Data Protection in the Cloud unclouding the Issues

Billy Hawkes Irish Data Protection Commissioner

Cloud Security Alliance Frankfurt, 9 May 2012

Back to the Future.?

Data Controller to Data Processor(Cloud)

The Cloud What are the Data Protection Issues?

Security of Personal Data Location of Personal Data Access to Personal Data

What is Personal Data?

any information relating to an

identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
(Data Protection Directive 95/46/EC, A2)

Who is Responsible?
The Data Controller (the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data) Data Controller remains responsible if data outsourced to Data Processor ( a person who processes personal data on behalf of a data controller)

Cloud Provider

What Responsibilities?
Transparency (A. 10,11)

adequate information

Process fairly & lawfully (A.6)

Consent, contract, legal obligation, vital interests, public interest task, legitimate interests (A.7)

Accurate, up-to-date (A.6) Retain for no longer than is necessary (A.6) Right of Access (A. 12) Data Security (A. 17)

Intl. Transfers

Right to Object (A. 14)

Specified , explicit and legitimate purpose (A.6) Adequate, Relevant & not excessive (A. 6)

Marketing, Other

Restrictions on Automated Decisions (A. 15)

What Security Obligations?

..Appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. (Data Protection Directive, A17)

..governed by a contract or legal act binding the processor to the controller and stipulating in particular that- the processor shall act only on instructions from the controller - the (security) obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

The controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures

Outsourcing Obligations?

Location of Personal Data?

OK if transferred within EU/EEA. Also OK if:

To Approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [Safe Harborites & PNR data only] [soon New Zealand and Uruguay] Covered by Model Contracts or Binding Corporate Rules (BCRs) Article 26 (1) Exceptions (contract requirements etc)

 Privacy by Design

New EU Law: Data Controllers

Privacy Impact Assessments

Data Portability Right to be Forgotten

Requirement for retention policy On request, delete unless clash with other rights (freedom of expression etc) Data Breach Notification

Strengthened Data Security

New EU Law: Data Processors

More prescriptive Obligations :

Documentation Data Protection Officer Cooperation with DPA

BCRs for Processors Contractual Clauses (as for Controllers)

International Transfers:

Data Security in The Cloud

.the clouds economies of scale and flexibility

are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective

European Network and Information Security Agency (ENISA) Report on Cloud Computing, November 2009 http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessment

Data Protection Challenge

Cloud computing poses several data protection risks

for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification

ENISA Report, November 2009

Challenges for Outsourcer

Are you satisfied your data will be secure in the cloud?

security certification: ISO 27001, SAS 70/SSAE 16 Access controls, data recoverability, data breaches Right to Audit Location of Data (inside or outside EEA)

Does your contract with the CP give you sufficient control?

Ultimately, you can outsource responsibility but you can't outsource accountability (ENISA)

Challenges for Cloud Provider

Are you willing to take on the separate data security obligations under EU Data Protection Law?

Is this reflected in your contracts?

Are you willing to accommodate EU restrictions on international data transfers?

Clarity on location of data?

Data Protection Guidance: Sopot Memorandum (1)

Recommendations of International Working Paper on Cloud Computing, April 2012 http://www.datenschutzberlin.de/attachments/873/Sopot_Memorandu m_Cloud_Computing.pdf?1335513083 EU Working Party 29 Guidance soon

Group on Data Protection in Telecommunications (Berlin Group): Working

Sopot Memorandum (2)

Data Controllers: carry out privacy impact and privacy assessments Cloud Providers: greater transparency, security and accountability:

More information on potential data security breaches more balanced contractual clauses to promote data portability and data control by cloud users

Thank You
Office of the Data Protection Commissioner Canal House Station Road Portarlington Co Laois Phone: LoCall 1890 252231 057 8684800 Fax: 057 8684757 Email: info@dataprotection.ie Website: www.dataprotection.ie