Ian Walden - Data protection in cloud computing

Privacy, Data Protection and Cloud Computing

16 July 2014

Professor Ian Walden, Centre for Commercial Law Studies, Queen Mary, University of London

www.cloudlegal.ccls.qmul.ac.uk

Presentation at the OII Doctoral Summer School

Introductory remarks

Understanding privacy and data protection laws

Understanding cloud computing

Personal data

Controllers, processors & others?

Location, location, location

Law enforcement access

Privacy laws

Different cultural values and practices: identity, autonomy, personal development, establishing & developing relationships, reputation, democracy…

A constellation of legal rights: constitutional, statutory, tortious, equitable, proprietary…

o Charter, art. 7: “Everyone has the right to respect for his or her private and family life, home and communications”

Private (and public) realms: ‘reasonable expectation of privacy’

o e.g. Gmail

Permitted interferences: e.g. national security, protection of the rights of others

Data protection laws

Responding to the capabilities of ICTs: Council of Europe Convention 1981

o Processing principles: data quality & data subject rights

EU Directives 95/46/EC & 02/58/EC

o Charter, Article 8:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

Draft Regulation

o Implications for cloud

Cloud computing?

‘X as a Service’: SaaS, PaaS, IaaS...

Flexible, location-independent (-ish), on-demand, shared, virtualised

Cloud multi-layered ecosystem: service providers, cloud infrastructure providers

o Amazon Web Services

Communication providers

Deployment models: public, private, community & hybrid

Virtualisation and abstraction

Hypervisor or Virtual Machine Monitor

Physical server / host OS: (shared) processor, memory, network, storage

Linux, Unix, Windows…

Possible architectures: cloud layers or “stack”

[Figure: NIST diagram of possible cloud architectures. Every stack rests on Cloud Infrastructure. IaaS architecture: Cloud Infrastructure + IaaS. PaaS architectures: Cloud Infrastructure + IaaS + PaaS, or Cloud Infrastructure + PaaS. SaaS architectures: Cloud Infrastructure + IaaS + PaaS + SaaS, Cloud Infrastructure + PaaS + SaaS, or Cloud Infrastructure + SaaS.]

From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt

Deployment models: private, community, public and hybrid clouds…

Key features relevant to data protection law

Distributed storage: ‘sharding’, ‘chunking’ & ‘partitioning’

Data replication: for performance, availability, back-up & redundancy

Data deletion

System & service design: cloud supply chain / “stack”

Ancillary services, e.g. apps integration

Resources: shared, third party

‘Personal data’ in the clouds

‘identified or identifiable natural person…’; ‘sensitive data’

o Recital 26: “whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”

Anonymisation & pseudonymisation techniques: deletion/omission; substitution; aggregation; addition

As processing: big data analytics

o Paul Ohm, ‘Broken Promises of Privacy’ (2009)

Encrypted data: what is “good enough”?
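The four techniques named on this slide, and the Recital 26 test of what a motivated party can do to re-identify, are easier to see in code. The following is an added example and not part of the slides: it applies deletion/omission, substitution, aggregation and addition to a constructed record set, measures the result with a k-anonymity check, and shows why an unkeyed hash is not a pseudonym (it can be reversed by enumerating plausible inputs) while a keyed HMAC pseudonym cannot be reversed without the separately held key. The field names, records and key are invented for illustration.

```python
"""Anonymisation and pseudonymisation techniques on a constructed dataset.

Added example (not from the slides).  Implements deletion/omission,
substitution, aggregation and addition, plus a k-anonymity check and a
re-identification attempt by enumeration.  All records are invented.
"""
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample records; people, addresses and diagnoses are invented.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "E1 4NS", "age": 34, "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "E1 6AN", "age": 31, "diagnosis": "diabetes"},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "SW1A 1AA", "age": 52, "diagnosis": "asthma"},
    {"name": "Dan Example", "email": "dan@example.org", "postcode": "SW1A 2AA", "age": 58, "diagnosis": "migraine"},
]

QUASI_IDENTIFIERS = ("postcode", "age")  # fields that identify in combination


def omit(record, fields):
    """Deletion/omission: drop direct identifiers entirely."""
    return {k: v for k, v in record.items() if k not in fields}


def unkeyed_hash(value):
    """Often mistaken for a pseudonym: a plain SHA-256 of the value."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def pseudonymise(value, key):
    """Substitution: keyed pseudonym (HMAC-SHA256).  The key is the
    'additional information' that must be held apart from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalise_postcode(postcode):
    """Aggregation: keep only the outward code ('E1 4NS' -> 'E1')."""
    return postcode.split()[0]


def generalise_age(age, width=10):
    """Aggregation: replace an exact age by a band such as '30-39'."""
    low = age - age % width
    return f"{low}-{low + width - 1}"


def add_noise(count, rng, scale=1):
    """Addition: perturb a released count by a small random offset.
    (Production systems use calibrated noise, e.g. differential privacy.)"""
    return count + rng.choice([-scale, 0, scale])


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values;
    k == 1 means at least one record is unique on those fields."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def anonymise(records, key):
    """Omission + keyed substitution + aggregation, applied to every record."""
    out = []
    for r in records:
        cleaned = omit(r, {"name"})
        cleaned["email"] = pseudonymise(r["email"], key)
        cleaned["postcode"] = generalise_postcode(r["postcode"])
        cleaned["age"] = generalise_age(r["age"])
        out.append(cleaned)
    return out


def reverse_by_enumeration(target, candidates, transform):
    """Re-identification: try each plausible input until one matches.
    Works against unkeyed_hash; fails against pseudonymise without the key."""
    for candidate in candidates:
        if transform(candidate) == target:
            return candidate
    return None


def diagnosis_counts(records, seed=0):
    """Release per-diagnosis counts with additive noise (seeded for replay)."""
    rng = random.Random(seed)
    counts = Counter(r["diagnosis"] for r in records)
    return {d: add_noise(c, rng) for d, c in counts.items()}


if __name__ == "__main__":
    key = b"kept-in-a-separate-key-store"  # assumption: stored apart from the data
    print("k before:", k_anonymity(RECORDS))   # every record unique -> 1
    released = anonymise(RECORDS, key)
    print("k after:", k_anonymity(released))   # two per (outward code, age band) -> 2
    emails = [r["email"] for r in RECORDS]
    print("unkeyed reversed:", reverse_by_enumeration(unkeyed_hash(emails[0]), emails, unkeyed_hash))
    print("keyed, wrong key:", reverse_by_enumeration(released[0]["email"], emails,
                                                      lambda v: pseudonymise(v, b"guess")))
    print("noisy counts:", diagnosis_counts(RECORDS))
```

Note that generalisation alone only reaches k = 2 on four records; in practice the bands are widened until every quasi-identifier combination is shared by a chosen minimum number of people, and the pseudonymisation key is kept under a different controller or in a separate system so that the released set is not "identifiable" by the means the recipient actually has.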

Regulated entities

Controllers, processors & sub-processors: ‘determine purpose & means’

o Google Spain v AEPD (ECJ, May 2014)

o Draft Regulation: joint and several liability

Cloud customer & provider(s): customer’s data / metadata

o Not even ‘processor’?

o Infrastructure providers – IaaS, PaaS, SaaS

End-to-end accountability, not binary controller/processor?

eCommerce Directive (00/31/EC) approach?

o Liability safe harbour: Mere conduit, hosting & caching

Applicable law

‘Establishment’: corporate structure / operations

o Own data centre or 3rd-party data centre in the EEA?

‘in the context of the activities’

o Google Spain v AEPD (ECJ, May 2014)

‘Equipment’ / ‘means’ and EEA data centre: use of an EEA data centre by a non-EEA customer or cloud provider

o ‘Transit’ exception: ‘follow the sun’ cloud support services

Data export: can the cloud customer control where its data are stored in the clouds? It depends!

o Sometimes no choice

o Regions (but what is their contractual status?)

o Sometimes locally by default

Within the EEA: lack of harmonisation

o Draft Regulation: ‘one-stop shop’

Public cloud may not be appropriate for regulated data

‘Where’: The way forward?

EEA regional cloud: e.g. AWS Regions, Microsoft

o e.g. ‘Schengen data area’ (ATOS) or ‘Schengen routing’ (DT)

Country of origin (intra-EEA)

o Draft Regulation: ‘main establishment’

Targeting (extra-EEA)

o Draft Regulation: offering goods & services to, or monitoring the behaviour of, EU residents

End-to-end accountability

o Technical: e.g. location of encryption keys

o Legal: e.g. model contracts & BCRs
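The technical side of end-to-end accountability, the location of the encryption keys, connects back to the earlier slide on distributed storage, replication and deletion. The following is an added example and not part of the slides: each data subject's records are encrypted under a per-subject key held in a key store the customer controls (and can place in a region of its choosing), while the ciphertext is sharded and replicated by the provider. A naive delete removes one copy and leaves the replicas readable; destroying the key makes every copy unreadable at once, wherever it sits. The cipher is an HMAC-SHA256 counter-mode keystream so the example runs with the standard library alone; a deployment would use an authenticated cipher such as AES-GCM. Class and function names, identifiers and data are invented for illustration.

```python
"""Crypto-shredding: deletion in a sharded, replicated store by key destruction.

Added example (not from the slides).  The customer-held KeyStore stands for a
key service in a chosen jurisdiction; ReplicatedStore stands for the provider's
storage.  The HMAC-SHA256 counter-mode keystream is used only so the example
runs offline without third-party packages.  All names and data are invented.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key, nonce, length):
    """PRF keystream: concatenate HMAC(key, nonce || counter) blocks, truncate."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Fresh random nonce per message; output = nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class KeyStore:
    """Per-subject keys, held by the customer (e.g. an HSM in an EEA region).
    The provider holding the ciphertext never sees them."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def has(self, subject_id):
        return subject_id in self._keys

    def shred(self, subject_id):
        self._keys.pop(subject_id, None)


class ReplicatedStore:
    """Provider-side ciphertext store: each record hashes to a shard and is
    written to every replica of that shard."""

    def __init__(self, shards=3, replicas=2):
        self._shards = [[{} for _ in range(replicas)] for _ in range(shards)]

    def _shard(self, subject_id):
        return int(hashlib.sha256(subject_id.encode()).hexdigest(), 16) % len(self._shards)

    def put(self, subject_id, blob):
        for replica in self._shards[self._shard(subject_id)]:
            replica[subject_id] = blob

    def get(self, subject_id, replica=0):
        return self._shards[self._shard(subject_id)][replica].get(subject_id)

    def naive_delete(self, subject_id):
        """Delete from the primary replica only: what a 'delete' amounts to
        until replicas, backups and caches catch up, if they ever do."""
        self._shards[self._shard(subject_id)][0].pop(subject_id, None)

    def copies(self, subject_id):
        """Number of ciphertext copies still present anywhere."""
        return sum(subject_id in r for shard in self._shards for r in shard)


def store_record(keys, store, subject_id, plaintext):
    store.put(subject_id, encrypt(keys.key_for(subject_id), plaintext))


def read_record(keys, store, subject_id, replica=0):
    """Plaintext, or None if either the ciphertext or the key is gone."""
    blob = store.get(subject_id, replica)
    if blob is None or not keys.has(subject_id):
        return None
    return decrypt(keys.key_for(subject_id), blob)


def erase_subject(keys, store, subject_id):
    """Crypto-shred: destroy the key; every replica and backup of the
    ciphertext becomes unreadable without touching the provider's copies."""
    keys.shred(subject_id)


if __name__ == "__main__":
    keys, store = KeyStore(), ReplicatedStore()
    store_record(keys, store, "subject-42", b"Alice Example, E1 4NS, asthma")
    print("copies:", store.copies("subject-42"))
    store.naive_delete("subject-42")
    print("replica 1 after naive delete:", read_record(keys, store, "subject-42", replica=1))
    erase_subject(keys, store, "subject-42")
    print("replica 1 after shredding:", read_record(keys, store, "subject-42", replica=1))
    print("ciphertext copies remaining:", store.copies("subject-42"))
```

The design choice worth noting is that the deletion guarantee depends on the key store, not on the storage layer, so the customer can answer "where is my data" with "wherever the provider replicates it, but it is only personal data where the keys are", and can evidence erasure by showing the key no longer exists.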

Law enforcement access

Commercial secrecy and privacy threats: from organised crime to law enforcement

o The ‘Patriot Act’ problem

An exercise of powers: legality & enforceability

Questions of vires and regulatory boundaries

Obligations to assist

Jurisdictional reach

o Search & seizure: Microsoft (2014)

Evidential impact?

Dealing with law enforcement

Request recipients

EU: ‘electronic communication services’ & ‘information society services’

o e.g. Yahoo! Belgium (2011)

US: providers of ‘electronic communication services’ and ‘remote computing services’ (18 U.S.C. § 2703)

Obligations to assist

Directive 02/58/EC, art. 5(1) & art. 15(1): interception

o Existing capability or build obligation?

Directive 06/24/EC: data retention

o Digital Rights Ireland v Ireland (ECJ, April 2014)

o UK: Data Retention and Investigatory Powers Bill

Law enforcement powers

Law enforcement access: data ‘at rest’ & ‘in transmission’

Obtaining data: covert & coercive investigative techniques

o ‘in its possession or control’: Rackspace (2013), Verizon (2014)

‘Exercising a power’: permissible & impermissible conduct

o e.g. entrapment

Expedited preservation, retention & delivery-up

Obtaining authorisation

o Judicial, executive or administrative

Law enforcement powers

Issues of legality & enforceability

Executing the authorisation

o e.g. Microsoft (2014)

Recipient’s actions

o e.g. Rackspace (2004)

Interference with rights: ‘conditions and safeguards’

o Notification: pre & post

o Oversight regime: ‘judicial or other independent supervision’

o Jurisdiction limitations

International co-operation

Mutual legal assistance: from harmonisation to mutual recognition

o Convention on Cybercrime

o TFEU, art. 82: European Evidence Warrant & European Investigation Order

Informal co-operation with foreign LEAs: proactive disclosure & 24/7 networks

Direct liaison with foreign service providers: voluntary disclosures by cloud providers

o e.g. Google ‘Transparency Report’, Microsoft, Twitter, Vodafone

o Cloud contractual provisions on disclosure

Engage directly with the material sought

Concluding remarks & questions?