Data Protection in the Cloud – unclouding the Issues Billy Hawkes Irish Data Protection Commissioner Cloud Security Alliance Frankfurt, 9 May 2012 Back to the Future…….? Data Controller to Data Processor(“Cloud”) “The Cloud” – What are the Data Protection Issues? • Security of Personal Data • Location of Personal Data • Access to Personal Data What is “Personal Data”? • “any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Data Protection Directive 95/46/EC, A2) Who is Responsible? • The Data Controller (“the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”) • Data Controller remains responsible if data outsourced to Data Processor (“ a person …who processes personal data on behalf of a data controller”) Cloud Provider What Responsibilities? • Transparency (A. 10,11) • • • • Process fairly & lawfully • (A.6) • adequate information • Consent, contract, legal obligation, vital interests, public interest task, legitimate • interests (A.7) Specified , explicit and • legitimate purpose (A.6) Adequate, Relevant & not excessive (A. 6) Accurate, up-to-date (A.6) Retain for no longer than is necessary (A.6) Right of Access (A. 12) Data Security (A. 17) Intl. Transfers Right to Object (A. 14) Marketing, Other Restrictions on Automated Decisions (A. 15) What Security Obligations? • “..Appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.” • “Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. “ (Data Protection Directive, A17) “Outsourcing” Obligations? The controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures” • “. • “..governed by a contract or legal act binding the processor to the controller and stipulating in particular that- the processor shall act only on instructions from the controller • - the (security) obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor. Location of Personal Data? • OK if transferred within EU/EEA. Also OK if: To Approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [“Safe Harborites” & PNR data only] [soon New Zealand and Uruguay] Covered by Model Contracts or Binding Corporate Rules (BCRs) Article 26 (1) Exceptions (contract requirements etc) New EU Law: Data Controllers • Privacy by Design Privacy Impact Assessments • Data Portability • “Right to be Forgotten” Requirement for retention policy On request, delete unless clash with other rights (freedom of expression etc) • Strengthened Data Security Data Breach Notification New EU Law: Data Processors • More prescriptive Obligations : Documentation Data Protection Officer Cooperation with DPA • International Transfers: BCRs for Processors Contractual Clauses (as for Controllers) Data Security in The Cloud • “….the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective” European Network and Information Security Agency (ENISA) Report on Cloud Computing, November 2009 http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessment Data Protection Challenge • “Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification” ENISA Report, November 2009 Challenges for Outsourcer • Are you satisfied your data will be secure in the “cloud”? security certification: ISO 27001, SAS 70/SSAE 16 Access controls, data recoverability, data breaches Right to Audit Location of Data (inside or outside EEA) • Does your contract with the CP give you sufficient control? “Ultimately, you can outsource responsibility but you can't outsource accountability” (ENISA) Challenges for Cloud Provider • Are you willing to take on the separate data security obligations under EU Data Protection Law? Is this reflected in your contracts? • Are you willing to accommodate EU restrictions on international data transfers? Clarity on location of data? Data Protection Guidance: “Sopot Memorandum” (1) • Recommendations of International Working Group on Data Protection in Telecommunications (“Berlin Group”): Working Paper on Cloud Computing, April 2012 • http://www.datenschutzberlin.de/attachments/873/Sopot_Memorandu m_Cloud_Computing.pdf?1335513083 • EU Working Party 29 Guidance soon “Sopot Memorandum” (2) • Data Controllers: carry out privacy impact and privacy assessments • Cloud Providers: greater transparency, security and accountability: More information on potential data security breaches more balanced contractual clauses to promote data portability and data control by cloud users Thank You Office of the Data Protection Commissioner Canal House Station Road Portarlington Co Laois Phone: LoCall 1890 252231 057 8684800 Fax: 057 8684757 Email: info@dataprotection.ie Website: www.dataprotection.ie