Cloud computing: legal, privacy and contract issues
1. CLOUD COMPUTING: LEGAL ISSUES
FLORENCE APRIL 2016
Lilian Edwards
Professor of E-Governance, University of Strathclyde,
Deputy Director, CREATe
Lilian.edwards@strath.ac.uk
@lilianedwards
3. WHAT IS CLOUD COMPUTING?
Hon and Millard (2013): “a way of
delivering computing resources as a
utility service via a network, typically the
Internet, scalable up and down
according to user requirements. As such
the cloud may prove to be as disruptive
an innovation as was the emergence of
cheap electricity”.
Microsoft (2010): “cloud computing
represents a transformation of the
industry [which] will let you focus on your
business, not on running infrastructure. It
will also let you create better
applications, then deploy those
applications wherever makes the most
sense: in your own data center, at a
regional service provider, or in our global
cloud. In short, IT as a Service will let
you deliver more business value”
4. KEY FEATURES
B2B and B2C: Amazon, Microsoft, Google etc provide B2B
services; B2C examples are Gmail, Facebook, Dropbox, Blogger
Remote storage plus on demand self service by clients
Ubiquitous access to data/resources – from office,
mobile, tablet etc – also enables group distributed
working
Resource management – provides scalable and just
in time acquisition of resources by customers (“rapid
elasticity”)
Pay per use – not buy and use. Cloud provision not just
of data storage but services or more (see next). No
need for local support, upgrading etc.
Not entirely new: logical extension of (a) data
warehousing (b) outsourcing of services – involves the
complicated legal issues of both.
6. KEY LEGAL ISSUES
Data protection obligations
1. Is Cloud provider (CP) a data controller (DC)
or data processor (DP)?
Obligations – security; right to be forgotten
2. Data exports – can personal data be
“exported” from the EC into the Cloud?
How can the Cloud operate for US-based CSPs
after Schrems?
3. Security breach notification
Contract
Standard term contracts – are they fair to
users?
If not what can be done?
7. DATA PROTECTION – 1 - WHO IS
RESPONSIBLE?
Data Protection Directive (DPD)
Art 2
(d) 'controller' shall mean the natural or legal
person, public authority, agency or any other body
which alone or jointly with others determines the
purposes and means of the processing of personal
data;
(e) 'processor' shall mean a natural or legal
person, public authority, agency or any other body
which processes personal data on behalf of the
controller;
Unchanged by GDPR art 4
8. DATA PROTECTION PRINCIPLES (DPD ART 6;
GDPR, ART 5 (MAINLY) )
1. Personal Data shall be processed lawfully
and fairly. (GDPR adds transparently)
2. Personal Data shall be obtained only for
one or more specified and lawful
purposes, and shall not be further
processed in a manner incompatible with
those purposes. (“purpose limitation”)
3. Personal data shall be adequate, relevant
and not excessive in relation to the
purpose for which it was processed (“data
minimisation”)
4. Personal data shall be accurate and kept
up to date if necessary. (“accuracy”)
9. DP PRINCIPLES (CONT.)
5. Personal data shall not be kept for a longer time
than it is necessary for its purpose. (“data
retention”, now “storage limitation”)
6. Personal data can only be processed in
accordance with the rights of the data subjects.
7. Appropriate technical and organisational
measures shall be taken against unauthorised
or unlawful processing (“integrity and
confidentiality”). (Note new security obligation on
processors, art 32 GDPR)
8. Restriction on transferring personal data to
countries that do not provide adequate data
protection.
GDPR adds accountability principle.
10. DPD -> GDPR : DATA CONTROLLERS AND
PROCESSORS
DPD regarded DCs as having primary legal responsibility for meeting
DP principles and other duties and paying for breaches
Art 17(2) DPD: obligation on DCs to make sure they chose data
processors that guaranteed to meet the security obligation
DC also had to make a written contract with the DP that the DP acted only on
the DC’s instructions (art 17(3))
Cloud service providers (CSPs) mainly thought of as processors
(and sub-processors) – but great uncertainty – different types of
CSPs and circumstances.
Art 29 WP on SWIFT case – Opinion 10/2006
Held : SWIFT not just agent of Belgian banks (processor) but itself
controller
Art 29 WP Report 169, Feb 2010 definition of processor vs controller
– distinction based on “the possibility of pluralistic control (“which
alone or jointly with others”), and.. the essential elements to
distinguish the controller from other actors (“determines the purposes
and the means of the processing of personal data”). Factual not an
open choice.
11. THE CLOUD, RESPONSIBILITY AND
CONTROLLER/PROCESSOR
GDPR art 24 -28 expand on old art 17(2)
The controller shall implement appropriate technical and
organisational measures to ensure and to be able to
demonstrate that processing is performed in accordance with
this Regulation
Possibility of joint controllers made explicit in art 26 and
division of responsibilities to be “transparent”
Art 28 provides that “processor shall not engage another
processor without prior specific or general written
authorisation of the controller” with very detailed contents
mandated
Distinguishing between different CSPs as controllers,
processors or sub-processors becomes crucial.
And note the CLIENT in cloud computing will usually be solely
or jointly a controller
12. DC:DP CONTRACTS
A29 guidance and national regulator guidance (say Hon
and Millard) suggests DCs should review and conduct risk
assessment in cloud provision contracts now GDPR is
here
In particular check and give individual instructions
taking into account
Nature and sensitivity of personal data in cloud
Type of intended processing
Risk assessment for future events
Due diligence re selection of sub service providers
Clear allocation of respective responsibilities of DC and DP
Data location
Data export
The DPs security measures including logging & auditing
Hon and Millard regard as impractical – cloud providers
cannot efficiently follow detailed instructions from every client
- but should rather merely be certified generally as meeting
security standards
13. THE DEATH OF THE CLOUD IN EU?
Kitchen example: SaaS is like buying a ready meal
from M&S; Infrastructure as a S is like renting a
catering service or kitchen.
You expect to be able to give detailed and unique
instructions to the kitchen, but if you don’t like one ready
meal you buy another one.
You don’t expect or have the legal right to make M
and S make one for you with less salt, or no gluten,
or no onions – and if you could demand this , M and
S would go bust!
Hon: imagine user X (DC) using Dropbox (SaaS,
processor) built on Amazon Web Services (IaaS, sub-
processor?); the user has no interest in giving instructions
to AWS and AWS isn’t configured to deal with
requests of individual DCs.
14. HON “KILLING CLOUD QUICKLY WITH
GDPR” SCL JNL, MARCH 2016
“the GDPR would set in stone the most
prescriptive cloud-impracticable elements of
[A29] WP 196 while omitting parts of WP
196 that actually recognised how cloud
worked..
Rather than making data protection laws
truly technology-neutral, the GDPR will
perpetuate the 1970s model of
computing/outsourcing embedded in the
DPD”
15. ONE PARTICULAR OBLIGATION
“Right to be forgotten”? = right to seek erasure of PD
GDPR Reg, art 17-19
For hosts not just search engines!
But for controllers or processors?
Right to “obtain from the DC the erasure of [their]
personal data” where processing out of data, consent
withdrawn, unlawful etc (art 17(1)).
But also “the controller, taking account of available
technology and the cost of implementation, shall take
reasonable steps, including technical measures, to
inform controllers which are processing the personal
data that the data subject has requested the erasure by
such controllers of any links to, or copy or replication of,
those personal data”
What kind of obligation is this for CSPs? And which
ones? Will they have to consider exceptions art 17(3)?
16. DP – 2 – DATA EXPORTS & LEA ACCESS
DP 8th principle in DPD
“Personal Data shall not be transferred to a country outside
the European Economic Area, unless that country or
territory ensures an adequate level of protection for the
rights and freedoms of Data subjects in relation to the
processing of personal data”.
Challenge for the Cloud where data often held outside EU,
in varying and changing locations (not always known to user
OR CSP). Especially in US!
NB EU DP law may be held to apply to non EU DC by virtue
of art 4 (has an EU establishment (expanded after Google
Spain v Costeja); or uses “equipment” in EU other than
merely for transit (eg wires, cookies);
17. DP-2- EXPORT AND LEA ACCESS
Export outside EU allowed by DPD if
Finding of “adequacy” (art 25) (11 states)
US safe harbor membership
Art 26 – use of model contractual clauses issued by EU
Comm or BCRs
Unambiguous consent – but high standard (free, informed);
also revocable; DC may not be the data subject but
processing data of others (eg posting FB group photo)
A29 questioned use of art 26 exemptions in Cloud transfers
if transfers “massive, recurrent or structural”;
Schrems decision (CJEU, 2015 case C362/14) held safe
harbor invalid because of post Snowden awareness that
US laws - FISA , Patriot Act – allowed NSA and other
agencies access to personal data held in servers in US and
controlled by US companies. And US public authorities
could not be made subject to EU oversight by EU
contracts.
“compromises the essence of the fundamental right to private
life” .. “To effective judicial protection”
18. DP – 2 – FALLOUT
Schrems resulted in safe harbour declared invalid
Very bad for non EU CP B2B business – reports of
EU businesses withdrawing contracts
Very bad for B2C trust
Law?
Attempt to replace safe harbour with “Privacy
Shield” (February 2016)
Some improvements eg an ombudsman for EU
data subjects to go to
But no fundamental change in US law
-> April 2016 A29 WP essentially declared Privacy
Shield still unsatisfactory
-> CJEU?
19. DP- 2- ALTERNATE GROUNDS FOR TRANSFER
OF DATA TO US
Varying from EU DPA to DPA
Schleswig-Holstein eg immediately declared all alternate
grounds – standard contract terms, BCRs etc – equally
invalid on grounds essentially that US could not provide
the safeguards these forms depend on as a substitute for
“adequacy”
All need “enforceable data subject rights and effective
legal remedies for data subject” (GDPR)
All German DPAs have however agreed that explicit user
consent remains valid pro tem
BUT
Note A29 warnings re “massive, structural” exports of PD
reliant only on consent and GDPR art 49(1) reference to such
(non-repetitive limited transfers)
US unlikely to change law further?
Best solutions- build Clouds in EU? Demand them?
Deutschebank, Microsoft in Germany
20. DP – 3- SECURITY BREACH OBLIGATIONS
GDPR art 33
Controllers must notify the DPA of a data breach
“without undue delay and, where feasible, no later than 72 hours
after having become aware of it” (unless the breach is “unlikely to
result in a risk for the rights and freedoms of individuals”).
Controllers must notify data subjects of a breach where it
creates a “high risk to the rights and freedoms of individuals”
although exceptions can apply.
Fines up to 4% annual turnover or 20 m Euro may apply for
some breaches
For the first time in GDPR, Data Processors have an independent
security obligation so may be subject to these fines
(CSPs??) and a breach notification obligation to the DC, art 33(2)
Level of fine linked to speedy mitigation so CSPs should be on
alert..
Fights over indemnities/allocation of blame in cloud contracts
may get more heated?
21. CONTRACT
Distinguish
Standard term contract service provision
Negotiated contract service provision
This cannot be easily mapped as B2B, B2C – eg many SMEs
and public sector bodies, such as universities, will use Gmail.
Distinguish “free”/paying ToS – former likely to have more
freedom!
Terms of service (ToS) survey by Bradshaw, Millard,
Walden 2010-2013 found many problematic standard
terms even in non-free services
Very comprehensive limitation of liability clauses, even
including liability for poor security by CP
Governing law that of US states (to exclude unfair terms
law?). Location of actual servers often not specified.
Monitoring of customer activity
Right to vary ToS unilaterally, or terminate unilaterally without
retaining customer data
Note that German and French courts are starting to knock down
unfair terms in digital standard form B2C contracts!
Editor's Notes
Implications for how much control the user has ---
Eg Software as a Service, eg Dropbox, Salesforce – customer can’t control any of the non-local infrastructure or settings or security by and large, eg where data is stored, so security is mainly the job of the cloud provider
PaaS – delivers operating system plus services over the net – no need to download or update. Typically just key services, not the whole infrastructure. Eg Java development
Cf Infrastructure as a Service – like buying a server: hardware, OS, apps and data, only it’s not in your office – full control to user – eg Amazon Elastic Cloud – user typically takes responsibility for the security of all but the basic remote infrastructure