Privacy & Compliance Issues with Cloud Computing (in Theory and Practice)
Johan Vandendriessche
24 March 2011
Some key concepts: Cloud Computing (by layer)
• SaaS: Salesforce.com, Google Docs, Gmail
• PaaS: Google App Engine, Microsoft Azure Platform, Oracle/AWS
• IaaS: Amazon Web Services, FlexiScale
Some key concepts: Cloud Computing (by type)

Type               | Managed by             | Ownership of infrastructure | Dedicated hardware
Public             | Cloud Service Provider | Cloud Service Provider      | No
Private, external  | Cloud Service Provider | Cloud Service Provider      | Yes
Private, internal  | Internal Organization  | Internal Organization       | Yes
Hybrid             | Mixed                  | Mixed                       | Depends on the contract with the CSP

Source: J. Ruiter and M. Warnier, Privacy Regulations for Cloud Computing – Compliance and Implementation in Theory and Practice.
Some key concepts: Compliance and Privacy
• Compliance
  - Strict sense: “conforming to a rule, such as a specification, policy, standard or law”
  - Tendency to include operational risks in regulations, thereby extending the notion of ‘compliance’ to certain operational risk assessments, e.g. MiFID and the CBFA Circular Letter PPB 2004/5 on good practices in relation to outsourcing by financial institutions and investment companies
• Privacy (Data Protection)
  - Set of limitations in relation to the processing of ‘personal data’
  - Essential compliance obligation!
Importance of data protection compliance
• UK: fine of 2.275.000 £ imposed by the FSA on Zurich Insurance Company due to data loss by a service provider (outsourced data processing)
  - Data loss related to 46.000 clients due to an unencrypted backup tape
  - No evidence that the data had been misused or compromised, but it was clear that Zurich had no effective data protection systems in place, nor systems to manage the risks to the security of customer data resulting from the outsourcing arrangement
• Germany: fine of 1.100.000 EUR imposed by the Berlin DPA on Deutsche Bahn
  - Screening of employee and supplier data to combat corruption
  - Monitoring of communication sent by employees via external e-mail accounts
• France: regular fines by the CNIL
Scope of Data Protection Law
• Limitations in relation to the processing of personal data
• Personal data: “any information in relation to an identified or identifiable physical person […]”
  - Very broad legal interpretation of the concept of personal data
  - Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: “any operation or set of operations which is performed upon personal data […]”
• Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
  - Data controller
  - Data processor (“service provider”)
Principles of Data Protection Law
• Processing of personal data is prohibited, unless allowed by the Data Protection Law
• The data processing must comply with specific principles:
  - Proportionality
  - Purpose limitation
  - Limited in time
  - (Individual and collective) Transparency
  - Data quality
  - Data security
  - (Individual and collective) Enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered
Security Obligations
• Security obligation
  - General obligation
  - Specific obligations
  - Obligations in relation to the use of data processors
• The Belgian Data Protection Commission has issued a list of security measures that can be implemented (‘Reference Measures’)
  - Description of 10 information security measures
  - Based on the ISO 27000 series
Security Obligations
• General obligation to implement security measures
  - Technical measures: user access management, IT security (anti-virus, firewall, …), fire prevention measures
  - Organizational measures: data categorization (confidentiality level), employee policies
• Protection against any unauthorized processing
• Adequate level of protection, taking into account:
  - Available technology and costs
  - Nature of the concerned personal data and the potential risks
• Both types of measures are interchangeable
Data Processing by Service Providers
• Data processing operations are often carried out by service providers (“data processors”)
• Security measures in case of data processors
  - Choice of data processor (quality requirement)
  - Security measures must be contractually imposed & verified
  - Determine the extent of liability of the data processor
    · Data controller is subject to strict liability
    · Data controller can be held liable for the acts of the data processor
  - Limit the mission of the data processor
  - Conclude a written data processing agreement (paper document or electronic document)
Cloud Service Providers (CSP)
• A Cloud Service Provider (CSP) is generally a ‘data processor’
• Cloud Computing agreements: standard ‘click-wrap’ agreements
  - Generally considered valid under Belgian law in a B2B context
  - Meets the requirements of ‘electronic medium’ in data protection legislation
• Security measures must be imposed and audited
  - Issue: how to audit security measures in a Cloud setting? Potentially multinational; locations may change; auditing CSPs may become very expensive
  - Solution: certification of the CSP (check the scope of the certificates!): SAS 70 Type II, ISO 9000 series, ISO 27000 series
Issues relating to international dataflows
[Diagram: Internal Market for Personal Data = European Economic Area (EEA), showing three dataflows]
(1) Data Transfer: Data Controller inside EEA → CSP inside EEA (but other EEA Member State)
(2) Data Export / Data Import: Data Controller outside EEA → CSP inside EEA
(3) Data Export / Data Import: Data Controller inside EEA → CSP outside EEA

Issues relating to international dataflows: Dataflow within the EEA (1)
• Law of the country of establishment of the data controller applies to the data processing operation
• Subsequent transfers to sub-processors located within the EEA are possible within the scope of the data processing agreement
• Subsequent transfers to sub-processors located outside the EEA are in principle not possible within the scope of the data processing agreement
  - There is no P2P Model Contract
  - The new Model Contract leaves the door partially open
  - A multiparty C2P Model Contract offers a solution
Issues relating to international dataflows: Dataflow from a data controller outside the EEA to a CSP inside the EEA (2)
• National data protection law applies if ‘means’ are applied by the data controller on the territory of a member state
• Cumulation of applicable laws if ‘means’ are applied on the territory of several member states
• ‘Worst case situation’, as the data controller is subjected to data protection law due to the location of the CSP (or its subcontractors)
• Art. 29 WP Opinion 8/2010 on applicable law: this criterion has been shown to have undesirable consequences, such as a possible universal application of EU law
• Under review for the future data protection framework
Issues relating to international dataflows: Dataflow from a data controller inside the EEA to a CSP outside the EEA (3)
• Law of the country of establishment of the data controller applies to the data processing operation
• No export to countries outside the EEA, except if they offer adequate protection
  - White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  - BCR (Binding Corporate Rules) / Model Contracts
• The latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing
Practical approach to Cloud Computing
• Review the security mechanisms in place: security arrangements to mitigate the risks must be in place
• Review the certification of the CSP
  - Which certificates?
  - Scope of the certificates?
  - Background on the certification process
• Perform due diligence in relation to the CSP's terms & conditions
  - Performance levels
  - Contractual limitations
• Exit Plan / Retransition: is there an obligation to hand over the client’s data in a readily exploitable manner to the client or any subsequent service provider? Belgian law is not very helpful on this issue
Conclusion
• Cloud Computing is possible in a compliant manner in most cases
  - Data security is a key issue
  - International dataflows are facilitated with the latest Model Contract
• Choose the right type of Cloud Computing Service according to the compliance requirements
• Security measures must be implemented and audited, especially where personal data are involved
  - Potentially expensive (for client and CSP alike)
  - Certification offers a valid solution if some precautions are taken (scope!)
Thank you for your attention! Questions?