Slides for talk at Institute of Advanced Legal Studies, London, on 1 Nov 2011

1. Institute of Advanced Legal Studies 1 November 2011
Data Protection Jurisdiction and
International Data Transfers in
Cloud Computing
Julia Hörnle
Kuan Hon
Cloud Legal Project
Centre for Commercial Law Studies, Queen Mary, University of London
cloudlegalproject.org

2. Outline
 Cloud Legal Project
 Cloud computing
 Data protection jurisdiction
 International data transfers

3. Cloud Legal Project

4. Cloud Legal Project
 History
 Aims

5. Cloud computing

6. What is cloud computing?
 IT resources over network, scalable on demand
 US NIST service models
 Software as a Service (SaaS) – incl. storage (eg. Salesforce;
Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google
Apps, Microsoft Office 365; Facebook, Flickr)
o Storage as a Service (also SaaS!) = convenient way of storing / backing-up
data online (eg. box.net)
 Infrastructure as a Service (IaaS) (eg. Amazon Web Services,
Rackspace) – compute, storage
 Platform as a Service (PaaS) (eg. Google App Engine,
Microsoft Windows Azure, Force.com)
 Classification may depend on viewpoint

7. Deployment models: private, community,
public and hybrid clouds…

8. Cloud layers/‘stack’– different possible
architectures, possible hidden layers
--> Who holds user’s data? Where?
+ SaaS
Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure
IaaS Software as a Service on
PaaS PaaS (SaaS) IaaS
SaaS SaaS SaaS Architectures
Cloud Infrastructure Cloud Infrastructure
IaaS Platform as a Service (PaaS)
PaaS PaaS Architectures
+ physical
infrastructure
Cloud Infrastructure for each!
IaaS Infrastructure as a Service (IaaS)
Architectures
From
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

9. Key cloud computing features relevant
to data protection law
 Multiple providers? (layers)
 Data replication, deletion
 Sharding/chunking/fragmentation
 Location – multiple; changing?
 Design - provider access; encryption
 Use of/dependence on shared, third
party resources, incl connectivity

10. Some possible contractual structures
User Provider Sub-provider
User Integrator Provider
Integrator
User
Provider

11. Data Protection
Jurisdiction

12. When do EU data protection laws
apply to a cloud user/controller?
 Laws applied based on:
'Establishment'/'context
o More than one law may apply!
o Google Video case/Italy
o Article 29 WP 179
o Incl. through third party
Public international law
'Use' of EEA 'equipment‘/’means’
o But transit?

13. When do EU data protection laws
apply to a cloud user/controller?
 Cookies ('equipment') – SaaS
 Use, by non-EEA customer, of:
EEA data centre?
o Data centre as an establishment?
o Subsidiary as an establishment?
EEA cloud provider?
 Relevant/irrelevant establishment?

14. Cloud layers
Layers - knowledge or intention?
Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure
IaaS Software as a Service + SaaS
PaaS PaaS (SaaS) on
SaaS SaaS SaaS Architectures
IaaS
Cloud Infrastructure Cloud Infrastructure
IaaS Platform as a Service (PaaS)
PaaS PaaS Architectures
+ physical
Cloud Infrastructure
infrastructure
IaaS Infrastructure as a Service (IaaS) for each!
Architectures
Diagram from
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

15. When do EU data protection laws apply to a
cloud user/controller?
 Non-EEA users - France - CNIL’s
relaxation for use of French providers
 Full paper http://bit.ly/clouddataprotection3

16. Replacement of jurisdictional tests with targeting?
 Has been used in other contexts, eg
Consumer protection & applicable law to contracts
o Cases C-585/08 and 144/09 Pammer and Hotel Alpenhof
Trademark infringement on auction platform
o Case C-324/09 L’Oreal v eBay
 How could this be applied in a cloud context?
Outside EEA: targeting
Within EEA: country of origin rule?

17. International Data
Transfers

18. 'If we include entities outside the
European Union, the data transfer that is
inevitable with cloud computing — and
which has no legitimacy under data
privacy law — makes clouds inherently
impermissible.'
German regulator Thilo Weichert

19. 'The DPA does not prohibit the overseas
transfer of personal data, but it does
require that it is protected adequately
wherever it is located and whoever is
processing it. Clearly, this raises
compliance issues that organisations
using internet-based computing need to
address.'
UK Information Commissioner

20. Restriction on international data transfers
 Restriction on data export to country
without “adequate protection”, with
exceptions (articles 25 & 26)

21. How can personal data be transferred
outside the EEA? - 1
 Whitelisted countries
a short list
 Safe Harbor –
'processors'
layers/sub-providers & onward transfers
non-US/EEA data centres (Danish DPA ruling)
concerns about adequacy eg German
regulators

22. How can personal data be transferred
outside the EEA? - 2
BCRs
o within group only
Model clauses – layered situation?
o For EEA customer using a cloud provider –
Provider Sub-provider Covered by
model clauses?
Non-EEA Non-EEA Yes
EEA Non-EEA No

23. Regional clouds - can cloud users control
where their data are stored in clouds?
 It depends!
No choice
In practice, probably locally…
Regions?
oEEA ≠ EU ≠ Europe – Danish DPA decision
oContractual commitment?

24. Even within the EEA…
 Data centres in multiple EEA Member States
 Obstacle: compliance with multiple national
laws, which may conflict because of lack of
harmonisation and inconsistencies re.:
definitions eg special category data
scope eg data on corporate persons
security requirements eg Italy v UK

25. But… should location of data really matter?
 Shouldn’t the focus be on who can access data
in intelligible form?
non-EEA location doesn’t mean bad protection
EEA doesn’t guarantee good protection – question to
European Parliament re. Dutch Minister’s statement
 Given encryption, storage virtualisation & data
fragmentation, what may be more important are
System’s design, and
Provider’s jurisdiction
 Full paper
http://bit.ly/clouddataprotection4

26. Data Protection Directive reform
 Draft proposal – expected 2012
 In by…?

27. Meanwhile…
 Location, location, location
 Encryption, encryption, encryption;
but limitations -
speed
value-add
operations on data
key management critical
 Contract, contract, contract

28. Meanwhile, in practice
 Contract - procurement process
 Internal controls
 Due diligence
 Contract – negotiate? eg Google – City of LA, Cambridge U
 Controller/processor status
 Any use of sub-‘processors’
 Data location
 Also:
 Liability - integrity/breach/availability (backup!)
 Modification/termination
 Data retention/deletion
 Right to disclose/monitor
 Security (whose policy), audit rights?

29. Cloud Legal Project research
 Data protection – other papers
http://bit.ly/clouddataprotection1
http://bit.ly/clouddataprotection2
 Links to regulatory etc pronouncements
http://bit.ly/cloudlinks
 EU consultation response
http://bit.ly/clpeuresponse
 Other papers
http://cloudlegalproject.org/Research
 Future papers
 Negotiated cloud contracts
 Cloud governance (not just data protection)
 Consumer protection

30. Thanks for listening!
Any questions?
Julia Hörnle j.hornle@qmul.ac.uk
Kuan Hon w.k.hon@qmul.ac.uk
Cloud Legal Project, CCLS
Queen Mary, University of London
http://cloudlegalproject.org
@cloudlegalteam
Mailing list subscription
http://cloudlegalproject.org/Contact