19/05/2013 @kuan0

Let your lawyer do the worrying…

Cloud computing
• Legal risks - brief lawyers on:
  – what’s cloud?
    • recap
    • NB layers
    • 12 Cs; cf traditional outsourcing
  – what do you want to use it for?
    • requirements, risk tolerance
[Diagram: User ---- DropBox ---- Amazon, with the layers labelled SaaS and IaaS]
Cloud legal issues
• Lots!
  – IP, competition – no time…
  – see cloudlegalproject.org + book
• Pre-contract checks + contract
• For public sector:
  – government policy
  – CloudStore

Location
Data location, me & you
• Public sector – Gov ICT Offshoring (International Sourcing) Guidance - data location unrestricted, unless:
  – national security
  – data protection laws
• Data protection – cloud guidance
  – Article 29 WP opinion
  – UK ICO guidance

Law vs IT
[Diagram contrasting “Technical & organisational measures”, IT security & IT “data protection”, and “Data protection” (law)]
Data protection laws: “Personal data” (cf anonymous data)

EU Data Protection Directive
Data export restriction: NO transfer of PD outside the European Economic Area
Unless…
• Exception
• “Adequate protection” / “adequate safeguards”
• But problems…

So, in practice…
• Regional clouds - easy, safe
• + Names of all “sub-contractors”
• Follow this… + other DP regulators’ recommendations (eg liability chain)
[Image captions: “public cloud!”; “Gimme gimme gimme your data locations…” – image from Beeld en Geluid wiki]

Traditional outsourcing vs Cloud
• Traditional outsourcing:
  – Cook food yourself
  – Hire caterers to cook for you on your instructions
• Cloud:
  – Rent kitchen, cook food yourself
  – Get take-out or ready meal, cook it yourself
Key tensions
• “Guaranteed” security / liability
  – should be possible – but will cost!
  – cheap / free public cloud model
• Control of supply / contract chain
  – will big players be the winners?

“It’s unworkable, so just ignore it?”
Draft Data Protection Regulation
Up to 2% annual global turnover

Good intentions… Flames of hell…?
Cloud contracts

Cloud contracts
• 3 aspects:
  – pre-contract due diligence
  – contract terms
  – post-contract – monitoring etc
• See negotiated contracts article
  – “no names” interviews, FOI etc
  – Forbes report
Standard terms
• Providers’ standard terms
  – weighted; customer-appropriate?
• Negotiable? – customer / deal size
• Gov / banks - trad. IT outsourcing
  – cloud-appropriate?
• Customer process issue – bypass IT, legal!

Pre-contract due diligence
• If personal data – all sub-providers’ names; locations; security
• Lock-in and exit – practical: test data portability in advance (NB fake data!)
• Security – pen testing, certifications?
• NB backups
• + Post-contract - security audits etc
• ENISA papers (hunt!)
Contract terms
• If personal data:
  – choice of provider (security), contract requirements: “instructions”, security
• More generally, some key issues:
  – provider liability (vs price)
  – lock-in – term, termination; exit terms
  – security – confidentiality; audit rights?
  – right to change terms? (cf G-Cloud…)

G-Cloud: CloudStore
• Process - no mini-competition, no negotiation! (though fill in blanks…) - Price / MEAT
• Info - G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June)
• NB overlay approach & supplier terms:
  – get advice on own specific data type/use
  – see G-Cloud paper
Cloud / Open data / Big data

Protection of Freedoms Act
• s 102 amends FOIA
  – datasets – electronic, reusable form
  – open licensing – allow reuse (fees?)
• In force May/June…?
  – Draft Code of Practice – consultation
  – ICO publication scheme, guidance
• What datasets, how to handle?
Open data vs personal data
• Anonymise any PD before release
• Tricky! eg Sweeney etc research
• Big, eg EE / Ipsos Mori! But worthwhile
• ICO Code of Practice (full disclosure..)
  – limited controlled release, vs fully public
• UK Anonymisation Network (2 years)
  – anonymisation clinics – 28 June

STOP PRESS
• Shakespeare review of PSI, 15 May 2013
  – Deloitte market assessment
  – His summary in the Guardian
• Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…)
  – “Following best practice guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.”
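The “anonymise before release” point is easy to underestimate. The following is an added Python example, not from the slides: on a small constructed dataset it shows why dropping names still leaves every record unique on the classic quasi-identifiers (postcode, birth year, sex) highlighted by Sweeney’s research, and how coarsening those fields raises the k-anonymity of the release. The records and the generalisation rules are assumptions for illustration only.

```python
from collections import Counter

# Constructed sample "de-identified" release: names already removed, but the
# quasi-identifiers postcode, birth year and sex are published unchanged.
RECORDS = [
    {"postcode": "SW1A 1AA", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 2BB", "birth_year": 1978, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "SW1A 1AA", "birth_year": 1982, "sex": "M", "diagnosis": "flu"},
    {"postcode": "SW1A 3CC", "birth_year": 1986, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "EC1A 1BB", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"postcode": "EC1A 4CC", "birth_year": 1988, "sex": "M", "diagnosis": "diabetes"},
]
QUASI_IDS = ("postcode", "birth_year", "sex")


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest class size. k == 1 means at least one record is unique on the
    quasi-identifiers and can be linked to a person by anyone who holds them."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_records(records, quasi_ids=QUASI_IDS):
    """Number of records that are singletons on the quasi-identifiers."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)


def generalise(record):
    """Coarsen the quasi-identifiers (assumed rules): UK outward postcode only
    and birth decade instead of year; sex and the diagnosis are kept as-is."""
    return {
        **record,
        "postcode": record["postcode"].split()[0],
        "birth_year": record["birth_year"] // 10 * 10,
    }


if __name__ == "__main__":
    released = [generalise(r) for r in RECORDS]
    print("raw release:         k =", k_anonymity(RECORDS), "unique =", unique_records(RECORDS))
    print("generalised release: k =", k_anonymity(released), "unique =", unique_records(released))
```

k-anonymity is only a first check: a class whose members all share the same diagnosis still discloses it, so the coarsened release also needs the sensitive column inspected before anything is published.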
Cloud / Open data / Big data

Big data vs personal data
• Data protection compliance (eg security) & anonymisation, again…
• Less data good?
• Other issues? eg IP
New technologies and paradigms, old laws

Old laws
• Outdated assumptions
• Appropriate to new paradigms??
• But - the law is the law!
• Until laws are updated properly…
• Same ol’ strategy still sensible:
  – RRRR + EEEE
Key takeaways 1
• RRRR:
  – requirements evaluation, for
  – real life intended use
  – review & understand tech / model
  – risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case)

Key takeaways 2
• EEEE – get:
  – expert input / advice – legal, IT, risk, security, stats etc
  – based on exact data type, use case
  – explain the tech / model properly
  – early, not last minute or after!