Some key concepts: Cloud Computing (by type)

Type               | Managed by             | Ownership of infrastructure | Dedicated hardware
Public             | Cloud Service Provider | Cloud Service Provider      | No
Private, external  | Cloud Service Provider | Cloud Service Provider      | Yes
Private, internal  | Internal Organization  | Internal Organization       | Yes
Hybrid             | Mixed                  | Mixed                       | Depends on the contract with the CSP

Source: J. Ruiter and M. Warnier, Privacy Regulations for Cloud Computing – Compliance and Implementation in Theory and Practice.
Some key concepts: Compliance

- Strict sense: “conforming to a rule, such as a specification, policy, standard or law”
- Tendency to include operational risks in regulations, thereby extending the notion of ‘compliance’ to certain operational risk assessments
  - MiFID
  - CBFA Circular Letter PPB 2004/5 on good practices in relation to outsourcing by financial institutions and investment companies
- Privacy (Data Protection): set of limitations in relation to the processing of ‘personal data’
  - Essential compliance obligation!
Importance of data protection compliance

- UK: fine of 2.275.000 £ imposed by the FSA on Zurich Insurance Company due to data loss by a service provider (outsourced data processing)
  - Data loss related to 46.000 clients due to an unencrypted backup tape
  - No evidence that the data had been misused or compromised, but it was clear that Zurich had no effective data protection systems in place, nor systems to manage the risks to the security of customer data resulting from the outsourcing arrangement
- Germany: fine of 1.100.000 EUR imposed by the Berlin DPA on Deutsche Bahn
  - Screening of employee and supplier data to combat corruption
  - Monitoring of communication sent by employees via external e-mail accounts
- France: regular fines by the CNIL
Scope of Data Protection Law

- Limitations in relation to the processing of personal data
- Personal data: “any information in relation to an identified or identifiable physical person […]”
  - Very broad legal interpretation of the concept of personal data
  - Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
- Processing: “any operation or set of operations which is performed upon personal data […]”
- Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
  - Data controller
  - Data processor (“service provider”)
Principles of Data Protection Law

- Processing of personal data is prohibited, unless allowed by the Data Protection Law
- The data processing must comply with specific principles:
  - Proportionality
  - Purpose limitation
  - Limited in time
  - Transparency
  - Data quality
  - Data security
- Enforcement measures (individual and collective)
- No export of personal data to non-EEA countries, unless adequate protection is offered
Security Obligations

- Security obligation
  - General obligation
  - Specific obligations
  - Obligations in relation to the use of data processors
- The Belgian Data Protection Commission has issued a list of security measures that can be implemented (‘Reference Measures’)
  - Description of 10 information security measures
  - Based on the ISO 27000 series
Security Obligations: general obligation to implement security measures

- Technical measures
  - User access management
  - IT security (anti-virus, firewall, …)
  - Fire prevention measures
- Organizational measures
  - Data categorization (confidentiality level)
  - Employee policies
- Protection against any unauthorized processing
- Adequate level of protection, taking into account:
  - available technology and costs;
  - the nature of the personal data concerned and the potential risks
- Both types of measures are interchangeable
Data Processing by Service Providers

- Data processing operations are often carried out by service providers (“data processors”)
- Security measures in case of data processors
  - Choice of data processor (quality requirement)
  - Security measures must be contractually imposed and verified
  - Determine the extent of liability of the data processor
    - The data controller is subject to strict liability
    - The data controller can be held liable for the acts of the data processor
  - Limit the mission of the data processor
  - Conclude a written data processing agreement
    - Paper document
    - Electronic document
Cloud Service Providers (CSP)

- A Cloud Service Provider (CSP) is generally a ‘data processor’
- Cloud Computing agreements
  - Standard ‘click-wrap’ agreements
  - Generally considered valid under Belgian law in a B2B context
  - Meet the requirements of an ‘electronic medium’ in data protection legislation
- Security measures must be imposed and audited
  - Issue: how to audit security measures in a Cloud setting?
    - Potentially multinational
    - Locations may change
    - Auditing CSPs may become very expensive
  - Solution: certification of the CSP (check the scope of the certificates!)
    - SAS 70 Type II
    - ISO 9000 series
    - ISO 27000 series
Issues relating to international dataflows

[Diagram: Internal Market for Personal Data = European Economic Area (EEA). Three dataflows are shown: (1) Data Transfer from a Data Controller inside the EEA to a CSP inside the EEA (but in another EEA Member State); (2) Data Import from a Data Controller outside the EEA to a CSP inside the EEA; (3) Data Export from a Data Controller inside the EEA to a CSP outside the EEA.]
Issues relating to international dataflows: dataflow within the EEA (1)

- The law of the country of establishment of the data controller applies to the data processing operation
- Subsequent transfers to sub-processors located within the EEA are possible within the scope of the data processing agreement
- Subsequent transfers to sub-processors located outside the EEA are in principle not possible within the scope of the data processing agreement
  - There is no P2P (processor-to-processor) Model Contract
  - The new Model Contract leaves the door partially open
  - A multiparty C2P (controller-to-processor) Model Contract offers a solution
Issues relating to international dataflows: dataflow from a data controller outside the EEA to a CSP inside the EEA (2)

- National data protection law applies if ‘means’ are applied by the data controller on the territory of a Member State
- Cumulation of applicable laws if ‘means’ are applied on the territory of several Member States
- ‘Worst case situation’, as the data controller becomes subject to data protection law due to the location of the CSP (or its subcontractors)
- Art. 29 WP Opinion 8/2010 on applicable law: this criterion has been shown to have undesirable consequences, such as a possible universal application of EU law
  - Under review for the future data protection framework
Issues relating to international dataflows: dataflow from a data controller inside the EEA to a CSP outside the EEA (3)

- The law of the country of establishment of the data controller applies to the data processing operation
- No export to countries outside the EEA, except if they offer adequate protection
  - White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  - BCR / Model Contracts
- The latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing
Practical approach to Cloud Computing

- Review the security mechanisms in place
  - Security arrangements to mitigate the risks must be in place
- Review the certification of the CSP
  - Which certificates?
  - Scope of the certificates?
  - Background on the certification process
- Perform a due diligence in relation to the CSP’s terms & conditions
  - Performance levels
  - Contractual limitations
  - Exit plan / retransition: is there an obligation to hand over the client’s data in a readily exploitable manner to the client or any subsequent service provider? Belgian law is not very helpful on this issue
Conclusion

- Cloud Computing is possible in a compliant manner in most cases
- Data security is a key issue
- International dataflows are facilitated by the latest Model Contract
- Choose the right type of Cloud Computing service in function of compliance requirements
- Security measures must be implemented and audited, especially where personal data are involved
  - Potentially expensive (for client and CSP alike)
  - Certification offers a valid solution if some precautions are taken (scope!)