Institute of Advanced Legal Studies                           1 November 2011


Data Protection Jurisdiction and
International Data Transfers in
       Cloud Computing
                             Julia Hörnle
                              Kuan Hon
                               Cloud Legal Project
       Centre for Commercial Law Studies, Queen Mary, University of London
                              cloudlegalproject.org
Outline

   Cloud Legal Project
   Cloud computing
   Data protection jurisdiction
   International data transfers
Cloud Legal Project
Cloud Legal Project
 History
 Aims
Cloud computing
What is cloud computing?
 IT resources over network, scalable on demand
 US NIST service models
    Software as a Service (SaaS) – incl. storage (eg. Salesforce;
     Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google
     Apps, Microsoft Office 365; Facebook, Flickr)
      o Storage as a Service (also SaaS!) = convenient way of storing / backing-up
        data online (eg. box.net)

    Infrastructure as a Service (IaaS) (eg. Amazon Web Services,
     Rackspace) – compute, storage
    Platform as a Service (PaaS) (eg. Google App Engine,
     Microsoft Windows Azure, Force.com)
 Classification may depend on viewpoint
Deployment models: private, community,
public and hybrid clouds…
Cloud layers/‘stack’– different possible
   architectures, possible hidden layers
   --> Who holds user’s data? Where?
[Diagram: cloud service-model stacks built from Cloud Infrastructure, IaaS, PaaS and SaaS layers. Panels: Software as a Service (SaaS) Architectures; Platform as a Service (PaaS) Architectures; Infrastructure as a Service (IaaS) Architectures. Annotations: "+ SaaS on IaaS"; "+ physical infrastructure for each!"]

From
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Key cloud computing features relevant
to data protection law
   Multiple providers? (layers)
   Data replication, deletion
   Sharding/chunking/fragmentation
   Location – multiple; changing?
   Design - provider access; encryption
   Use of/dependence on shared, third
    party resources, incl connectivity
Some possible contractual structures

User       Provider      Sub-provider


User       Integrator    Provider


           Integrator
User
           Provider
Data Protection
  Jurisdiction
When do EU data protection laws
apply to a cloud user/controller?
 Laws applied based on:
  'Establishment'/'context'
    o More than one law may apply!
    o Google Video case/Italy
    o Article 29 WP 179
    o Incl. through third party
  Public international law
  'Use' of EEA 'equipment'/'means'
    o But transit?
When do EU data protection laws
apply to a cloud user/controller?
 Cookies ('equipment') – SaaS
 Use, by non-EEA customer, of:
  EEA data centre?
    o Data centre as an establishment?
    o Subsidiary as an establishment?

  EEA cloud provider?
 Relevant/irrelevant establishment?
Cloud layers
   Layers - knowledge or intention?
[Diagram: cloud service-model stacks built from Cloud Infrastructure, IaaS, PaaS and SaaS layers. Panels: Software as a Service (SaaS) Architectures; Platform as a Service (PaaS) Architectures; Infrastructure as a Service (IaaS) Architectures. Annotations: "+ SaaS on IaaS"; "+ physical infrastructure for each!"]

Diagram from
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
When do EU data protection laws apply to a
cloud user/controller?
 Non-EEA users - France - CNIL’s
  relaxation for use of French providers
 Full paper http://bit.ly/clouddataprotection3
Replacement of jurisdictional tests with targeting?

 Has been used in other contexts, eg
  Consumer protection & applicable law to contracts
     o Cases C-585/08 and 144/09 Pammer and Hotel Alpenhof
  Trademark infringement on auction platform
     o Case C-324/09 L’Oreal v eBay

 How could this be applied in a cloud context?
  Outside EEA: targeting
  Within EEA: country of origin rule?
International Data
     Transfers
'If we include entities outside the
European Union, the data transfer that is
inevitable with cloud computing — and
which has no legitimacy under data
privacy law — makes clouds inherently
impermissible.'

              German regulator Thilo Weichert
'The DPA does not prohibit the overseas
transfer of personal data, but it does
require that it is protected adequately
wherever it is located and whoever is
processing it. Clearly, this raises
compliance issues that organisations
using internet-based computing need to
address.'
               UK Information Commissioner
Restriction on international data transfers
 Restriction on data export to country
  without “adequate protection”, with
  exceptions (articles 25 & 26)
How can personal data be transferred
outside the EEA? - 1
 Whitelisted countries
  a short list
 Safe Harbor –
  'processors'
  layers/sub-providers & onward transfers
  non-US/EEA data centres (Danish DPA ruling)
  concerns about adequacy eg German
   regulators
How can personal data be transferred
outside the EEA? - 2
  BCRs
      o within group only
  Model clauses – layered situation?
      o For EEA customer using a cloud provider –
        Provider     Sub-provider     Covered by model clauses?
        Non-EEA      Non-EEA          Yes
        EEA          Non-EEA          No
Regional clouds - can cloud users control
where their data are stored in clouds?
 It depends!
  No choice
  In practice, probably locally…
  Regions?
    o EEA ≠ EU ≠ Europe – Danish DPA decision
    o Contractual commitment?
Even within the EEA…

 Data centres in multiple EEA Member States
 Obstacle: compliance with multiple national
  laws, which may conflict because of lack of
  harmonisation and inconsistencies re.:
  definitions eg special category data
  scope eg data on corporate persons
  security requirements eg Italy v UK
But… should location of data really matter?
 Shouldn’t the focus be on who can access data
  in intelligible form?
   non-EEA location doesn’t mean bad protection
   EEA doesn’t guarantee good protection – question to
    European Parliament re. Dutch Minister’s statement
 Given encryption, storage virtualisation & data
  fragmentation, what may be more important are
   System’s design, and
   Provider’s jurisdiction
 Full paper
  http://bit.ly/clouddataprotection4
Data Protection Directive reform
 Draft proposal – expected 2012
 In by…?
Meanwhile…
 Location, location, location
 Encryption, encryption, encryption;
  but limitations -
  speed
  value-add
  operations on data
  key management critical
 Contract, contract, contract
Meanwhile, in practice
 Contract - procurement process
    Internal controls
    Due diligence
 Contract – negotiate? eg Google – City of LA, Cambridge U
    Controller/processor status
    Any use of sub-‘processors’
    Data location

 Also:
    Liability - integrity/breach/availability (backup!)
    Modification/termination
    Data retention/deletion
    Right to disclose/monitor
    Security (whose policy), audit rights?
Cloud Legal Project research
 Data protection – other papers
  http://bit.ly/clouddataprotection1
  http://bit.ly/clouddataprotection2
 Links to regulatory etc pronouncements
  http://bit.ly/cloudlinks
 EU consultation response
  http://bit.ly/clpeuresponse
 Other papers
  http://cloudlegalproject.org/Research
 Future papers
   Negotiated cloud contracts
   Cloud governance (not just data protection)
   Consumer protection
Thanks for listening!
Any questions?
Julia Hörnle j.hornle@qmul.ac.uk
Kuan Hon w.k.hon@qmul.ac.uk

   Cloud Legal Project, CCLS
 Queen Mary, University of London
  http://cloudlegalproject.org
       @cloudlegalteam

Mailing list subscription
http://cloudlegalproject.org/Contact
