Privacy, Data Protection and Cloud Computing
16 July 2014
Professor Ian Walden
Centre for Commercial Law Studies, Queen Mary, University of London
www.cloudlegal.ccls.qmul.ac.uk
Presentation at the OII Doctoral Summer School
Introductory remarks
• Understanding privacy and data protection laws
• Understanding cloud computing
• Personal data
• Controllers, processors & others?
• Location, location, location
• Law enforcement access
Privacy laws
• Different cultural values and practices
Identity, autonomy, personal development, establish & develop relationships, reputation, democracy…
• A constellation of legal rights
Constitutional, statutory, tortious, equitable, proprietary…
o Charter, art. 7: “Everyone has the right to respect for his or her private and family life, home and communications”
• Private (and public) realms
‘reasonable expectation of privacy’
o e.g. Gmail
• Permitted interferences
e.g. national security, protection of rights of others
Data protection laws
• Responding to the capabilities of ICTs
Council of Europe Convention 1981
o Processing principles: data quality & data subject rights
EU Directives 95/46/EC & 02/58/EC
o Charter, Article 8
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Draft Regulation
o Implications for cloud
Cloud computing?
• ‘X as a Service’
• SaaS, PaaS, IaaS...
• Flexible, location-independent (-ish), on-demand, shared, virtualised
• Cloud multi-layered ecosystem
• Service providers
• Cloud infrastructure providers
o Amazon Web Services
• Communication providers
• Deployment models
• Public, private, community & hybrid
Virtualisation and abstraction
• Hypervisor or Virtual Machine Monitor
Physical server / host OS - (shared) processor, memory, network, storage
• Linux, Unix, Windows…
Possible architectures: cloud layers or “stack”
[Diagram: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) architectures, each shown as combinations of SaaS, PaaS and IaaS layers on top of Cloud Infrastructure]
From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Deployment models: private, community, public and hybrid clouds…
Key features relevant to data protection law
• Distributed storage
‘Sharding’, ‘chunking’ & ‘partitioning’
• Data replication
For performance, availability, back-up & redundancy
• Data deletion
• System & service design: Cloud supply chain
“Stack”
Ancillary services, e.g. apps integration
• Resources: shared, third party
‘Personal data’ in the clouds
• ‘identified or identifiable natural person…’
‘sensitive data’
o Recital 26: “whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
• Anonymisation & pseudonymisation techniques
deletion/omission; substitution, aggregation, addition
• As processing
Big data analytics
Paul Ohm: ‘Broken promises of privacy’ (2009)
• Encrypted data
What is “good enough”?
Regulated entities
• Controllers, processors & sub-processors
‘determine purpose & means’
o Google Spain v AEPD (ECJ, May 2014)
o Draft Regulation: Joint and several liability
• Cloud customer & provider(s)
Customer’s data / metadata
o Not even ‘processor’?
o Infrastructure providers – IaaS, PaaS, SaaS
• End to end accountability, not binary controller/processor?
• eCommerce Directive (00/31/EC) approach?
o Liability safe harbour: Mere conduit, hosting & caching
Applicable law
• ‘Establishment’: corporate structure / operations
Own data centre or 3rd party data centre in EEA?
‘in the context of the activities’
o Google Spain v AEPD (ECJ, May 2014)
• ‘Equipment’ / ‘means’ and EEA data centre
Use of EEA data centre by non-EEA customer or cloud provider
o ‘Transit’ exception – ‘follow the sun’ Cloud support services
Data export
• Can cloud customer control where its data are stored in the clouds?
• It depends!
• Sometimes no choice
• Regions (but, what is contractual status?)
• Sometimes locally by default
• Within the EEA
Lack of harmonisation
Draft Regulation: ‘One-stop-shop’
• Public cloud may not be appropriate for regulated data
‘Where’: The way forward?
• EEA Regional Cloud
e.g. AWS Regions, Microsoft
o e.g. ‘Schengen data area’ (ATOS) or ‘Schengen routing’ (DT)
• Country of origin (intra EEA)
Draft Regulation: ‘main establishment’
• Targeting (extra EEA)
Draft Regulation: Offering goods & services or monitoring behaviour of EU residents
• End-to-end accountability
Technical: e.g. location of encryption keys
Legal: e.g. model contracts & BCRs
Law enforcement access
• Commercial secrecy and privacy threats
From organised crime to law enforcement
o The ‘Patriot Act’ problem
• An exercise of powers
Legality & enforceability
• Questions of vires and regulatory boundaries
Obligations to assist
Jurisdictional reach
o Search & seizure: Microsoft (2014)
Evidential impact?
Dealing with law enforcement
• Request recipients
EU: ‘electronic communication services’ & ‘information society services’
o e.g. Yahoo! Belgium (2011)
US: providers of ‘electronic communication services’ and ‘remote computing services’ (18 U.S.C. § 2703)
• Obligations to assist
Directive 02/58/EC, art. 5(1) & art. 15(1): interception
o Existing capability or build obligation?
Directive 06/24/EC: data retention
o Digital Rights Ireland v Ireland (ECJ, April 2014)
o UK: Data Retention and Investigatory Powers Bill
Law enforcement powers
• Law enforcement access
Data ‘at rest’ & ‘in transmission’
Obtaining data: Covert & coercive investigative techniques
o in its ‘possession or control’: Rackspace (2013), Verizon (2014)
• ‘Exercising a power’
Permissible & impermissible conduct
o e.g. entrapment
• Expedited preservation, retention & delivery-up
Obtaining authorisation
o Judicial, executive or administrative
Law enforcement powers
• Issues of legality & enforceability
Executing the authorisation
o e.g. Microsoft (2014)
Recipient’s actions
o e.g. Rackspace (2004)
• Interference with rights
‘conditions and safeguards’
o Notification: Pre & Post
o Oversight regime: ‘judicial or other independent supervision’
o Jurisdiction limitations
International co-operation
• Mutual legal assistance
From harmonisation to mutual recognition
o Convention on Cybercrime
o TFEU, art. 82: European Evidence Warrant & European Investigation Order
• Informal co-operation with foreign LEAs
Proactive disclosure & 24/7 networks
• Direct liaison with foreign service providers
Voluntary disclosures by cloud providers
o e.g. Google ‘Transparency Report’, Microsoft, Twitter, Vodafone
o Cloud contractual provisions on disclosure
• Engage directly with the material sought
Concluding remarks & questions?
