Ian Walden - Data Protection in Cloud Computing
1. Privacy, Data Protection and Cloud Computing
16 July 2014
Professor Ian Walden
Centre for Commercial Law Studies, Queen Mary, University of London
www.cloudlegal.ccls.qmul.ac.uk
Presentation at the OII Doctoral Summer School
2. Introductory remarks
Understanding privacy and data protection laws
Understanding cloud computing
Personal data
Controllers, processors & others?
Location, location, location
Law enforcement access
3. Privacy laws
Different cultural values and practices
Identity, autonomy, personal development, establish & develop relationships, reputation, democracy….
A constellation of legal rights
Constitutional, statutory, tortious, equitable, proprietary…
o Charter, art. 7: “Everyone has the right to respect for his or her private and family life, home and communications”
Private (and public) realms
‘reasonable expectation of privacy’
o e.g. Gmail
Permitted interferences
e.g. national security, protection of rights of others
4. Data protection laws
Responding to the capabilities of ICTs
Council of Europe Convention 1981
o Processing principles: data quality & data subject rights
EU Directives 95/46/EC & 02/58/EC
o Charter, Article 8
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Draft Regulation
o Implications for cloud
5. Cloud computing?
‘X as a Service’
SaaS, PaaS, IaaS...
Flexible, location-independent (-ish), on-demand, shared, virtualised
Cloud multi-layered ecosystem
Service providers
Cloud infrastructure providers
o Amazon Web Services
Communication providers
Deployment models
Public, private, community & hybrid
6. Virtualisation and abstraction
[Diagram: a hypervisor or Virtual Machine Monitor runs on the physical server / host OS and shares its processor, memory, network and storage among guest operating systems (Linux, Unix, Windows…)]
7. Possible architectures: cloud layers or “stack”
[Diagram: possible layerings built on Cloud Infrastructure. IaaS architectures: Cloud Infrastructure → IaaS. PaaS architectures: Cloud Infrastructure → PaaS; Cloud Infrastructure → IaaS → PaaS. SaaS architectures: Cloud Infrastructure → SaaS; Cloud Infrastructure → PaaS → SaaS; Cloud Infrastructure → IaaS → PaaS → SaaS]
From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
9. Key features relevant to data protection law
Distributed storage
‘Sharding’, ‘chunking’ & ‘partitioning’
Data replication
For performance, availability, back-up & redundancy
Data deletion
System & service design: Cloud supply chain
“Stack”
Ancillary services, e.g. apps integration
Resources: shared, third party
10. ‘Personal data’ in the clouds
‘identified or identifiable natural person…’
‘sensitive data’
o Recital 26: “whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
Anonymisation & pseudonymisation techniques
deletion/omission; substitution, aggregation, addition
As processing
Big data analytics
Paul Ohm: ‘Broken promises of privacy’ (2009)
Encrypted data
What is “good enough”?
11. Regulated entities
Controllers, processors & sub-processors
‘determine purpose & means’
o Google Spain v AEPD (ECJ, May 2014)
o Draft Regulation: Joint and severable liability
Cloud customer & provider(s)
Customer’s data / metadata
o Not even ‘processor’?
o Infrastructure providers – IaaS, PaaS, SaaS
End to end accountability, not binary controller/processor?
eCommerce Directive (00/31/EC) approach?
o Liability safe harbour: Mere conduit, hosting & caching
12. Applicable law
‘Establishment’: corporate structure / operations
Own data centre or 3rd party data centre in EEA?
‘in the context of the activities’
o Google Spain v AEPD (ECJ, May 2014)
‘Equipment’ / ‘means’ and EEA data centre
Use of EEA data centre by non-EEA customer or cloud provider
o ‘Transit’ exception – ‘follow the sun’ Cloud support services
13. Data export
Can cloud customer control where its data are stored in the clouds?
It depends!
Sometimes no choice
Regions (but, what is contractual status?)
Sometimes locally by default
Within the EEA
Lack of harmonisation
Draft Regulation: ‘One-stop-shop’
Public cloud may not be appropriate for regulated data
14. ‘Where’: The way forward?
EEA Regional Cloud
e.g. AWS Regions, Microsoft
o e.g. ‘Schengen data area’ (ATOS) or ‘Schengen routing’ (DT)
Country of origin (intra EEA)
Draft Regulation: ‘main establishment’
Targeting (extra EEA)
Draft Regulation: Offering goods & services or monitoring behaviour of EU residents
End-to-end accountability
Technical: e.g. location of encryption keys
Legal: e.g. model contracts & BCRs
15. Law enforcement access
Commercial secrecy and privacy threats
From organised crime to law enforcement
o The ‘Patriot Act’ problem
An exercise of powers
Legality & enforceability
Questions of vires and regulatory boundaries
Obligations to assist
Jurisdictional reach
o Search & seizure: Microsoft (2014)
Evidential impact?
16. Dealing with law enforcement
Request recipients
EU: ‘electronic communication services’ & ‘information society services’
o e.g. Yahoo! Belgium (2011)
US: providers of ‘electronic communication services’ and ‘remote computing services’ (18 U.S.C. § 2703)
Obligations to assist
Directive 02/58/EC, art. 5(1) & art. 15(1): interception
o Existing capability or build obligation?
Directive 06/24/EC: data retention
o Digital Rights Ireland v Ireland (ECJ, April 2014)
o UK: Data Retention and Investigatory Powers Bill
17. Law enforcement powers
Law enforcement access
Data ‘at rest’ & ‘in transmission’
Obtaining data: Covert & coercive investigative techniques
o in its ‘possession or control’: Rackspace (2013), Verizon (2014)
‘Exercising a power’
Permissible & impermissible conduct
o e.g. entrapment
Expedited preservation, retention & delivery-up
Obtaining authorisation
o Judicial, executive or administrative
18. Law enforcement powers
Issues of legality & enforceability
Executing the authorisation
o e.g. Microsoft (2014)
Recipient’s actions
o e.g. Rackspace (2004)
Interference with rights
‘conditions and safeguards’
o Notification: Pre & Post
o Oversight regime: ‘judicial or other independent supervision’
o Jurisdiction limitations
19. International co-operation
Mutual legal assistance
From harmonisation to mutual recognition
o Convention on Cybercrime
o TFEU, art. 82: European Evidence Warrant & European Investigation Order
Informal co-operation with foreign LEAs
Proactive disclosure & 24/7 networks
Direct liaison with foreign service providers
Voluntary disclosures by cloud providers
o e.g. Google ‘Transparency Report’, Microsoft, Twitter, Vodafone
o Cloud contractual provisions on disclosure
Engage directly with the material sought