Webinar Cloud Edps

European Data Protection Supervisor, Cloud Computing Europe 2010, 1st March: Applying EU Data Protection to Cloud Computing. Rosa Barcelo, Legal adviser, European Data Protection Supervisor

Cloud Computing Europe Day 1 EDPS Presentation

Page 1: Webinar Cloud Edps

European Data Protection Supervisor

Cloud Computing Europe 2010, 1st March

Applying EU Data Protection

to Cloud Computing

Rosa Barcelo

Legal adviser

European Data Protection Supervisor

Page 2: Webinar Cloud Edps


Privacy risks in a nutshell

Page 3: Webinar Cloud Edps


Privacy risks in a nutshell I

• Cloud computing from a privacy perspective:

─ Many cloud applications for consumers

─ Terabytes of data (some sensitive)

─ Stored in centres around the world

• Risks:

Page 4: Webinar Cloud Edps


Privacy risks in a nutshell II

– Security glitches (unintended)

– Hacking

– Risk of use of data for unrelated purposes

– Accessibility restrictions (losing control)

– Data stored in countries with poor data protection laws

– Wiretapping by Governments

Page 5: Webinar Cloud Edps


Application of EU data protection legislation

Page 6: Webinar Cloud Edps


Application of EU data protection legislation I

• If the Directives apply, the cloud provider must (if it is the “controller”):

─ Ensure the security of the data and bear the responsibility that goes with it (Art 17)

─ Provide information to individuals (Art 10)

Page 7: Webinar Cloud Edps


Application of EU data protection legislation II

─ Apply the purpose limitation principle (Art 6)

─ Respect the restrictions on international data transfers (Arts 25 and 26)

─ Apply the retention principle (Art 6)

─ Honour access rights (Art 12)

Page 8: Webinar Cloud Edps


Application of EU data protection legislation III

• Responsibilities if the cloud computing provider fails to fulfil its obligations

• Authorities have enforcement powers

• Sanctions

Page 9: Webinar Cloud Edps


Challenges and gaps in EU data protection legislation

Page 10: Webinar Cloud Edps


The Challenges I

• Is the cloud provider a data controller or a processor?

– The responsibilities are different;

– Probably a processor, but it will depend on the circumstances;

Page 11: Webinar Cloud Edps


The Challenges II

• Determining whether the Directives apply:

─ Controller is established in the EU

─ Controller not established in the EU but uses equipment located in the EU for the processing of personal data

Page 12: Webinar Cloud Edps


The Challenges III

• Compliance with provisions on international data transfers:

– Is it a data transfer? (Bodil Lindqvist)

– Notification to authorities

– Safe Harbour and adequacy findings

– Putting contracts in place

– BCRs (binding corporate rules) & others

• Difficult to apply the rules in the case of multiple transfers, which is often the case

Page 13: Webinar Cloud Edps


The Challenges & Gaps IV

• If the cloud client is an individual using the cloud for private purposes (e.g. calendar, storing pictures):

– Similar to Picasa;

– Does the Directive apply at all? Is there a lacuna and thus a lack of protection?

– What are the responsibilities of the cloud provider in such cases?

Page 14: Webinar Cloud Edps


The Challenges & Gaps V

• WP 29 (Article 29 Working Party) expected guidance

• Changes in the Data Protection Directive

─ New principles: privacy by design, accountability

─ Updated rules on international data transfers

─ Specific rules for cloud computing?

Page 15: Webinar Cloud Edps


Conclusions

• When engaging in cloud computing one must:

─ Be aware of EU legislation on data protection & ensure compliance;

─ Be aware that its application may be “tricky” (international transfers).

• Hope for solutions:

─ WP 29 guidance

─ Changes to the Directive? As part of a broader attempt to solve other (wider) problems

Page 16: Webinar Cloud Edps


Questions?