Is it legal or illegal to use American cloud services in Europe?
Patricia Ayojedi's presentation about the controversy between the USA and Europe regarding cloud business.

Patricia Ayojedi V SCTC day Cloud 24 feb16

  1. Cloud: Is it legal or illegal to use American cloud services in Europe? PATRICIA AYODEJI, dual qualified lawyer, England & Spain; Member of The Law Society, London, and the Ilustre Colegio de la Abogacía, Barcelona; Founding Lawyer, E-PDP. payodeji@icab.cat, www.e-pdp.es. 24th February 2016.
  2. Dropbox, Google Drive, Gmail, Microsoft Office 365, Mailchimp and many others…
  3. 2016 E-PDP PROTECCIÓN DE DATOS PERSONALES. CLOUD DOES NOT… remove our responsibility for data protection, data security, data integrity, data confidentiality and business continuity. We cannot entrust or delegate these to the cloud provider: a contractual clause to that effect is invalid!
  4. Before & After: mass surveillance on foreigners abroad.
  5. What you should know… Not on a par… In the US, data is governed by a patchwork of state and federal laws, with new reforms added all the time. Europe has a more harmonised regime, and there are big changes planned!
     Privacy Act 1974: guarantees three primary rights which federal agencies must abide by:
     • the right to see records about oneself, subject to Privacy Act exemptions;
     • the right to request the amendment of records that are not accurate, relevant, timely or complete; and
     • the right of individuals to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use and disclosure of personal information.
     It only applies to U.S. citizens or non-U.S. citizens who are permanent residents.
     Judicial Redress Act 2015: gives citizens from approved EU countries ("U.S.-allied countries") the right to sue federal agencies that mishandle their personal data, in a similar way to the rights Americans enjoy under the Privacy Act. Americans already enjoy similar rights in Europe. The right to redress is subject to the same restrictions U.S. citizens face under the Privacy Act, including broad exemptions for national security.
  6. The European Approach: privacy, security, confidentiality, data integrity, business continuity.
  7. Charter of Fundamental Rights of the European Union, Title II Freedoms, Article 8, Protection of Personal Data:
     1. Everyone has the right to the protection of personal data concerning him or her.
     2. Such data must be processed fairly and on the basis of the consent of the person concerned or some other legitimate reason laid down by the law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
     3. Compliance with these rules shall be subject to control by an independent authority.
  8. Data Protection Directive 95/46/EC -> L.OPD 15/1999. Protects personal data of EU citizens as users of cloud and when in the custody of a client of cloud services. In process of reform! The new EU Data Protection Regulation is expected to be formally agreed shortly and in place in 2018: ONE SINGLE LAW, which will enter into force after a transition period of 2 years. Higher fines, up to 4% of turnover, when companies have violated the privacy of a European. Extended territory includes all non-EU companies with no establishment in the EU who offer goods/services (including free of charge) to EU citizens. Ireland will cease to be a soft option for U.S. companies.
  9. Some Data Protection questions:
     • Do they share data with third party subcontractors? Do you know who they are, what services are outsourced and where their servers are located? WhatsApp, Gmail… involve the processing of data via undetermined servers and companies throughout the world.
     • Are you sure the data is not used for other purposes?
     • In case of breach, do they have the appropriate insurance?
     If our cloud provider does not provide us with certain guarantees, all responsibility for the data lies with us!
  10. Jurisprudence & cloud sourced data: 2015, 'annus horribilis' for Google, Facebook, Apple, Yahoo etc.
  11. US Safe Harbour Scheme. Turning point in international transfers to the US… the striking down of Safe Harbour! On 6 October 2015 the EU Court of Justice, in the Schrems vs. Facebook judgment (C-362/14), proclaimed that the 15-year-old Safe Harbour, the legal framework that American companies have used to handle European citizens' data, does not provide an adequate level of protection and does not provide guarantees equivalent to those established in the European Union. (The case concerned Facebook and the mass-surveillance programmes of the NSA: Snowden's NSA leaks demonstrated that European data stored by US companies was not safe from the type of surveillance which would be considered illegal in Europe.) The judgment invalidated the legal basis for US-EU Safe Harbour. If your company is relying on Safe Harbour, it is in an illegal situation and may face enforcement proceedings, depending on the DPAs in question!!
  12. AGPD: Spanish Data Protection Authority's response to the EU Court of Justice Schrems judgment, Madrid, 29th October 2015. In exercise of its powers, the AEPD (Spanish Data Protection Authority) required that, at the earliest and in any case before 29 January 2016, all transfers of data from Spain to the U.S. be notified or modified in the General Data Protection Registry and, if necessary, include details of their compliance with data protection legislation. Failing that within this period, the Authority may initiate proceedings, if necessary, to temporarily suspend such international transfers. https://www.agpd.es/portalwebAGPD/canalresponsable/transferencias_internacionales/common/Comunicacion_responsables_-_Puerto_Seguro.pdf
  13. The US Government's response to Schrems. U.S. Secretary of Commerce Penny Pritzker: "…We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy. Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years…"
  14. How do we use American cloud services in Europe without running afoul of EU data protection law? Alternative compliant data transfer mechanisms…
      Data localisation (the actual whereabouts of data): choose a Spanish/EU provider, e.g. migrate from Georgia-based Mailchimp (whose privacy policy discloses personal information to comply with court orders and subpoenas) to Madrid-based Mailrelay (data centres in the EU). A basic but effective means to influence jurisdiction. An option for large organisations.
      EU model contractual clauses: for transfers to countries or territories that do not ensure an adequate level of protection (which now includes the USA). In Spanish & English!
      Binding Corporate Rules (BCRs): a set of legally enforceable internal rules (such as a Code of Conduct) regarding data privacy and security, to ensure that transfers of personal data outside of the EU take place in accordance with EU rules. A valid solution. Greater flexibility.
      THESE OPTIONS REMAIN FORMALLY EFFECTIVE & LEGAL.
  15. #FLISH FLASH. Successor to Safe Harbour: EU-US Privacy Shield, 2nd February 2016. http://ec.europa.eu/avservices/video/player.cfm?ref=I115848&sitelang=en EU Commission & US Dept. of Commerce:
      • A new living framework for transatlantic data flows, with a continuous process of monitoring by the EU Commission and an annual review which will look at all aspects of the agreement.
      • Multiple channels for EU citizens to report any "misuse" of their personal data. Companies will have deadlines in which to respond to complaints.
      • EU citizens will benefit from legal redress for privacy violations.
      • Severe restrictions on indiscriminate mass surveillance of European citizens by the U.S.
  16. EU-US Privacy Shield. The situation has not changed since Schrems. WP29 (the body of representatives of individual European Member States' DPAs): EU-US data transfers won't be blocked while Privacy Shield details are hammered out! Is the arrangement robust enough? It is not in fact certain that it will pass the scrutiny of the WP29 (quality, content, legal consequences) or the ECJ (the ultimate authority on the enforceability of the new pact). Plenty of questions remain, and a deal is not really done yet! Uncertainty is likely to prevail for some time!
  17. Security. Employees remain the weakest link within an organisation! What security measures does the provider have in place, and does it offer levels of security equivalent to local access? Preventative measures against viruses, hackers, spies? Do they keep security copies? ISO certification? ISO/IEC 27018 (Aug. 2014): code of practice to ensure cloud service providers offer suitable information security controls to protect PII processed in the public cloud. ISO/IEC 27017: cloud-specific information security controls and advice for cloud service customers and providers, published at the end of 2015; agreement on the information security roles and responsibilities of both parties.
  18. Data security breaches continue to climb. World's Biggest Data Breaches: selected losses greater than 30,000 records (updated 2nd October 2015), www.informationisbeautiful.net, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  19. Confidentiality. Encryption? Who holds the access keys? How are they protected? Usernames, passwords, password recovery.
  20. Data integrity.
      • Measures taken by the provider to mitigate the risk of data being involuntarily compromised?
      • Who can access data? What can they do with it?
      • What happens when you want to change cloud provider? Will critical data be inaccessible? For how long?
  21. Continuity: Portability & Interoperability. The ability to retrieve and shift data and services between different cloud systems. Portability is a new right under the new Regulation, designed especially for cloud services, i.e. the ability to get structured, legible information in a format compatible with other systems!
  22. Go for it, but remember…
  23. PATRICIA AYODEJI, IP/IT/Privacy, payodeji@icab.cat, www.e-pdp.es. Thank you! Don't panic… We protect your company data, digital products and services in different legal jurisdictions: • Information Security and Data Protection • Copyright and Trade marks • e-Legal proceedings • International legal services.