Johan Vandendriessche: Privacy & Compliance Issues with Cloud Computing
  1. Privacy & Compliance Issues with Cloud Computing (in Theory and Practice). Johan Vandendriessche, 24 March 2011.

  2. Some key concepts: Cloud Computing (by layer)
     • SaaS: Google Docs, Gmail
     • PaaS: Google App Engine, Microsoft Azure Platform
     • IaaS: Oracle/AWS, Amazon Web Services, FlexiScale

  3. Some key concepts: Cloud Computing (by type)

  4. Some key concepts: Cloud Computing (by type)

     Type                 Managed by              Ownership of infrastructure   Dedicated hardware
     Public               Cloud Service Provider  Cloud Service Provider        No
     Private, external    Cloud Service Provider  Cloud Service Provider        Yes
     Private, internal    Internal Organization   Internal Organization         Yes
     Hybrid               Mixed                   Mixed                         Depends on the contract with the CSP

     Source: J. Ruiter and M. Warnier, Privacy Regulations for Cloud Computing: Compliance and Implementation in Theory and Practice.

  5. Some key concepts: Compliance
     • Strict sense: “conforming to a rule, such as a specification, policy, standard or law”
     • Tendency to include operational risks in regulations, thereby extending the notion of ‘compliance’ to certain operational risk assessments
       ◦ MiFID
       ◦ CBFA Circular Letter PPB 2004/5 on good practices in relation to outsourcing by financial institutions and investment companies
     Privacy (Data Protection)
     • Set of limitations in relation to the processing of ‘personal data’
     • Essential compliance obligation!

  6. Importance of data protection compliance
     UK
     • Fine of 2.275.000 £ imposed by the FSA on Zurich Insurance Company due to data loss by a service provider (outsourced data processing)
     • Data loss relating to 46.000 clients due to an unencrypted backup tape
     • No evidence that the data had been misused or compromised, but it was clear that Zurich had no effective data protection systems in place, nor systems to manage the risks to the security of customer data resulting from the outsourcing arrangement
     Germany
     • Fine of 1.100.000 EUR imposed by the Berlin DPA on Deutsche Bahn
     • Screening of employee and supplier data to combat corruption
     • Monitoring of communication sent by employees via external e-mail accounts
     France
     • Regular fines by CNIL

  7. Scope of Data Protection Law
     Limitations in relation to the processing of personal data
     • Personal data: “any information in relation to an identified or identifiable physical person […]”
       ◦ Very broad legal interpretation of the concept of personal data
       ◦ Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
     • Processing: “any operation or set of operations which is performed upon personal data […]”
     Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
     • Data controller
     • Data processor (“service provider”)

  8. Principles of Data Protection Law
     • Processing of personal data is prohibited, unless allowed by the Data Protection Law
     • The data processing must comply with specific principles:
       ◦ Proportionality
       ◦ Purpose limitation
       ◦ Limited in time
       ◦ (Individual and collective) Transparency
       ◦ Data quality
       ◦ Data security
       ◦ (Individual and collective) Enforcement measures
     • No export of personal data to non-EEA countries, unless adequate protection is offered

  9. Security Obligations
     Security obligation
     • General obligation
     • Specific obligations
     • Obligations in relation to the use of data processors
     The Belgian Data Protection Commission has issued a list of security measures that can be implemented
     • ‘Reference Measures’
     • Description of 10 information security measures
     • Based on the ISO 27000 series

  10. Security Obligations
     General obligation to implement security measures
     • Technical measures
       ◦ User access management
       ◦ IT security (anti-virus, firewall, …)
       ◦ Fire prevention measures
     • Organizational measures
       ◦ Data categorization (confidentiality level)
       ◦ Employee policies
     • Protection against any unauthorized processing
     • Adequate level of protection, taking into account:
       ◦ Available technology and costs;
       ◦ Nature of the personal data concerned and the potential risks
     • Both types of measures are interchangeable

  11. Data Processing by Service Providers
     Data processing operations are often carried out by service providers (“data processors”)
     Security measures in case of data processors
     • Choice of data processor (quality requirement)
     • Security measures must be contractually imposed & verified
     • Determine the extent of liability of the data processor
       ◦ Data controller is subject to strict liability
       ◦ Data controller can be held liable for the acts of the data processor
     • Limit the mission of the data processor
     • Conclude a written data processing agreement
       ◦ Paper document
       ◦ Electronic document

  12. Cloud Service Providers (CSP)
     A Cloud Service Provider (CSP) is generally a ‘data processor’
     Cloud Computing agreements
     • Standard ‘click-wrap’ agreements
       ◦ Generally considered valid under Belgian law in a B2B context
       ◦ Meet the requirements of ‘electronic medium’ in data protection legislation
     • Security measures must be imposed and audited
       ◦ Issue: how to audit security measures in a Cloud setting?
         – Potentially multinational
         – Locations may change
         – Auditing CSPs may become very expensive
       ◦ Solution: certification of the CSP (check the scope of the certificates!)
         – SAS 70 Type II
         – ISO 9000 series
         – ISO 27000 series

  13. Issues relating to international dataflows
     [Diagram: Internal Market for Personal Data = European Economic Area (EEA). Three dataflows are shown:]
     • (1) Data Transfer: Data Controller inside the EEA to a CSP inside the EEA (but in another EEA Member State)
     • (2) Data Import: Data Controller outside the EEA to a CSP inside the EEA
     • (3) Data Export: Data Controller inside the EEA to a CSP outside the EEA

  14. Issues relating to international dataflows
     Dataflow within the EEA (1)
     • The law of the country of establishment of the data controller applies to the data processing operation
     • Subsequent transfers to sub-processors located within the EEA are possible within the scope of the data processing agreement
     • Subsequent transfers to sub-processors located outside the EEA are in principle not possible within the scope of the data processing agreement
       ◦ There is no P2P (processor-to-processor) Model Contract
       ◦ The new Model Contract leaves the door partially open
       ◦ A multiparty C2P (controller-to-processor) Model Contract offers a solution

  15. Issues relating to international dataflows
     Dataflow from a data controller outside the EEA to a CSP inside the EEA (2)
     • National data protection law applies if ‘means’ are applied by the data controller on the territory of a member state
     • Accumulation of applicable laws if ‘means’ are applied on the territory of several member states
     • ‘Worst case situation’, as the data controller is subjected to data protection law due to the location of the CSP (or its subcontractors)
     • Art. 29 WP Opinion 8/2010 on applicable law: this criterion has shown to have undesirable consequences, such as a possible universal application of EU law
       ◦ Under review for the future data protection framework

  16. Issues relating to international dataflows
     Dataflow from a data controller inside the EEA to a CSP outside the EEA (3)
     • The law of the country of establishment of the data controller applies to the data processing operation
     • No export to countries outside the EEA, except if they offer adequate protection
       ◦ White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
       ◦ BCR / Model Contracts
       ◦ The latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing

  17. Practical approach to Cloud Computing
     Review the security mechanisms in place
     • Security arrangements to mitigate the risks must be in place
     Review the certification of the CSP
     • Which certificates?
     • Scope of the certificates?
     • Background on the certification process
     Perform due diligence in relation to the CSP’s terms & conditions
     • Performance levels
     • Contractual limitations
     • Exit Plan / Retransition
       ◦ Is there an obligation to hand over the client’s data in a readily exploitable manner to the client or any subsequent service provider?
       ◦ Belgian law is not very helpful on this issue

  18. Conclusion
     Cloud Computing is possible in a compliant manner in most cases
     • Data security is a key issue
     • International dataflows are facilitated by the latest Model Contract
     Choose the right type of Cloud Computing Service according to the compliance requirements
     Security measures must be implemented and audited, especially where personal data are involved
     • Potentially expensive (for client and CSP alike)
     • Certification offers a valid solution if some precautions are taken (scope!)

  19. Thank you for your attention! Questions?