Privacy, Data Protection and Cloud Computing
16 July 2014
Professor Ian Walden
Centre for Commercial Law Studies, Queen Mary, University of London
www.cloudlegal.ccls.qmul.ac.uk
Presentation at the OII Doctoral Summer School

Introductory remarks
 Understanding privacy and data protection laws
 Understanding cloud computing
 Personal data
 Controllers, processors & others?
 Location, location, location
 Law enforcement access

Privacy laws
 Different cultural values and practices
Identity, autonomy, personal development, establish & develop relationships, reputation, democracy…
 A constellation of legal rights
Constitutional, statutory, tortious, equitable, proprietary…
o Charter, art. 7: “Everyone has the right to respect for his or her private and family life, home and communications”
 Private (and public) realms
‘reasonable expectation of privacy’
o e.g. Gmail
 Permitted interferences
e.g. national security, protection of rights of others

Data protection laws
 Responding to the capabilities of ICTs
Council of Europe Convention 1981
o Processing principles: data quality & data subject rights
EU Directives 95/46/EC & 02/58/EC
o Charter, Article 8
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Draft Regulation
o Implications for cloud

Cloud computing?
 ‘X as a Service’
 SaaS, PaaS, IaaS...
 Flexible, location-independent (-ish), on-demand, shared, virtualised
 Cloud multi-layered ecosystem
 Service providers
 Cloud infrastructure providers
o Amazon Web Services
 Communication providers
 Deployment models
 Public, private, community & hybrid

Virtualisation and abstraction
 Hypervisor or Virtual Machine Monitor
Physical server / host OS: (shared) processor, memory, network, storage
 Linux, Unix, Windows…

Possible architectures: cloud layers or “stack”
[Diagram: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) architectures, each drawn as layers stacked on cloud infrastructure]
From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Deployment models: private, community, public and hybrid clouds…

Key features relevant to data protection law
 Distributed storage
‘Sharding’, ‘chunking’ & ‘partitioning’
 Data replication
For performance, availability, back-up & redundancy
 Data deletion
 System & service design: Cloud supply chain
“Stack”
Ancillary services, e.g. apps integration
 Resources: shared, third party

‘Personal data’ in the clouds
 ‘identified or identifiable natural person…’
‘sensitive data’
o Recital 26: “whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
 Anonymisation & pseudonymisation techniques
deletion/omission; substitution, aggregation, addition
 As processing
Big data analytics
Paul Ohm: ‘Broken promises of privacy’ (2009)
 Encrypted data
What is “good enough”?
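An added example, not from the slides, that makes the Recital 26 test and the “good enough” question concrete: it applies omission, substitution (an unkeyed hash beside a keyed HMAC) and aggregation to a constructed customer record set, then checks whether someone holding a plausible candidate list but not the controller's key can recover the identity. Record values, field names, the key and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample: a small customer record set held in a cloud service.
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "region": "eu-west", "purchases": 3},
    {"email": "bob@example.com", "region": "eu-west", "purchases": 1},
    {"email": "carol@example.com", "region": "us-east", "purchases": 7},
]

# Assumed: a secret held by the controller, outside the cloud provider's reach.
CONTROLLER_KEY: bytes = secrets.token_bytes(32)


def omit(record: Dict, fields: Iterable[str] = ("email",)) -> Dict:
    """Deletion/omission: drop the direct identifier fields entirely."""
    return {k: v for k, v in record.items() if k not in set(fields)}


def substitute_unkeyed(email: str) -> str:
    """Substitution by plain SHA-256: deterministic and needs no secret,
    so anyone with the same function can recompute it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def substitute_keyed(email: str, key: bytes = CONTROLLER_KEY) -> str:
    """Substitution by HMAC-SHA256: recomputable only by a key holder."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: Iterable[str],
               fn: Callable[[str], str]) -> Optional[str]:
    """The Recital 26 question: can 'any other person' who holds a list of
    plausible identities and the substitution function recover the person
    behind a token? Returns the matching identity or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def aggregate(records: Iterable[Dict], min_group: int = 2) -> Dict[str, int]:
    """Aggregation: publish counts per region, suppressing any group smaller
    than min_group so that a single person cannot be singled out."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["region"]] = counts.get(r["region"], 0) + 1
    return {k: v for k, v in counts.items() if v >= min_group}
```

Run against the sample, the unkeyed token is recovered from the candidate list while the keyed token is not, which is the practical difference between a pseudonym that still identifies and one that does not.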
Regulated entities
 Controllers, processors & sub-processors
‘determine purpose & means’
o Google Spain v AEPD (ECJ, May 2014)
o Draft Regulation: Joint and several liability
 Cloud customer & provider(s)
Customer’s data / metadata
o Not even ‘processor’?
o Infrastructure providers – IaaS, PaaS, SaaS
 End-to-end accountability, not binary controller/processor?
 eCommerce Directive (00/31/EC) approach?
o Liability safe harbour: Mere conduit, hosting & caching

Applicable law
 ‘Establishment’: corporate structure / operations
Own data centre or 3rd party data centre in EEA?
‘in the context of the activities’
o Google Spain v AEPD (ECJ, May 2014)
 ‘Equipment’ / ‘means’ and EEA data centre
Use of EEA data centre by non-EEA customer or cloud provider
o ‘Transit’ exception – ‘follow the sun’
Cloud support services

Data export
 Can cloud customer control where its data are stored in the clouds?
 It depends!
 Sometimes no choice
 Regions (but, what is contractual status?)
 Sometimes locally by default
 Within the EEA
Lack of harmonisation
Draft Regulation: ‘One-stop-shop’
 Public cloud may not be appropriate for regulated data

‘Where’: The way forward?
 EEA Regional Cloud
e.g. AWS Regions, Microsoft
o e.g. ‘Schengen data area’ (ATOS) or ‘Schengen routing’ (DT)
 Country of origin (intra EEA)
Draft Regulation: ‘main establishment’
 Targeting (extra EEA)
Draft Regulation: Offering goods & services or monitoring behaviour of EU residents
 End-to-end accountability
Technical: e.g. location of encryption keys
Legal: e.g. model contracts & BCRs

Law enforcement access
 Commercial secrecy and privacy threats
From organised crime to law enforcement
o The ‘Patriot Act’ problem
 An exercise of powers
Legality & enforceability
 Questions of vires and regulatory boundaries
Obligations to assist
Jurisdictional reach
o Search & seizure: Microsoft (2014)
Evidential impact?

Dealing with law enforcement
 Request recipients
EU: ‘electronic communication services’ & ‘information society services’
o e.g. Yahoo! Belgium (2011)
US: providers of ‘electronic communication services’ and ‘remote computing services’ (18 U.S.C. § 2703)
 Obligations to assist
Directive 02/58/EC, art. 5(1) & art. 15(1): interception
o Existing capability or build obligation?
Directive 06/24/EC: data retention
o Digital Rights Ireland v Ireland (ECJ, April 2014)
o UK: Data Retention and Investigatory Powers Bill

Law enforcement powers
 Law enforcement access
Data ‘at rest’ & ‘in transmission’
Obtaining data: Covert & coercive investigative techniques
o in its ‘possession or control’: Rackspace (2013), Verizon (2014)
 ‘Exercising a power’
Permissible & impermissible conduct
o e.g. entrapment
 Expedited preservation, retention & delivery-up
Obtaining authorisation
o Judicial, executive or administrative

Law enforcement powers
 Issues of legality & enforceability
Executing the authorisation
o e.g. Microsoft (2014)
Recipient’s actions
o e.g. Rackspace (2004)
 Interference with rights
‘conditions and safeguards’
o Notification: Pre & Post
o Oversight regime: ‘judicial or other independent supervision’
o Jurisdiction limitations

International co-operation
 Mutual legal assistance
From harmonisation to mutual recognition
o Convention on Cybercrime
o TFEU, art. 82: European Evidence Warrant & European Investigation Order
 Informal co-operation with foreign LEAs
Proactive disclosure & 24/7 networks
 Direct liaison with foreign service providers
Voluntary disclosures by cloud providers
o e.g. Google ‘Transparency Report’, Microsoft, Twitter, Vodafone
o Cloud contractual provisions on disclosure
 Engage directly with the material sought

Concluding remarks & questions?