Data Protection Jurisdiction and International Transfers in Cloud Computing
1. Institute of Advanced Legal Studies 1 November 2011
Data Protection Jurisdiction and
International Data Transfers in
Cloud Computing
Julia Hörnle
Kuan Hon
Cloud Legal Project
Centre for Commercial Law Studies, Queen Mary, University of London
cloudlegalproject.org
2. Outline
Cloud Legal Project
Cloud computing
Data protection jurisdiction
International data transfers
6. What is cloud computing?
IT resources over network, scalable on demand
US NIST service models
Software as a Service (SaaS) – incl. storage (eg. Salesforce;
Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google
Apps, Microsoft Office 365; Facebook, Flickr)
o Storage as a Service (also SaaS!) = convenient way of storing / backing-up
data online (eg. box.net)
Infrastructure as a Service (IaaS) (eg. Amazon Web Services,
Rackspace) – compute, storage
Platform as a Service (PaaS) (eg. Google App Engine,
Microsoft Windows Azure, Force.com)
Classification may depend on viewpoint
8. Cloud layers/‘stack’– different possible
architectures, possible hidden layers
--> Who holds user’s data? Where?
[Diagram: Software as a Service (SaaS) Architectures, Platform as a Service (PaaS) Architectures and Infrastructure as a Service (IaaS) Architectures, each shown as stacks of SaaS / PaaS / IaaS layers on Cloud Infrastructure. Annotations: "+ SaaS"; "+ physical infrastructure for each!"]
From
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
9. Key cloud computing features relevant
to data protection law
Multiple providers? (layers)
Data replication, deletion
Sharding/chunking/fragmentation
Location – multiple; changing?
Design - provider access; encryption
Use of/dependence on shared, third
party resources, incl connectivity
10. Some possible contractual structures
User Provider Sub-provider
User Integrator Provider
Integrator
User
Provider
12. When do EU data protection laws
apply to a cloud user/controller?
Laws applied based on:
'Establishment'/'context
o More than one law may apply!
o Google Video case/Italy
o Article 29 WP 179
o Incl. through third party
Public international law
'Use' of EEA 'equipment'/'means'
o But transit?
13. When do EU data protection laws
apply to a cloud user/controller?
Cookies ('equipment') – SaaS
Use, by non-EEA customer, of:
EEA data centre?
o Data centre as an establishment?
o Subsidiary as an establishment?
EEA cloud provider?
Relevant/irrelevant establishment?
14. Cloud layers
Layers - knowledge or intention?
[Diagram: Software as a Service (SaaS) Architectures, Platform as a Service (PaaS) Architectures and Infrastructure as a Service (IaaS) Architectures, each shown as stacks of SaaS / PaaS / IaaS layers on Cloud Infrastructure. Annotations: "+ SaaS"; "+ physical infrastructure for each!"]
Diagram from
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
15. When do EU data protection laws apply to a
cloud user/controller?
Non-EEA users - France - CNIL’s
relaxation for use of French providers
Full paper http://bit.ly/clouddataprotection3
16. Replacement of jurisdictional tests with targeting?
Has been used in other contexts, eg
Consumer protection & applicable law to contracts
o Cases C-585/08 and 144/09 Pammer and Hotel Alpenhof
Trademark infringement on auction platform
o Case C-324/09 L’Oreal v eBay
How could this be applied in a cloud context?
Outside EEA: targeting
Within EEA: country of origin rule?
18. 'If we include entities outside the
European Union, the data transfer that is
inevitable with cloud computing — and
which has no legitimacy under data
privacy law — makes clouds inherently
impermissible.'
German regulator Thilo Weichert
19. 'The DPA does not prohibit the overseas
transfer of personal data, but it does
require that it is protected adequately
wherever it is located and whoever is
processing it. Clearly, this raises
compliance issues that organisations
using internet-based computing need to
address.'
UK Information Commissioner
20. Restriction on international data transfers
Restriction on data export to country
without “adequate protection”, with
exceptions (articles 25 & 26)
21. How can personal data be transferred
outside the EEA? - 1
Whitelisted countries
a short list
Safe Harbor –
'processors'
layers/sub-providers & onward transfers
non-US/EEA data centres (Danish DPA ruling)
concerns about adequacy eg German
regulators
22. How can personal data be transferred
outside the EEA? - 2
BCRs
o within group only
Model clauses – layered situation?
o For EEA customer using a cloud provider –
Provider | Sub-provider | Covered by model clauses?
Non-EEA | Non-EEA | Yes
EEA | Non-EEA | No
23. Regional clouds - can cloud users control
where their data are stored in clouds?
It depends!
No choice
In practice, probably locally…
Regions?
o EEA ≠ EU ≠ Europe – Danish DPA decision
o Contractual commitment?
24. Even within the EEA…
Data centres in multiple EEA Member States
Obstacle: compliance with multiple national
laws, which may conflict because of lack of
harmonisation and inconsistencies re.:
definitions eg special category data
scope eg data on corporate persons
security requirements eg Italy v UK
25. But… should location of data really matter?
Shouldn’t the focus be on who can access data
in intelligible form?
non-EEA location doesn’t mean bad protection
EEA doesn’t guarantee good protection – question to
European Parliament re. Dutch Minister’s statement
Given encryption, storage virtualisation & data
fragmentation, what may be more important are
System’s design, and
Provider’s jurisdiction
Full paper
http://bit.ly/clouddataprotection4
27. Meanwhile…
Location, location, location
Encryption, encryption, encryption;
but limitations -
speed
value-add
operations on data
key management critical
Contract, contract, contract
28. Meanwhile, in practice
Contract - procurement process
Internal controls
Due diligence
Contract – negotiate? eg Google – City of LA, Cambridge U
Controller/processor status
Any use of sub-‘processors’
Data location
Also:
Liability - integrity/breach/availability (backup!)
Modification/termination
Data retention/deletion
Right to disclose/monitor
Security (whose policy), audit rights?
29. Cloud Legal Project research
Data protection – other papers
http://bit.ly/clouddataprotection1
http://bit.ly/clouddataprotection2
Links to regulatory etc pronouncements
http://bit.ly/cloudlinks
EU consultation response
http://bit.ly/clpeuresponse
Other papers
http://cloudlegalproject.org/Research
Future papers
Negotiated cloud contracts
Cloud governance (not just data protection)
Consumer protection
30. Thanks for listening!
Any questions?
Julia Hörnle j.hornle@qmul.ac.uk
Kuan Hon w.k.hon@qmul.ac.uk
Cloud Legal Project, CCLS
Queen Mary, University of London
http://cloudlegalproject.org
@cloudlegalteam
Mailing list subscription
http://cloudlegalproject.org/Contact