g.:
  o Consumer protection and applicable law to contracts: Cases C-585/08 and C-144/09 Pammer and Hotel Alpenhof
  o Trademark infringement on an auction platform: Case C-324/09 L'Oréal v eBay
- How could this be applied in a cloud context?
  o Outside the EEA: targeting
  o Within the EEA: country of origin rule?
"If we include entities outside the European Union, the data transfer that is inevitable with cloud computing — and which has no legitimacy under data privacy law — makes clouds inherently impermissible."
German regulator Thilo Weichert
"The DPA does not prohibit the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it. Clearly, this raises compliance issues that organisations using internet-based computing need to address."
UK Information Commissioner
Restriction on international data transfers
- Restriction on data export to a country without "adequate protection", with exceptions (Data Protection Directive, articles 25 & 26)
How can personal data be transferred outside the EEA? (1)
- Whitelisted countries: a short list
- Safe Harbor:
  o processors
  o layers/sub-providers and onward transfers
  o non-US/EEA data centres (Danish DPA ruling)
  o concerns about adequacy, e.g. German regulators
How can personal data be transferred outside the EEA? (2)
- BCRs
  o within a group only
- Model clauses: layered situation?
  o For an EEA customer using a cloud provider:

    Provider    Sub-provider    Covered by model clauses?
    Non-EEA     Non-EEA         Yes
    EEA         Non-EEA         No
Regional clouds: can cloud users control where their data are stored in clouds?
- It depends!
- No choice
- In practice, probably locally…
- Regions?
  o EEA ≠ EU ≠ Europe (Danish DPA decision)
  o Contractual commitment?
Even within the EEA…
- Data centres in multiple EEA Member States
- Obstacle: compliance with multiple national laws, which may conflict because of lack of harmonisation and inconsistencies regarding:
  o definitions, e.g. special category data
  o scope, e.g. data on corporate persons
  o security requirements, e.g. Italy v UK
But… should location of data really matter?
- Shouldn't the focus be on who can access data in intelligible form?
  o a non-EEA location doesn't mean bad protection
  o EEA doesn't guarantee good protection (question to the European Parliament re. Dutch Minister's statement)
- Given encryption, storage virtualisation and data fragmentation, what may be more important are:
  o the system's design, and
  o the provider's jurisdiction
Full paper: http://bit.ly/clouddataprotection4
Data Protection Directive reform
- Draft proposal expected 2012
- In by…?
Meanwhile…
- Location, location, location
- Encryption, encryption, encryption; but limitations:
  o speed
  o value-add operations on data
  o key management is critical
- Contract, contract, contract
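The two preceding slides ("should location of data really matter?" and "Meanwhile…") argue that what matters is who can read the data in intelligible form, and that encryption helps but blocks value-add operations on the data and makes key management critical. The following is an added example written for this page, not code from the slides or the Cloud Legal Project: the cloud user encrypts each record client-side with AES-256-GCM (Go standard library) under a key it never gives the provider, so the stored object is unintelligible to the provider wherever the data centre sits, and a provider-side operation such as substring search finds nothing in it. The sample record, the Provider type and all function names are constructed for this demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample record for the demo (not taken from the slides).
const sampleRecord = "name=Jane Doe;nationality=DK;condition=asthma"

// NewCustomerKey generates a 256-bit data-encryption key that stays with
// the cloud user (the controller); the provider never receives it.
func NewCustomerKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Seal encrypts a record client-side with AES-256-GCM before upload.
// Blob layout: nonce || ciphertext || authentication tag.
// A fresh random nonce per call means equal records give different blobs,
// so even equality matching on the provider side is impossible.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or a modified blob fails authentication,
// so a tenant with a different key, or a tampered object, yields an error.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Provider stands in for the storage layer of a cloud service in any
// region. It only ever sees the bytes the customer uploads.
type Provider struct{ objects map[string][]byte }

func NewProvider() *Provider { return &Provider{objects: map[string][]byte{}} }

func (p *Provider) Put(id string, blob []byte) { p.objects[id] = blob }

func (p *Provider) Get(id string) []byte { return p.objects[id] }

// Search models a provider-side "value-add" operation: substring search
// over stored objects. It works on plaintext uploads and returns nothing
// for encrypted ones, which is exactly the trade-off the slide names.
func (p *Provider) Search(needle string) []string {
	var hits []string
	for id, obj := range p.objects {
		if bytes.Contains(obj, []byte(needle)) {
			hits = append(hits, id)
		}
	}
	return hits
}

func main() {
	key, _ := NewCustomerKey()
	p := NewProvider()
	blob, _ := Seal(key, []byte(sampleRecord))
	p.Put("record-1", blob)
	fmt.Println("provider can find the name:", len(p.Search("Jane Doe")) > 0)
	pt, _ := Open(key, p.Get("record-1"))
	fmt.Println("customer recovers record:", string(pt) == sampleRecord)
	otherKey, _ := NewCustomerKey()
	_, err := Open(otherKey, p.Get("record-1"))
	fmt.Println("another key fails:", err != nil)
}
```

The design choice this shows is the one the slides point at: once the key stays with the user, the provider's region stops determining who can read the data, but the provider can no longer index, search or de-duplicate the records, and losing the key loses the data, so key storage and rotation become the controller's problem rather than the provider's.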
Meanwhile, in practice
- Contract: procurement process
  o Internal controls
  o Due diligence
- Contract: negotiate? e.g. Google with City of LA, Cambridge University
  o Controller/processor status
  o Any use of sub-'processors'
  o Data location
- Also:
  o Liability: integrity/breach/availability (backup!)
  o Modification/termination
  o Data retention/deletion
  o Right to disclose/monitor
  o Security (whose policy?), audit rights?
Cloud Legal Project research
- Data protection: other papers
  http://bit.ly/clouddataprotection1
  http://bit.ly/clouddataprotection2
- Links to regulatory etc. pronouncements: http://bit.ly/cloudlinks
- EU consultation response: http://bit.ly/clpeuresponse
- Other papers: http://cloudlegalproject.org/Research
- Future papers:
  o Negotiated cloud contracts
  o Cloud governance (not just data protection)
  o Consumer protection
Thanks for listening! Any questions?
Julia Hörnle, Kuan Hon
Cloud Legal Project, CCLS, Queen Mary, University of London
http://cloudlegalproject.org  @cloudlegalteam
Mailing list subscription: http://cloudlegalproject.org/Contact