CLOUD COMPUTING: LEGAL ISSUES
FLORENCE APRIL 2016
Lilian Edwards
Professor of E-Governance, University of Strathclyde,
Deputy Director, CREATe
Lilian.edwards@strath.ac.uk
@lilianedwards
WHAT IS CLOUD COMPUTING?
- Hon and Millard (2013): “a way of delivering computing resources as a utility service via a network, typically the Internet, scalable up and down according to user requirements. As such the cloud may prove to be as disruptive an innovation as was the emergence of cheap electricity”.
- Microsoft (2010): “cloud computing represents a transformation of the industry [which] will let you focus on your business, not on running infrastructure. It will also let you create better applications, then deploy those applications wherever makes the most sense: in your own data center, at a regional service provider, or in our global cloud. In short, IT as a Service will let you deliver more business value”.
KEY FEATURES
- B2B and B2C: Amazon, Microsoft, Google etc. offer B2B services; B2C examples are Gmail, Facebook, Dropbox, Blogger.
- Remote storage plus on-demand self-service by clients.
- Ubiquitous access to data/resources – from office, mobile, tablet etc. – which also enables distributed group working.
- Resource management – provides scalable, just-in-time acquisition of resources by customers (“rapid elasticity”).
- Pay per use – not buy and use. Cloud provision covers not just data storage but services or more (see next). No need for local support, upgrading etc.
- Not entirely new: a logical extension of (a) data warehousing and (b) outsourcing of services – and it inherits the complicated legal issues of both.
CLOUD COMPUTING MODELS
KEY LEGAL ISSUES
- Data protection obligations
  - 1. Is the Cloud provider (CP) a data controller (DC) or a data processor (DP)?
    - Obligations – security; right to be forgotten
  - 2. Data exports – can personal data be “exported” from the EC into the Cloud?
    - How can the Cloud operate for US-based CSPs after Schrems?
  - 3. Security breach notification
- Contract
  - Standard term contracts – are they fair to users?
  - If not, what can be done?
DATA PROTECTION – 1 – WHO IS RESPONSIBLE?
- Data Protection Directive (DPD), Art 2:
  - (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  - (e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
- Unchanged by GDPR art 4
DATA PROTECTION PRINCIPLES (DPD ART 6; GDPR ART 5 (MAINLY))
1. Personal data shall be processed lawfully and fairly. (GDPR adds “transparently”.)
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes. (“purpose limitation”)
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it was processed. (“data minimisation”)
4. Personal data shall be accurate and kept up to date if necessary. (“accuracy”)
DP PRINCIPLES (CONT.)
5. Personal data shall not be kept for longer than is necessary for its purpose. (“data retention”, now “storage limitation”)
6. Personal data can only be processed in accordance with the rights of the data subjects.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing (“integrity and confidentiality”). (Note the new security obligation on processors, art 32 GDPR.)
8. Restriction on transferring personal data to countries that do not provide adequate data protection.
GDPR adds an accountability principle.
DPD -> GDPR: DATA CONTROLLERS AND PROCESSORS
- The DPD regarded DCs as having primary legal responsibility for meeting the DP principles and other duties, and for paying for breaches.
- Art 17(2) DPD: obligation on DCs to make sure they chose data processors who guaranteed to meet the security obligation.
- The DC also had to make a written contract with the DP providing that the DP acted only on the DC’s instructions (art 17(3)).
- Cloud service providers (CSPs) were mainly thought of as processors (and sub-processors) – but with great uncertainty, given the different types of CSPs and circumstances.
- Art 29 WP on the SWIFT case – Opinion 10/2006
  - Held: SWIFT was not just the agent of the Belgian banks (processor) but itself a controller.
- Art 29 WP Report 169, Feb 2010, definition of processor vs controller – distinction based on “the possibility of pluralistic control (“which alone or jointly with others”), and ... the essential elements to distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”)”. This is a question of fact, not an open choice.
THE CLOUD, RESPONSIBILITY AND CONTROLLER/PROCESSOR
- GDPR arts 24-28 expand on old art 17(2):
  - “The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”
- The possibility of joint controllers is made explicit in art 26, and the division of responsibilities is to be “transparent”.
- Art 28 provides that the “processor shall not engage another processor without prior specific or general written authorisation of the controller”, with very detailed contract contents mandated.
- Distinguishing between different CSPs as controllers, processors or sub-processors becomes crucial.
- And note that the CLIENT in cloud computing will usually be solely or jointly a controller.
DC:DP CONTRACTS
A29 guidance and national regulator guidance (say Hon and Millard) suggest DCs should review cloud provision contracts and conduct a risk assessment now that the GDPR is here.
- In particular, check and give individual instructions taking into account:
  - Nature and sensitivity of personal data in the cloud
  - Type of intended processing
  - Risk assessment for future events
  - Due diligence re selection of sub-service providers
  - Clear allocation of the respective responsibilities of DC and DP
  - Data location
  - Data export
  - The DP’s security measures, including logging and auditing
- Hon and Millard regard this as impractical – cloud providers cannot efficiently follow detailed instructions from every client – and argue they should instead merely be certified generally as meeting security standards.
THE DEATH OF THE CLOUD IN EU?
- Kitchen example: SaaS is like buying a ready meal from M&S; Infrastructure as a Service is like renting a catering service or kitchen.
- You expect to be able to give detailed and unique instructions to a kitchen, but if you don’t like one ready meal you buy another one.
- You don’t expect, or have the legal right, to make M&S make one for you with less salt, or no gluten, or no onions – and if you could demand this, M&S would go bust!
- Hon: imagine user X (DC) using Dropbox (SaaS, processor) built on Amazon Web Services IaaS (sub-processor?); the user has no interest in giving instructions to AWS, and AWS isn’t configured to deal with requests from individual DCs.
HON, “KILLING CLOUD QUICKLY WITH GDPR”, SCL JOURNAL, MARCH 2016
- “the GDPR would set in stone the most prescriptive cloud-impracticable elements of [A29] WP 196 while omitting parts of WP 196 that actually recognised how cloud worked ...
- Rather than making data protection laws truly technology-neutral, the GDPR will perpetuate the 1970s model of computing/outsourcing embedded in the DPD”
ONE PARTICULAR OBLIGATION
- “Right to be forgotten”? = right to seek erasure of personal data (PD)
- GDPR, arts 17-19
- Applies to hosts, not just search engines!
- But to controllers or processors?
- Right to “obtain from the DC the erasure of [their] personal data” where the processing is no longer needed, consent is withdrawn, processing is unlawful, etc. (art 17(1)).
- But also: “the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”
- What kind of obligation is this for CSPs? And which ones? Will they have to consider the exceptions in art 17(3)?
DP – 2 – DATA EXPORTS & LEA ACCESS
- DP 8th principle in the DPD:
  - “Personal Data shall not be transferred to a country outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data subjects in relation to the processing of personal data”.
- A challenge for the Cloud, where data is often held outside the EU, in varying and changing locations (not always known to the user OR the CSP). Especially in the US!
- NB EU DP law may be held to apply to a non-EU DC by virtue of art 4: where it has an EU establishment (expanded after Google Spain v Costeja), or uses “equipment” in the EU other than merely for transit (eg wires, cookies).
DP – 2 – EXPORT AND LEA ACCESS (CONT.)
- Export outside the EU is allowed by the DPD if:
  - Finding of “adequacy” (art 25) (11 states)
  - US safe harbor membership
  - Art 26 – use of model contractual clauses issued by the EU Commission, or BCRs
  - Unambiguous consent – but a high standard (free, informed); also revocable; and the DC may not be the data subject but may be processing the data of others (eg posting a Facebook group photo)
- A29 questioned the use of the art 26 exemptions for Cloud transfers if the transfers are “massive, recurrent or structural”.
- The Schrems decision (CJEU, 2015, case C-362/14) held safe harbor invalid because of post-Snowden awareness that US laws – FISA, the Patriot Act – allowed the NSA and other agencies access to personal data held on servers in the US and controlled by US companies. And US public authorities could not be made subject to EU oversight by EU contracts.
  - This “compromises the essence of the fundamental right to private life” ... “to effective judicial protection”
DP – 2 – FALLOUT
- Schrems resulted in safe harbour being declared invalid
- Very bad for non-EU CP B2B business – reports of EU businesses withdrawing contracts
- Very bad for B2C trust
- Law?
  - Attempt to replace safe harbour with the “Privacy Shield” (February 2016)
  - Some improvements, eg an ombudsman for EU data subjects to go to
  - But no fundamental change in US law
  - -> April 2016: A29 WP essentially declared the Privacy Shield still unsatisfactory
  - -> CJEU?
DP – 2 – ALTERNATE GROUNDS FOR TRANSFER OF DATA TO US
- Varies from EU DPA to DPA
- Schleswig-Holstein, eg, immediately declared all alternate grounds – standard contract terms, BCRs etc. – equally invalid, essentially on the ground that the US could not provide the safeguards these forms depend on as a substitute for “adequacy”
- All need “enforceable data subject rights and effective legal remedies for data subjects” (GDPR)
- All German DPAs have however agreed that explicit user consent remains valid pro tem
- BUT
  - Note the A29 warnings re “massive, structural” exports of PD reliant only on consent, and the GDPR art 49(1) reference to such exports (non-repetitive, limited transfers)
- US unlikely to change its law further?
- Best solutions – build Clouds in the EU? Demand them? Deutsche Bank, Microsoft in Germany
DP – 3 – SECURITY BREACH OBLIGATIONS
- GDPR art 33
- Controllers must notify the DPA of a data breach
  - “without undue delay and, where feasible, no later than 72 hours after having become aware of it” (unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”).
- Controllers must notify data subjects of a breach where it creates a “high risk to the rights and freedoms of individuals”, although exceptions can apply.
- Fines of up to 4% of annual turnover or 20 million euro may apply for some breaches.
- For the first time, under the GDPR data processors have an independent security obligation, so may be subject to these fines (CSPs??), and a breach notification obligation to the DC, art 33(2).
- The level of fine is linked to speedy mitigation, so CSPs should be on alert ...
- Fights over indemnities/allocation of blame in cloud contracts may get more heated?
CONTRACT
- Distinguish
  - Standard term contract service provision
  - Negotiated contract service provision
- This cannot be easily mapped onto B2B vs B2C – eg many SMEs and public sector bodies, such as universities, will use Gmail.
- Distinguish “free” vs paying ToS – the former are likely to have more freedom!
- A terms of service (ToS) survey by Bradshaw, Millard and Walden (2010-2013) found many problematic standard terms even in non-free services:
  - Very comprehensive limitation of liability clauses, even excluding liability for poor security by the CP
  - Governing law that of US states (to exclude unfair terms law?). Location of actual servers often not specified.
  - Monitoring of customer activity
  - Right to vary the ToS unilaterally, or terminate unilaterally without retaining customer data
- Note that German and French courts are starting to knock down unfair terms in digital standard form B2C contracts!

Cloud computing: legal, privacy and contract issues

  • 1. CLOUD COMPUTING: LEGAL ISSUES FLORENCE APRIL 2016 Lilian Edwards Professor of E-Governance, University of Strathclyde, Deputy Director, CREATe Lilian.edwards@strath.ac.uk @lilianedwards
  • 2.
  • 3. WHAT IS CLOUD COMPUTING?  Hon and Millard (2013): “a way of delivering computing resources as a utility service via a network, typically the Internet, scalable up and down according to user requirements. As such the cloud may prove to be as disruptive an innovation as was the emergence of cheap electricity”.  Microsoft (2010) : “cloud computing represents a transformation of the industry [which] will let you focus on your business, not on running infrastructure. It will also let you create better applications, then deploy those applications wherever makes the most sense: in your own data center, at a regional service provider, or in our global cloud. In short, IT as a Service will let you deliver more business value”
  • 4. KEY FEATURES  B2B and B2C : Amazon, Microsoft, Google etc B2B services; B2C - Gmail, Facebook, Dropbox, Blogger  Remote storage plus on demand self service by clients  Ubiquitous access to data/resources – from office, mobile, tablet etc – also enables group distributed working  Resource management – provides scaleable and just in time acquisition of resources by customers (“rapid elasticity”)  Pay per use – not buy and use. Cloud provision not just of data storage but services or more (see next). No need for local support, upgrading etc.  Not entirely new: logical extension of (a) data warehousing (b) outsourcing of services – involves the complicated legal issues of both.
  • 6. KEY LEGAL ISSUES
    - Data protection obligations
      1. Is the Cloud provider (CP) a data controller (DC) or a data processor (DP)?
         Obligations – security; right to be forgotten
      2. Data exports – can personal data be “exported” from the EC into the Cloud?
         How can the Cloud operate for US-based CSPs after Schrems?
      3. Security breach notification
    - Contract
      - Standard term contracts – are they fair to users?
      - If not, what can be done?
  • 7. DATA PROTECTION – 1 – WHO IS RESPONSIBLE?
    - Data Protection Directive (DPD), Art 2:
      (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
      (e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
    - Unchanged by GDPR art 4
  • 8. DATA PROTECTION PRINCIPLES (DPD ART 6; GDPR ART 5 (MAINLY))
    1. Personal data shall be processed lawfully and fairly. (GDPR adds “transparently”)
    2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes. (“purpose limitation”)
    3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed. (“data minimisation”)
    4. Personal data shall be accurate and kept up to date where necessary. (“accuracy”)
  • 9. DP PRINCIPLES (CONT.)
    5. Personal data shall not be kept for longer than is necessary for its purpose. (“data retention”, now “storage limitation”)
    6. Personal data can only be processed in accordance with the rights of the data subjects.
    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing. (“integrity and confidentiality”) (Note the new security obligation on processors, art 32 GDPR)
    8. Restriction on transferring personal data to countries that do not provide adequate data protection.
    - GDPR adds an accountability principle.
  • 10. DPD -> GDPR: DATA CONTROLLERS AND PROCESSORS
    - The DPD regarded DCs as having primary legal responsibility for meeting the DP principles and other duties, and for paying for breaches
    - Art 17(2) DPD: obligation on DCs to make sure they chose data processors who guaranteed to meet the security obligation
    - The DC also had to make a written contract with the DP providing that the DP acted only on the DC’s instructions (art 17(3))
    - Cloud service providers (CSPs) were mainly thought of as processors (and sub-processors) – but with great uncertainty, given the different types of CSPs and circumstances
    - Art 29 WP on the SWIFT case – Opinion 10/2006. Held: SWIFT was not just an agent of the Belgian banks (processor) but itself a controller
    - Art 29 WP Report 169, Feb 2010, definition of processor vs controller – distinction based on “the possibility of pluralistic control (“which alone or jointly with others”), and.. the essential elements to distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”). This is a factual question, not an open choice.
  • 11. THE CLOUD, RESPONSIBILITY AND CONTROLLER/PROCESSOR
    - GDPR arts 24-28 expand on old art 17(2)
    - “The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”
    - The possibility of joint controllers is made explicit in art 26, and the division of responsibilities is to be “transparent”
    - Art 28 provides that the “processor shall not engage another processor without prior specific or general written authorisation of the controller”, with very detailed contents mandated
    - Distinguishing between different CSPs as controllers, processors or sub-processors becomes crucial.
    - And note that the CLIENT in cloud computing will usually be solely or jointly a controller
  • 12. DC:DP CONTRACTS
    - A29 guidance and national regulator guidance (say Hon and Millard) suggest DCs should review and conduct a risk assessment of cloud provision contracts now that the GDPR is here
    - In particular, check and give individual instructions taking into account:
      - Nature and sensitivity of the personal data in the cloud
      - Type of intended processing
      - Risk assessment for future events
      - Due diligence re selection of sub-service providers
      - Clear allocation of the respective responsibilities of DC and DP
      - Data location
      - Data export
      - The DP’s security measures, including logging and auditing
    - Hon and Millard regard this as impractical – cloud providers cannot efficiently follow detailed instructions from every client – and argue they should rather merely be certified generally as meeting security standards
  • 13. THE DEATH OF THE CLOUD IN EU?
    - Kitchen example: SaaS is like buying a ready meal from M&S; Infrastructure as a Service is like renting a catering service or kitchen.
    - You expect to be able to give detailed and unique instructions to a kitchen, but if you don’t like one ready meal you buy another one.
    - You don’t expect, or have the legal right, to make M&S make one for you with less salt, or no gluten, or no onions – and if you could demand this, M&S would go bust!
    - Hon: imagine user X (DC) using Dropbox (SaaS, processor) built on Amazon Web Services (IaaS, sub-processor?); the user has no interest in giving instructions to AWS, and AWS isn’t configured to deal with requests from individual DCs.
  • 14. HON, “KILLING CLOUD QUICKLY WITH GDPR”, SCL JOURNAL, MARCH 2016
    - “the GDPR would set in stone the most prescriptive cloud-impracticable elements of [A29] WP 196 while omitting parts of WP 196 that actually recognised how cloud worked.. Rather than making data protection laws truly technology-neutral, the GDPR will perpetuate the 1970s model of computing/outsourcing embedded in the DPD”
  • 15. ONE PARTICULAR OBLIGATION
    - “Right to be forgotten”? = right to seek erasure of PD
    - GDPR arts 17-19
    - For hosts, not just search engines!
    - But for controllers or processors?
    - Right to “obtain from the DC the erasure of [their] personal data” where the processing is out of date, consent is withdrawn, processing is unlawful, etc. (art 17(1)).
    - But also: “the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”
    - What kind of obligation is this for CSPs? And which ones? Will they have to consider the exceptions in art 17(3)?
  • 16. DP – 2 – DATA EXPORTS & LEA ACCESS
    - DP 8th principle in the DPD: “Personal Data shall not be transferred to a country outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data subjects in relation to the processing of personal data”.
    - A challenge for the Cloud, where data are often held outside the EU, in varying and changing locations (not always known to the user OR the CSP). Especially in the US!
    - NB EU DP law may be held to apply to a non-EU DC by virtue of art 4: it has an EU establishment (expanded after Google Spain v Costeja), or it uses “equipment” in the EU other than merely for transit (eg wires, cookies).
  • 17. DP – 2 – EXPORT AND LEA ACCESS
    - Export outside the EU allowed by the DPD if:
      - Finding of “adequacy” (art 25) (11 states)
      - US safe harbor membership
      - Art 26 – use of model contractual clauses issued by the EU Commission, or BCRs
      - Unambiguous consent – but a high standard (free, informed); also revocable; the DC may not be the data subject but may be processing the data of others (eg posting a FB group photo)
    - A29 questioned the use of the art 26 exemptions in Cloud transfers if transfers are “massive, recurrent or structural”
    - Schrems decision (CJEU, 2015, Case C-362/14) held safe harbor invalid because of post-Snowden awareness that US laws – FISA, Patriot Act – allowed the NSA and other agencies access to personal data held in servers in the US and controlled by US companies. And US public authorities could not be made subject to EU oversight by EU contracts.
    - “compromises the essence of the fundamental right to private life” .. “to effective judicial protection”
  • 18. DP – 2 – FALLOUT
    - Schrems resulted in safe harbour being declared invalid
    - Very bad for non-EU CP B2B business – reports of EU businesses withdrawing contracts
    - Very bad for B2C trust
    - Law?
    - Attempt to replace safe harbour with “Privacy Shield” (February 2016)
    - Some improvements, eg an ombudsman for EU data subjects to go to
    - But no fundamental change in US law
    - -> April 2016: A29 WP essentially declared Privacy Shield still unsatisfactory
    - -> CJEU?
  • 19. DP – 2 – ALTERNATE GROUNDS FOR TRANSFER OF DATA TO US
    - Varying from EU DPA to DPA
    - Schleswig-Holstein, eg, immediately declared all alternate grounds – standard contract terms, BCRs etc – equally invalid, on the grounds essentially that the US could not provide the safeguards these forms depend on as a substitute for “adequacy”
    - All need “enforceable data subject rights and effective legal remedies for data subjects” (GDPR)
    - All German DPAs have however agreed that explicit user consent remains valid pro tem
    - BUT note A29 warnings re “massive, structural” exports of PD reliant only on consent, and the GDPR art 49(1) reference to such (non-repetitive, limited transfers)
    - US unlikely to change law further?
    - Best solutions – build Clouds in the EU? Demand them? Deutsche Bank, Microsoft in Germany
  • 20. DP – 3 – SECURITY BREACH OBLIGATIONS
    - GDPR art 33
    - Controllers must notify the DPA of a data breach “without undue delay and, where feasible, no later than 72 hours after having become aware of it” (unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”).
    - Controllers must notify data subjects of a breach where it creates a “high risk to the rights and freedoms of individuals”, although exceptions can apply.
    - Fines of up to 4% of annual turnover or 20 m Euro may apply for some breaches
    - For the first time, under the GDPR data processors have an independent security obligation, so they may be subject to these fines (CSPs??) and have a breach notification obligation to the DC, art 33(2)
    - The level of fine is linked to speedy mitigation, so CSPs should be on alert..
    - Fights over indemnities/allocation of blame in cloud contracts may get more heated?
  • 21. CONTRACT
    - Distinguish:
      - Standard term contract service provision
      - Negotiated contract service provision
    - This cannot be easily mapped onto B2B/B2C – eg many SMEs and public sector bodies, such as universities, will use Gmail.
    - Distinguish “free” and paying ToS – the former likely to have more freedom!
    - Terms of service (ToS) survey by Bradshaw, Millard and Walden, 2010-2013, found many problematic standard terms even in non-free services:
      - Very comprehensive limitation of liability clauses, even including liability for poor security by the CP
      - Governing law that of US states (to exclude unfair terms law?). Location of actual servers often not specified.
      - Monitoring of customer activity
      - Right to vary ToS unilaterally, or terminate unilaterally without retaining customer data
    - Note that German and French courts are starting to knock down unfair terms in digital standard form B2C contracts!

Editor's Notes

  1. Implications for how much control the user has:
    - Software as a Service (eg Dropbox, Salesforce) – the customer can’t control any of the non-local infrastructure, settings or security by and large (eg where data is stored), so security is mainly the job of the cloud provider.
    - PaaS – delivers an operating system plus services over the net – no need to download or update. Typically just key services, not the whole infrastructure. Eg Java development.
    - Cf Infrastructure as a Service – like buying a server (hardware, OS, apps and data), only it’s not in your office – full control to the user – eg Amazon Elastic Cloud – the user typically takes responsibility for the security of all but the basic remote infrastructure.