Post on 28-Nov-2014
Privacy, Data Protection and Cloud Computing
16 July 2014
Professor Ian Walden
Centre for Commercial Law Studies, Queen Mary, University of London
www.cloudlegal.ccls.qmul.ac.uk
Presentation at the OII Doctoral Summer School
Introductory remarks
Understanding privacy and data protection laws
Understanding cloud computing
Personal data
Controllers, processors & others?
Location, location, location
Law enforcement access
Privacy laws
Different cultural values and practices: identity, autonomy, personal development, establishing and developing relationships, reputation, democracy…
A constellation of legal rights: constitutional, statutory, tortious, equitable, proprietary…
o Charter, art. 7: “Everyone has the right to respect for his or her private and family life, home and communications”
Private (and public) realms: ‘reasonable expectation of privacy’
o e.g. Gmail
Permitted interferences: e.g. national security, protection of the rights of others
Data protection laws
Responding to the capabilities of ICTs
Council of Europe Convention 1981
o Processing principles: data quality & data subject rights
EU Directives 95/46/EC & 02/58/EC
o Charter, Article 8:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Draft Regulation
o Implications for cloud
Cloud computing?
‘X as a Service’: SaaS, PaaS, IaaS...
Flexible, location-independent (-ish), on-demand, shared, virtualised
Cloud multi-layered ecosystem: service providers, cloud infrastructure providers, communication providers
o e.g. Amazon Web Services
Deployment models: public, private, community & hybrid
Virtualisation and abstraction
Hypervisor or Virtual Machine Monitor
Physical server / host OS: (shared) processor, memory, network, storage
Linux, Unix, Windows…
Possible architectures: cloud layers or “stack”
[Diagram: layered stacks (Cloud Infrastructure, IaaS, PaaS, SaaS) shown as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) architectures]
From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Key features relevant to data protection law
Distributed storage: ‘sharding’, ‘chunking’ & ‘partitioning’
Data replication: for performance, availability, back-up & redundancy
Data deletion
System & service design: cloud supply chain (“stack”)
Ancillary services, e.g. apps integration
Resources: shared, third party
‘Personal data’ in the clouds
‘identified or identifiable natural person…’; ‘sensitive data’
o Recital 26: “whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
Anonymisation & pseudonymisation techniques: deletion/omission, substitution, aggregation, addition
o Anonymisation as processing
o Big data analytics
o Paul Ohm: ‘Broken promises of privacy’ (2009)
Encrypted data: what is “good enough”?
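Three of the techniques named above (omission, substitution and aggregation) applied to a constructed patient list, as an added example that is not part of the presentation; the k-anonymity count is a practical proxy for the Recital 26 question of whether a record is still identifiable by ‘means likely reasonably to be used’, here linkage on postcode and birth year. The records, field names and key are all invented for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people). 'name' is a direct identifier;
# 'postcode' and 'birth_year' are quasi-identifiers that another dataset could be
# linked on, which is what makes "anonymised" data re-identifiable in practice.
RECORDS = [
    {"name": "Ann Doe", "postcode": "E1 4NS", "birth_year": 1971, "diagnosis": "asthma"},
    {"name": "Bo Roe",  "postcode": "E1 4NS", "birth_year": 1978, "diagnosis": "diabetes"},
    {"name": "Cy Poe",  "postcode": "E1 4NS", "birth_year": 1979, "diagnosis": "asthma"},
    {"name": "Di Moe",  "postcode": "E1 7HT", "birth_year": 1983, "diagnosis": "asthma"},
    {"name": "Ed Coe",  "postcode": "E1 6AN", "birth_year": 1988, "diagnosis": "diabetes"},
]
QUASI_IDS = ("postcode", "birth_year")

def omit(records, fields):
    """Deletion/omission: drop the named fields (direct identifiers) entirely."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]

def pseudonymise(records, key):
    """Substitution: replace the name with a keyed pseudonym (HMAC-SHA256, truncated).
    Whoever holds the key can re-link the pseudonym to the person, so the output is
    pseudonymous data, which remains personal data, not anonymous data."""
    def pseudonym(value):
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return [{**r, "name": pseudonym(r["name"])} for r in records]

def aggregate(records):
    """Aggregation/generalisation: coarsen quasi-identifiers so that several
    people share each value (postcode to outward code, birth year to decade)."""
    return [{**r, "postcode": r["postcode"].split()[0],
             "birth_year": r["birth_year"] // 10 * 10} for r in records]

def k_anonymity(records, quasi_ids):
    """Size of the smallest group of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on those fields and so linkable."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def anonymise(records):
    """Omission plus aggregation; re-check k afterwards rather than assuming success."""
    return aggregate(omit(records, {"name"}))
```

Even after aggregation the check should be rerun on every release, since the diagnosis column still allows inference within a small group.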
Regulated entities
Controllers, processors & sub-processors: ‘determine purpose & means’
o Google Spain v AEPD (ECJ, May 2014)
o Draft Regulation: joint and several liability
Cloud customer & provider(s)
Customer’s data / metadata
o Not even ‘processor’?
o Infrastructure providers: IaaS, PaaS, SaaS
End-to-end accountability, not binary controller/processor?
eCommerce Directive (00/31/EC) approach?
o Liability safe harbour: mere conduit, hosting & caching
Applicable law
‘Establishment’: corporate structure / operations
Own data centre or 3rd party data centre in EEA?
‘in the context of the activities’
o Google Spain v AEPD (ECJ, May 2014)
‘Equipment’ / ‘means’ and EEA data centre
Use of EEA data centre by non-EEA customer or cloud provider
o ‘Transit’ exception: ‘follow the sun’ cloud support services
Data export
Can the cloud customer control where its data are stored in the clouds? It depends!
Sometimes no choice
Regions (but what is their contractual status?)
Sometimes locally by default
Within the EEA: lack of harmonisation
Draft Regulation: ‘one-stop-shop’
Public cloud may not be appropriate for regulated data
‘Where’: The way forward?
EEA Regional Cloud: e.g. AWS Regions, Microsoft
o e.g. ‘Schengen data area’ (ATOS) or ‘Schengen routing’ (DT)
Country of origin (intra EEA): Draft Regulation: ‘main establishment’
Targeting (extra EEA): Draft Regulation: offering goods & services to, or monitoring the behaviour of, EU residents
End-to-end accountability
Technical: e.g. location of encryption keys
Legal: e.g. model contracts & BCRs
Law enforcement access
Commercial secrecy and privacy threats: from organised crime to law enforcement
o The ‘Patriot Act’ problem
An exercise of powers: legality & enforceability
Questions of vires and regulatory boundaries
Obligations to assist
Jurisdictional reach
o Search & seizure: Microsoft (2014)
Evidential impact?
Dealing with law enforcement
Request recipients
EU: ‘electronic communication services’ & ‘information society services’
o e.g. Yahoo! Belgium (2011)
US: providers of ‘electronic communication services’ and ‘remote computing services’ (18 U.S.C. § 2703)
Obligations to assist
Directive 02/58/EC, art. 5(1) & art. 15(1): interception
o Existing capability or build obligation?
Directive 06/24/EC: data retention
o Digital Rights Ireland v Ireland (ECJ, April 2014)
o UK: Data Retention and Investigatory Powers Bill
Law enforcement powers
Law enforcement access
Data ‘at rest’ & ‘in transmission’
Obtaining data: covert & coercive investigative techniques
o ‘in its possession or control’: Rackspace (2013), Verizon (2014)
‘Exercising a power’: permissible & impermissible conduct
o e.g. entrapment
Expedited preservation, retention & delivery-up
Obtaining authorisation
o Judicial, executive or administrative
Law enforcement powers
Issues of legality & enforceability
Executing the authorisation
o e.g. Microsoft (2014)
Recipient’s actions
o e.g. Rackspace (2004)
Interference with rights: ‘conditions and safeguards’
o Notification: pre & post
o Oversight regime: ‘judicial or other independent supervision’
o Jurisdiction limitations
International co-operation
Mutual legal assistance: from harmonisation to mutual recognition
o Convention on Cybercrime
o TFEU, art. 82: European Evidence Warrant & European Investigation Order
Informal co-operation with foreign LEAs: proactive disclosure & 24/7 networks
Direct liaison with foreign service providers
Voluntary disclosures by cloud providers
o e.g. Google ‘Transparency Report’, Microsoft, Twitter, Vodafone
o Cloud contractual provisions on disclosure
Engage directly with the material sought