Legal Risks of Cloud Computing and Open Data
•
0 j'aime•682 vues
Kuan Hon, an independant consultant (Kuan0.com) presents 'New technologies & paradigms, old laws', at the Eduserv Symposium 2013: In with the new.
![19/05/2013
2
@kuan∅
Introduction
• Self
[2 hats 4 clouds 3 weasels]
• Attendees?
@kuan∅
Legal risks of new tech
Risk pyramid
Legal
Reputational
[Public trust] etc etc](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommandé
Recommandé
Contenu connexe
Similaire à Legal Risks of Cloud Computing and Open Data
Similaire à Legal Risks of Cloud Computing and Open Data (20)
Plus de Eduserv
Plus de Eduserv (20)
Dernier
Dernier (20)
Legal Risks of Cloud Computing and Open Data
- 1. 19/05/2013 1 New Technologies & Paradigms, Old Laws Kuan Hon Independent Consultant PhD Candidate, QMUL Eduserv Symposium 2013, London 16 May 2013 @kuan∅ Outline • Introduction • Cloud • Open data, big data
- 2. 19/05/2013 2 @kuan∅ Introduction • Self [2 hats 4 clouds 3 weasels] • Attendees? @kuan∅ Legal risks of new tech Risk pyramid Legal Reputational [Public trust] etc etc
- 4. 19/05/2013 4 @kuan∅ LawyersLawyers (Image reproduced by kind permission of Firebox.com) Certainty? Hah! ‘It depends…’ Interpretation Context Probabilities
- 5. 19/05/2013 5 @kuan∅ Skills For legal (& many other) issues: Know WHO to ask, & WHEN, & WHAT to tell ‘em! @kuan∅ WHO Lawyers
- 8. 19/05/2013 8 @kuan∅ Laws & the internet @kuan∅ Cloud computing & law Risk pyramid Laws Reputational [Public trust] etc etc
- 9. 19/05/2013 9 @kuan∅ Let your lawyer do the worrying… @kuan∅ Cloud computing • Legal risks - brief lawyers on: – what’s cloud? •recap •NB layers •12 Cs; cf traditional outsourcing – what do you want to use it for? •requirements, risk tolerance User ---- DropBox ---- Amazon SaaS IaaS
- 10. 19/05/2013 10 @kuan∅ Cloud legal issues • Lots! – IP, competition – no time… – see cloudlegalproject.org + book • Pre-contract checks + contract • For public sector: – government policy – CloudStore @kuan∅ Location
- 11. 19/05/2013 11 @kuan∅ Data location, me & you • Public sector – Gov ICT Offshoring (International Sourcing) Guidance - data location unrestricted, unless: – national security – data protection laws • Data protection – cloud guidance – Article 29 WP opinion – UK ICO guidance @kuan∅ Law vs IT “Technical & organisational measures” IT security & IT “data protection” “Data protection” (law)
- 12. 19/05/2013 12 @kuan∅ Data protection laws: “Personal data” (cf anonymous data) @kuan∅ EU Data Protection Directive Data export restriction NO transfer of PD outside European Economic Area
- 13. 19/05/2013 13 @kuan∅ Unless… • Exception • “Adequate protection” / “adequate safeguards” • But problems… @kuan∅ So, in practice… • Regional clouds - easy, safe
- 14. 19/05/2013 14 @kuan∅ EEA, EU, Europe… http://bit.ly /eu-venn for large version & table @kuan∅ ‘Transfer’ – physical location • Gear: storage / processing; caches • People: remote access
- 15. 19/05/2013 15 @kuan∅ • + Names of all “sub-contractors” • Follow this… + other DP regulators’ recommendations (eg liability chain) public cloud! Gimme gimme gimme your data locations… Image from Beeld en Geluidwiki @kuan∅ Traditional outsourcing Cloud Cook food yourself Hire caterers to cook for you on your instructions Rent kitchen, cook food yourself Get take-out or ready meal, cook it yourself
- 16. 19/05/2013 16 @kuan∅ Key tensions • “Guaranteed” security / liability – should be possible – but will cost! – cheap / free public cloud model • Control of supply / contract chain – will big players be the winners? @kuan∅ “It’s unworkable, so just ignore it?” @kuan∅
- 17. 19/05/2013 17 @kuan∅ Draft Data Protection Regulation Up to 2% annual global turnover @kuan∅ @kuan∅ Good intentions… Flames of hell…?
- 18. 19/05/2013 18 @kuan∅ Cloud contracts @kuan∅ Cloud contracts • 3 aspects: – pre-contract due diligence – contract terms – post-contract – monitoring etc • See negotiated contracts article – “no names” interviews, FOI etc – Forbes report
- 19. 19/05/2013 19 @kuan∅ Standard terms • Providers’ standard terms – weighted; customer-appropriate? • Negotiable? – customer / deal size • Gov / banks - trad. IT outsourcing – cloud-appropriate? • Customer process issue – bypass IT, legal! @kuan∅ Pre-contract due diligence • If personal data – all sub-providers’ names; locations; security • Lock-in and exit – practical: test data portability in advance (NB fake data!) • Security – pen testing, certifications? • NB backups • + Post-contract - security audits etc • ENISA papers (hunt!)
- 20. 19/05/2013 20 @kuan∅ Contract terms • If personal data: – choice of provider (security), contract requirements: “instructions”, security • More generally, some key issues: – provider liability (vs price) – lock-in – term, termination; exit terms – security – confidentiality; audit rights? – right to change terms? (cf G-Cloud…) @kuan∅ G-Cloud: CloudStore • Process - no mini-competition, no negotiation! (though fill in blanks…) - Price / MEAT • Info - G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June) • NB overlay approach & supplier terms: – get advice on own specific data type/use – see G-Cloud paper
- 21. 19/05/2013 21 @kuan∅ Cloud Open data Big data @kuan∅ Protection of Freedoms Act • s 102 amends FOIA – datasets – electronic, reusable form – open licensing – allow reuse (fees?) • In force May/June…? – Draft Code of Practice – consultation – ICO publication scheme, guidance • What datasets, how to handle?
- 22. 19/05/2013 22 @kuan∅ Open data vs personal data • Anonymise any PD before release • Tricky! eg Sweeney etc research • Big, eg EE / Ipsos Mori! But worthwhile • ICO Code of Practice (full disclosure..) – limited controlled release, vs fully public • UK Anonymisation Network (2 years) – anonymisation clinics – 28 June @kuan∅ STOP PRESS • Shakespeare review of PSI, 15 May 2013 – Deloitte market assessment – His summary in the Guardian • Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…) – Following 'best practice' guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.
- 23. 19/05/2013 23 @kuan∅ Cloud Open data Big data @kuan∅ Big data vs personal data • Data protection compliance (eg security) & anonymisation, again… • Less data good? • Other issues? eg IP
- 24. 19/05/2013 24 @kuan∅ New technologies and paradigms, old laws @kuan∅ Old laws • Outdated assumptions • Appropriate to new paradigms?? • But - the law is the law! • Until laws are updated properly… • Same ol’ strategy still sensible: – RRRR + EEEE
- 25. 19/05/2013 25 @kuan∅ Key takeaways 1 • RRRR: – requirements evaluation, for – real life intended use – review & understand tech / model – risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case) @kuan∅ Key takeaways 2 • EEEE – get: – expert input / advice – legal, IT, risk, security, stats etc – based on exact data type, use case – explain the tech / model properly – early, not last minute or after!
- 26. 19/05/2013 26 @kuan∅ Thank you! Kuan Hon Twitter: @kuan∅ Email: k @ domain below kuan∅.com/publications.html blog.kuan∅.com Half lawyer | half geek | mostly harmless