Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Ian walden - data protection in cloud computing

  • Sé el primero en comentar

  • Sé el primero en recomendar esto

Ian walden - data protection in cloud computing

  1. 1. Privacy, Data Protection and Cloud Computing 16 July 2014 Professor Ian Walden Centre for Commercial Law Studies, Queen Mary, University of London www.cloudlegal.ccls.qmul.ac.uk Presentation at the OII Doctoral Summer School
  2. 2. Introductory remarks  Understanding privacy and data protection laws  Understanding cloud computing  Personal data  Controllers, processors & others?  Location, location, location  Law enforcement access
  3. 3. Privacy laws  Different cultural values and practices Identity, autonomy, personal development, establish & develop relationships, reputation, democracy….  A constellation of legal rights Constitutional, statutory, tortious, equitable, proprietal… o Charter, art. 7: “Everyone has the right to respect for his or her private and family life, home and communications”  Private (and public) realms ‘reasonable expectation of privacy’ o e.g. Gmail  Permitted interferences e.g. national security, protection of rights of others
  4. 4. Data protection laws  Responding to the capabilities of ICTs Council of Europe Convention 1981 o Processing principles: data quality & data subject rights EU Directives 95/46/EC & 02/58/EC o Charter, Article 8 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority. Draft Regulation o Implications for cloud
  5. 5. Cloud computing?  ‘X as a Service’  SaaS, PaaS, IaaS...  Flexible, location-independent (-ish), on-demand, shared, virtualised  Cloud multi-layered ecosystem  Service providers  Cloud infrastructure providers o Amazon Web Services  Communication providers  Deployment models  Public, private, community & hybrid
  6. 6. Virtualisation and abstraction  Hypervisor or Virtual Machine Monitor Physical server / host OS - (shared) processor, memory, network, storage  Linux, Unix, Windows…
  7. 7. Possible architectures: cloud layers or “stack” Cloud Infrastructure IaaS PaaS SaaS Infrastructure as a Service (IaaS) Architectures Platform as a Service (PaaS) Architectures Software as a Service (SaaS) Architectures Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS Cloud Infrastructure PaaS Cloud Infrastructure IaaS From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
  8. 8. Deployment models: private, community, public and hybrid clouds…
  9. 9. Key features relevant to data protection law  Distributed storage ‘Sharding’, ‘chunking’ & ‘partitioning’  Data replication For performance, availability, back-up & redundancy  Data deletion  System & service design: Cloud supply chain “Stack” Ancillary services, e.g. apps integration  Resources: shared, third party
  10. 10. ‘Personal data’ in the clouds  ‘identified or identifiable natural person…’ ‘sensitive data’ o Recital 26: “whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”  Anonymisation & pseudonymisation techniques deletion/omission; substitution, aggregation, addition  As processing Big data analytics Paul Ohm: ‘Broken promises of privacy’ (2009)  Encrypted data What is “good enough”?
  11. 11. Regulated entities  Controllers, processors & sub-processors ‘determine purpose & means’ o Google Spain v AEPD (ECJ, May 2014) o Draft Regulation: Joint and severable liability  Cloud customer & provider(s) Customer’s data / metadata o Not even ‘processor’? o Infrastructure providers – IaaS, PaaS, SaaS  End to end accountability, not binary controller/processor?  eCommerce Directive (00/31/EC) approach? o Liability safe harbour: Mere conduit, hosting & caching
  12. 12. Applicable law  ‘Establishment’: corporate structure / operations Own data centre or 3rd party data centre in EEA? ‘in the context of the activities’ o Google Spain v AEPD (ECJ, May 2014)  ‘Equipment’ / ‘means’ and EEA data centre Use of EEA data centre by non-EEA customer or cloud provider o ‘Transit’ exception – ‘follow the sun’ Cloud support services
  13. 13. Data export  Can cloud customer control where its data are stored in the clouds?  It depends!  Sometimes no choice  Regions (but, what is contractual status?)  Sometimes locally by default  Within the EEA Lack of harmonisation Draft Regulation: ‘One-stop-shop’  Public cloud may not be appropriate for regulated data
  14. 14. ‘Where’: The way forward?  EEA Regional Cloud e.g. AWS Regions, Microsoft o e.g. ‘Schengen data area’ (ATOS) or ‘Schengen routing’ (DT)  Country of origin (intra EEA) Draft Regulation: ‘main establishment’  Targeting (extra EEA) Draft Regulation: Offering good & services or monitoring behaviour of EU residents  End-to-end accountability Technical: e.g. location of encryption keys Legal: e.g. model contracts & BCRs
  15. 15. Law enforcement access  Commercial secrecy and privacy threats From organised crime to law enforcement o The ‘Patriot Act’ problem  An exercise of powers Legality & enforceability  Questions of vires and regulatory boundaries Obligations to assist Jurisdictional reach o Search & seizure: Microsoft (2014) Evidential impact?
  16. 16. Dealing with law enforcement  Request recipients EU: ‘electronic communication services’ & ‘information society services’ o e.g. Yahoo! Belgium (2011) US: providers of ‘electronic communication services’ and ‘remote computing services’ (18 U.S.C. § 2703)  Obligations to assist Directive 02/58/EC, art. 5(1) & art. 15(1): interception o Existing capability or build obligation? Directive 06/24/EC: data retention o Digital Rights Ireland v Ireland (ECJ, April 2014) o UK: Data Retention and Investigatory Powers Bill
  17. 17. Law enforcement powers  Law enforcement access Data ‘at rest’ & ‘in transmission’ Obtaining data: Covert & coercive investigative techniques o ‘in its ‘possession or control’: Rackspace (2013), Verizon (2014)  ‘Exercising a power’ Permissible & impermissible conduct o e.g. entrapment  Expedited preservation, retention & delivery-up Obtaining authorisation o Judicial, executive or administrative
  18. 18. Law enforcement powers  Issues of legality & enforceability Executing the authorisation o e.g. Microsoft (2014) Recipient’s actions o e.g. Rackspace (2004)  Interference with rights ‘conditions and safeguards’ o Notification: Pre & Post o Oversight regime: ‘judicial or other independent supervision’ o Jurisdiction limitations
  19. 19. International co-operation  Mutual legal assistance From harmonisation to mutual recognition o Convention on Cybercrime o TFEU, art. 82: European Evidence Warrant & European Investigation Order  Informal co-operation with foreign LEAs Proactive disclosure & 24/7 networks  Direct liaison with foreign service providers Voluntary disclosures by cloud providers o e.g. Google ‘Transparency Report, Microsoft, Twitter, Vodafone o Cloud contractual provisions on disclosure  Engage directly with the material sought
  20. 20. Concluding remarks & questions?

    Sé el primero en comentar

    Inicia sesión para ver los comentarios

Vistas

Total de vistas

663

En Slideshare

0

De embebidos

0

Número de embebidos

1

Acciones

Descargas

8

Compartidos

0

Comentarios

0

Me gusta

0

×