Day1 1415 Plenary Keynote HawkesBilly

7/30/2019 Day1 1415 Plenary Keynote HawkesBilly

1/18

Data Protection in the

Cloud unclouding theIssues

Billy HawkesIrish Data Protection Commissioner

Cloud Security AllianceFrankfurt, 9 May 2012


2/18

Back to the Future.?

Data Controller to Data Processor(Cloud)


3/18

The Cloud What are theData Protection Issues? Security of Personal Data Location of Personal Data

Access to Personal Data


4/18

What is Personal Data? any information relating to an

identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified,directly or indirectly, in particular by

reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Data Protection Directive 95/46/EC, A2)


5/18

Who is Responsible? The Data Controller ( the natural or legal

person, public authority, agency or any otherbody which alone or jointly with othersdetermines the purposes and means of theprocessing of personal data)

Data Controller remains responsible if dataoutsourced to Data Processor ( a personwho processes personal data on behalf of adata controller)

Cloud Provider
http://www.europa.eu.int/abc/symbols/emblem/index_en.htm


6/18

What Responsibilities? Transparency (A. 10,11)adequate information

Process fairly & lawfully(A.6)

Consent, contract, legal obligation, vital interests,public interest task, legitimate

interests (A.7) Specified , explicit and

legitimate purpose (A.6) Adequate, Relevant &

not excessive (A. 6)

Accurate, up-to-date (A.6) Retain for no longer

than is necessary (A.6)

Right of Access (A. 12) Data Security (A. 17)

Intl. Transfers

Right to Object (A. 14)Marketing, Other

Restrictions on AutomatedDecisions (A. 15)
http://www.europa.eu.int/abc/symbols/emblem/index_en.htm


7/18

What Security Obligations? ..Appropriate technical and organizational

measures to protect personal data againstaccidental or unlawful destruction or accidental loss,alteration, unauthorized disclosure or access, inparticular where the processing involves thetransmission of data over a network, and against allother unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure alevel of security appropriate to the risksrepresented by the processing and the nature of the data to be protected.

(Data Protection Directive, A17)


8/18

Outsourcing Obligations? . The controller must, where processing is carried

out on his behalf, choose a processor providingsufficient guarantees in respect of the technicalsecurity measures and organizational measuresgoverning the processing to be carried out, andmust ensure compliance with those measures

..governed by a contract or legal act binding the processor tothe controller and stipulating in particular that- the processorshall act only on instructions from the controller

- the (security) obligations set out in paragraph 1, asdefined by the law of the Member State in which the processoris established, shall also be incumbent on the processor .
http://images.google.ie/imgres?imgurl=http://agora.ex.nii.ac.jp/digital-typhoon/latest/globe/2048x2048/ir.jpg&imgrefurl=http://agora.ex.nii.ac.jp/digital-typhoon/&h=2048&w=2048&sz=2696&tbnid=7OtjpJiqgRsJ:&tbnh=150&tbnw=150&prev=/images%3Fq%3Dglobe%26hl%3Den%26lr%3D&oi=imagesr&start=1http://www.europa.eu.int/abc/symbols/emblem/index_en.htm


9/18

Location of Personal Data? OK if transferred within EU/EEA. Also OK if:

To Approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [Safe Harborites & PNR data only] [soon New Zealand and Uruguay]

Covered by Model Contracts or Binding Corporate Rules (BCRs)

Article 26 (1) Exceptions (contract requirements etc)
http://images.google.ie/imgres?imgurl=http://agora.ex.nii.ac.jp/digital-typhoon/latest/globe/2048x2048/ir.jpg&imgrefurl=http://agora.ex.nii.ac.jp/digital-typhoon/&h=2048&w=2048&sz=2696&tbnid=7OtjpJiqgRsJ:&tbnh=150&tbnw=150&prev=/images%3Fq%3Dglobe%26hl%3Den%26lr%3D&oi=imagesr&start=1http://www.europa.eu.int/abc/symbols/emblem/index_en.htm


10/18

New EU Law: DataControllers Privacy by Design

Privacy Impact Assessments Data Portability Right to be Forgotten

Requirement for retention policy

On request, delete unless clash with other rights (freedom of expression etc) Strengthened Data Security

Data Breach Notification


11/18

New EU Law: Data Processors

More prescriptive Obligations :Documentation Data Protection Officer Cooperation with DPA

International Transfers:BCRs for Processors Contractual Clauses (as for Controllers)


12/18

Data Security in The Cloud .the clouds economies of scale and flexibility

are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost- effective

European Network and Information Security Agency (ENISA) Report on Cloud Computing, November 2009 http://www.enisa.europa.eu/act/rm/files/deliverables/cloud- computing-risk-assessment


13/18

Data Protection Challenge Cloud computing poses several data protection risks

for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g.,between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g.,SAS70 certification

ENISA Report, November 2009


14/18

Challenges for Outsourcer Are you satisfied your data will be secure in the

cloud? security certification: ISO 27001, SAS 70/SSAE 16 Access controls, data recoverability, data breaches Right to Audit

Location of Data (inside or outside EEA) Does your contract with the CP give yousufficient control?

Ultimately, you can outsource responsibility but you can't outsource accountability (ENISA)


15/18

Challenges for Cloud Provider

Are you willing to take on the separate datasecurity obligations under EU Data ProtectionLaw?

Is this reflected in your contracts? Are you willing to accommodate EU restrictions

on international data transfers?Clarity on location of data?


16/18

Data Protection Guidance: Sopot Memorandum (1)

Recommendations of International Working Group on Data Protection in Telecommunications (Berlin Group): WorkingPaper on Cloud Computing, April 2012

http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083

EU Working Party 29 Guidance soon
http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083


17/18

Sopot Memorandum (2) Data Controllers : carry out privacy impact

and privacy assessments Cloud Providers : greater transparency,

security and accountability:More information on potential data security breaches more balanced contractual clauses to promote data portability and data control by cloud users


18/18

Thank YouOffice of the Data Protection CommissionerCanal HouseStation RoadPortarlington

Co LaoisPhone: LoCall 1890 252231057 8684800

Fax: 057 8684757Email: [email protected]: www.dataprotection.ie

Day1 1415 Plenary Keynote HawkesBilly

Documents

Transcript of Day1 1415 Plenary Keynote HawkesBilly