Post on 18-Nov-2014
European Data Protection Supervisor
Cloud Computing Europe 2010, 1st March
Applying EU Data Protection to Cloud Computing
Rosa Barcelo
Legal adviser
European Data Protection Supervisor
Privacy risks in a nutshell
Privacy risks in a nutshell I
• Cloud computing from a privacy perspective:
─ Many cloud applications for consumers
─ Terabytes of data (some sensitive)
─ Stored in centres around the world
• Risks:
Privacy risks in a nutshell II
– Security glitches (unintended)
– Hacking
– Risk of use of data for unrelated purposes
– Accessibility restrictions (losing control)
– Data stored in countries with poor data protection laws
– Wiretapping by Governments
Application of EU data protection legislation
Application of EU data protection legislation I
• If Directives apply, cloud provider must (if it is “controller”):
─ Ensure the security of the data and subsequent responsibility (Art 17)
─ Provide information to individuals (Art 10)
Application of EU data protection legislation II
─ Application of the purpose limitation principle (Article 6)
─ Restriction on international data transfers (Arts 25 and 26)
─ Retention principle (Art 6)
─ Access rights (Art 14)
Application of EU data protection legislation III
• Responsibilities if cloud computing provider fails to fulfill its obligations
• Authorities have enforcement powers
• Sanctions
Challenges and gaps in EU data protection legislation
The Challenges I
• Is the cloud provider a data controller or a processor?
– The responsibilities are different;
– Probably, processor but it will depend on the circumstances;
The Challenges II
• Determining whether the Directives apply:
─ Controller is established in the EU
─ Controller not established in the EU but uses equipment located in the EU for the processing of personal data
The Challenges III
• Compliance with provisions on international data transfers:
– Is it a data transfer? (Bodil Lindqvist)
– Notification to authorities
– Safe Harbour and adequacy findings
– Putting contracts in place
– BCRs & others
• Difficult to apply the rules in the case of multiple transfers, which is often the case
The Challenges & Gaps IV
• If cloud client is an individual using the cloud for private purposes (e.g. calendar, storing pictures):
– Similar to Picasa;
– Does the Directive apply at all? Is there a lacuna and thus a lack of protection?
– What are the responsibilities of the cloud provider in such cases?
The Challenges & Gaps V
• WP 29 expected guidance
• Changes in the Data Protection Directive
─ New principles: Privacy by design, accountability
─ Updated rules on international data transfers
─ Specific rules for cloud computing?
Conclusions
• When engaging in cloud computing one must:
─ Be aware of EU legislation on data protection & ensure compliance:
─ Be aware that application may be “tricky” (international transfers).
• Hope for solutions:
─ WP 29 guidance
─ Changes of the Directive? As part of a broader attempt to solve other (wider) problems
Questions?