Archive for the ‘Cloud computing’ Category

What will happen to Safe Harbor?

Posted on April 27th, 2013 by Eduardo Ustaran

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers) as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by Nuria Pastor

As expectation and concerns rise whilst we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice is music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework. The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO, would not have to maintain documentation, carry out PIAs or request authorisation to data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation should take this “new reality” into account and proposes some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data, for example by extending binding corporate rules to the network of sub-processors.

Technology issues that will shape privacy in 2013

Posted on December 13th, 2012 by Eduardo Ustaran

Making predictions as we approach a new year has become a bit of a tradition.  The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today’s uncertain world are pretty low.  Having said that, it wouldn’t be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission’s power to adopt ‘delegated acts’.  But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year’s key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.

A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon.  Like having a website in the late 90s, launching a mobile app has become a ‘must do’ for any self-respecting consumer-facing business.  However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles.  That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile.  The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality.  Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.

Mobile data collection via apps has been a focus of attention in the USA for a while but recent developments are a clue to what is about to happen.  The spark may well have been ignited by the California Attorney General who in the first ever legal action under the state’s online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy.  Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so.  On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children’s data.  These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app.  In fact, these cases are almost certainly the start of a trend that will extend to Europe in 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.

Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement.  What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators’ compliance expectations actually are.  Will ‘implied consent’ become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices?  Much would need to change for the latter to prevail but at the same time, the ‘wait and see’ attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law.  Let that be a lesson for the future.

The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud.  Much has been written on the data protection implications of cloud computing in the past months.  Regulators have given detailed advice.  Policy makers have made grand statements.  But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors’ data protection offerings.  Let us hope that we can use this opportunity to listen to each other’s concerns, agree a commercially realistic set of standards and get the balance right.  That would be a massive achievement.

This article was first published in Data Protection Law & Policy in December 2012.

Article 29 Working Party pushes for Binding Safe Processor Rules

Posted on December 9th, 2012 by Eduardo Ustaran

The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).

Privacy’s greatest threat and how to overcome it

Posted on October 22nd, 2012 by Phil Lee

After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated.  The same might also be said of privacy.  Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.”  However, if last week’s IAPP Privacy Academy in San Jose was anything to go by, privacy is very much alive and kicking.

It’s easy to understand why concerns about the death of privacy arise though.  Today’s data generation, processing and exploitation is simply vast – way beyond a level any of us could meaningfully hope to comprehend or, dare I suggest, control.  The real danger to privacy though is not the scale of data processing that goes on – that’s simply a reality of living in a modern day, technology-enabled, society; a Pandora’s box that, now opened, cannot be closed.  Instead, the real danger to privacy is excessive and unrealistic regulation.

Better regulation drives better compliance

From many years of working in privacy, it’s been my experience that most businesses work hard to be compliant.  Naturally, there are outliers, but these few cases should not drive the regulation that determines how the majority conduct their business.  It’s also been my experience that compliance is most often achieved where the standards applied by legislators and regulators are accurate, proportionate and not excessive – the same standards they expect our controllers to apply when processing personal data.  In other words, legislation and regulation drives the best behaviour when it is achievable.

By contrast, excessive, disproportionate regulation that does not accurately reflect the way that technology works or recognise the societal benefits that data processing can deliver often brings about the opposite effect.  By making compliance impossible, or at least, disproportionately burdensome to achieve, businesses, unsurprisingly, often find themselves falling short of expected regulatory standards – in many cases, wholly unintentionally.

The recent “cookie law” is a good example of this: a law that, though well-intentioned, is effectively seen as regulating a technology (cookies) rather than a purpose (tracking), leading to widespread confusion about the standards that apply and – let’s be honest – non-compliance currently on an unprecedented scale throughout the EU.

Why the Regulation mustn’t make the same mistake

In its current form, the proposed General Data Protection Regulation also runs this risk.  The reform of Europe’s data protection laws is a golden, once-in-a-generation opportunity to re-visit how we do privacy and build a better, more robust framework that fosters new technologies and business innovation, while still protecting against unwarranted privacy intrusions and harm.

But instead of focussing on the “what”, the legislation focuses too much on the “how”: rather than looking to the outputs we should strive to achieve (namely, ensuring that ever-evolving technologies do not make unwarranted intrusions into our private lives) the draft legislation instead mandates excessive accountability standards that do not take proper account of context or actual likelihood of harm.

For example:

*  How, exactly, does an online business ensure that its processing of child data is predicated only on parental or guardian consent (Article 8)?  My prediction: many websites will build meaningless terms into their website privacy policies that children must not use the site – delivering no “real” protection in practice.

*  Why is it necessary for an organisation transferring data internationally to inform individuals “on the level of protection afforded by that third country … by reference to an adequacy decision of the Commission” (Article 14)? Do data subjects really care where their data goes and whether the Commission has made an adequacy decision – or do they just want assurance that their data will be used for legitimate purposes and at all times kept safe and secure, wherever it is?  How does this work in a technology environment that is increasingly shifting to the cloud?

*  Why should controllers be required to provide data portability to data subjects in an “electronic and structured format which is commonly used” (Article 18)?  Surely confidentiality and data security is best achieved through the use of proprietary systems whose technology is not “commonly used”, therefore less understood and vulnerable to external attack?  Are we legislating for a future of security weakness?

*  Why should data controllers and processors maintain such extensive levels of data processing documentation (Article 28)?  How will smaller businesses cope with this burden?  Yes, an exemption applies for businesses employing less than 250 persons but only if their data processing is “ancillary” to the main business activities – immediately ruling out most technology start-ups.

*  And how can we still, in this day and age, operate on a misguided assumption that model contracts provide a sound basis for protecting international exports of data (Article 42)?  Wouldn’t it make more sense to require controllers to make their own adequacy assessment and to hold them to account if they fall short of the mark?

Make your voice heard!

For the past 17 years, the European Union has been a standard-bearer in operating an effective legal and regulatory framework for privacy.  That framework is now showing its age and, if not reformed in a way that understands, respects and addresses the range of different (and competing) stakeholder interests, risks being ruinous to the privacy advancements Europe has achieved to date.

The good news is that reforming an entire European legal framework doesn’t happen overnight, and the process through to approval and adoption of the General Data Protection Regulation is a long one.  While formal consultation periods are now closed, there remain many opportunities to get involved in reform discussions through legislative and regulatory liaisons at both a European and national level.

To make their voices heard, businesses throughout the data processing spectrum must seize this opportunity to get involved.  Only through informed dialogue with stakeholders can Europe hope to output technology-neutral, proportionate legislation that delivers meaningful data protection in practice.  If it does this, then Europe stands the best chance of remaining a standard-bearer for privacy for the next 17 years too.

Weather forecast for cloud computing in Europe is “overall good”

Posted on October 8th, 2012 by Dominika Kupczyk

The end of September has seen the UK Information Commissioner’s Office release its guidance on cloud computing, shortly followed by the European Commission’s announcement on a new strategy for “Unleashing the potential of cloud computing in Europe”.

ICO

The ICO’s new guidance starts with a helpful ‘setting the scene’ introduction for those new to the topic of cloud computing by going through definitions, different deployment and service models before moving on to an analysis of the data protection obligations.

According to the ICO, because the cloud customer determines the purposes for which and the manner in which any personal data may be processed, it is most likely to be the data controller. The guidance does contain a caveat that each case of outsourcing to the cloud and the controller/processor roles of each party will need to be determined separately. The end of the document has a useful checklist of considerations.

The guidance sets out a logical approach that should be followed by potential customers of cloud computing services and which comprises the following steps:

  1. Data selection – selecting which data to move to the cloud and creating a record of which categories of data you are planning to move.
  2. Risk assessment – carrying out privacy impact assessments is recommended for large and complex personal data processing operations in the cloud.
  3. The type of service and provider selection – taking into account the maturity of the service offered and whether it targets a specific market.
  4. Monitoring performance – ongoing obligation throughout the time the outsourcing to the cloud takes place.
  5. Informing cloud users – this reflects the transparency principle; cloud customers who are data controllers (who make services that run on the cloud available to individuals) will need to consider informing the individuals/cloud end users of the service about the processing in the cloud.
  6. Written contract – it is a legal requirement under the Data Protection Act to have a written contract in place between a data controller and a data processor.

With regard to selecting a cloud provider the ICO points potential cloud users to the need to look at the security offered, how the data will be protected and the access controls that have been put in place. Helpfully for data controllers, the ICO recognises that it is not always possible to carry out physical audits of the cloud provider but highlights the importance of ensuring that appropriate technical and organisational security measures are maintained at all times.

On the data transfers front the ICO states that cloud customers should ask potential cloud providers for a list of countries where data is likely to be processed and for information relating to the safeguards in place there. It is unfortunate that in this aspect the ICO follows the recent Article 29 Working Party Opinion on Cloud Computing.

EU

Turning to the European Commission’s announcement of a new strategy for “Unleashing the potential of cloud computing in Europe”, the main aim of the strategy is to support the take-up of cloud computing services through creating new homogenised technical standards on interoperability, data portability and reversibility by 2013, as well as certification schemes for cloud providers. A key area on which, according to the strategy document, the Commission will concentrate its work is safe and fair contract terms and conditions for cloud computing services. This will involve developing model terms for service level agreements. The strategy stresses the importance of the ongoing work on the proposed Data Protection Regulation and the expectation that this work should be completed in 2013.

The new strategy when coupled with the recent Article 29 Working Party Opinion shows clear signs that cloud computing is fast gaining prominence on the European Commission’s Digital Agenda. At this stage it is important to track the developments in this area and for industry members to continue providing their feedback to proposals. The ICO’s guidance proves that a pragmatic approach to cloud computing is achievable without minimising the protection afforded to individuals’ personal data.

In short, the key takeaways from these developments are that in addition to contributing to the development of model contract terms, customers of cloud computing services must look at the selection process and the contractual documentation as their top priorities when approaching a cloud service relationship.

A balanced approach to the cloud

Posted on July 27th, 2012 by Eduardo Ustaran

Cloud computing is not a fashion or a swanky new name given to technology outsourcing.  Cloud computing is not a marketing plot to sell more Internet connections and fibre optics.  Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets.  Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place.  However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.

The development of cloud computing is commonly associated with the evolution of the Internet giants.  It is kind of obvious that the Internet pioneers with massive servers and an even greater vision would be the ones to spot the opportunities presented by the cloud.  The rest is now history and today, the leading cloud service providers are technology powerhouses that dictate the way businesses, governments and consumers can make the most of the information economy.  This position of power is very visible and often criticised for being incapable of accommodating requests for specific levels of data protection.

Rightly or wrongly, the cloud providers’ stance is seen by the EU data protection authorities as obstinate and the recent Article 29 Working Party Opinion on cloud computing makes that very clear.  So whilst coyly acknowledging the potential benefits of cloud computing, the Working Party firmly focuses on the risks that it presents for data protection and sets out a detailed ‘wish list’ of how to overcome them.  However, as if trying to compensate for the perceived inflexibility of the cloud providers, the Opinion of the authorities has set the bar for compliance with data protection in the context of cloud computing considerably above today’s standards.  The risk with that approach is that both customers and providers of cloud computing services may regard it as so unrealistic that rather than attempting to get close to it, they may decide to simply ignore it.

The EU data protection regulators should certainly be praised for being brave in setting their expectations.  But unfortunately some of those expectations are not only over and above the actual legal requirements, but they are also unachievable in a commercial world.  Once the potential customer of cloud services gets past the risk analysis stage – which is correctly identified by the Working Party as a crucial first step – the key element of the commercial relationship is the contract between customer and provider.  So not surprisingly, the regulators have focused their efforts on emphasising that the imbalance in the contractual power of a small controller with respect to a large service provider should not be considered as a justification for the controller to accept contractual terms which are not in compliance with data protection law.

The challenge is that if the standards for compliance involve things like getting the names of all subcontractors commissioned by the provider, being told about the locations of all data centres, getting the provider to help the customer comply with its obligations and inform that customer of changes to the cloud, plus adding an array of technical measures ranging from isolation to portability of data, compliance is simply never going to happen.  We cannot afford that to be the case when so much of the world’s information is already residing in the cloud.  Clearly, the right balance needs to be achieved by making sure that cloud customers can choose wisely and spot responsible providers, whilst those providers are encouraged to adopt the right practices.

Ultimately, it is not about who is in the strongest position to negotiate a contract, but about taking privacy and data security responsibilities truly seriously.  Aiming for a realistic level of compliance does not mean letting cloud providers off the hook.  The regulators’ frustration is more than justified when uncompromising providers try to hide behind an empty Safe Harbor registration.  Data protection is not an unachievable aim but an essential ingredient of cloud computing.  Like in all immature markets, it is still too early to distinguish fully between the good and the bad players but that is not to say that a balanced and realistic approach to the cloud will not result in an optimal level of data protection.

This article was first published in Data Protection Law & Policy in July 2012.

A belt and braces approach to the Cloud

Posted on July 4th, 2012 by Brian Davidson

The EU’s Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of ‘Cloud Computing’ – a term which not only invokes debate in data privacy circles about what it is (it’s essentially the use of technologies which focus on efficient internet-based delivery of IT applications, processing services and memory space) but also the risks of such technology. The truth is, cloud services are here to stay, delivering efficiencies to a huge number of public authorities and global organisations – witness the City of Los Angeles who signed a deal with Google for the use of its cloud services to deliver more efficient public services and store data; or more recently Apple’s ‘iCloud’ service which allows its army of users to purchase, store and access media content and personal documents across their Apple devices.

Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is keen to set out the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by ‘cloud clients’ as they surrender their personal data to ‘cloud providers’ and, with it, their control over the technical and organisational measures that ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally refers to ‘cloud clients’ as data controllers, on the basis that they generally determine the purpose and outsourcing of the processing, and to ‘cloud providers’ as ‘data processors’, on the basis that they provide the cloud services based on the instructions of their clients.)

The Opinion also highlights a lack of ‘transparency’ as a further risk: insufficient information on a cloud provider’s operations poses a risk to clients and data subjects, since they may not be aware of potential threats to their data and therefore cannot take appropriate action. The Working Party therefore highlights the need for ‘cloud clients’ to carry out adequate risk assessments of potential cloud providers before implementing any project.

The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients ‘may not have room for manoeuvre’ with regard to contractual terms when negotiating with cloud providers – particularly the larger providers who offer ‘standardised’ services. Nevertheless, the Opinion emphasises that it is still the cloud client who assumes the role of ‘data controller’ (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.

In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:

- the technical and/or organisational measures to be implemented by the cloud provider, including clarification of the cloud provider’s responsibility to notify the cloud client in the event of a data breach.

- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.

- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.

- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.

- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard – with the client retaining the power to object to such changes and/or terminate the contract.

- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.

Finally, the Opinion recognises the need to regulate data transfers to so-called ‘third countries’ in the context of cloud services, but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the ‘adequacy’ of such transfers are somewhat limited. In this regard, the Opinion starts by rejecting the Safe Harbor mechanism as a transfer solution, on the basis that Safe Harbor certification alone cannot substitute for the contractual arrangements and guarantees that may be required by Data Protection Authorities at the national level, particularly on the data security issues applicable to cloud computing; the Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective in this regard.

Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with their applicable sub-processor provisions) but, more importantly, recognises the suitability of the BCR framework, and specifically the ongoing development of Binding Safe Processor Rules (BSPR), which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.

In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party’s expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.

Why the Big Buzz about Big Data?

Posted on June 29th, 2012 by Phil Lee

Another year, another buzz word, and this time around it’s “Big Data” that’s getting everyone’s attention. But what exactly is Big Data, and why is everyone – commercial organisations, regulators and lawyers – so excited about it?

Put simply, the term Big Data refers to datasets that are very, very large – so large that, traditionally, supercomputers would ordinarily have been required to process them. But, with the irrepressible evolution of technology, falling computing costs, and scalable, distributed data processing models (think cloud computing) Big Data processing is increasingly within the capability of most commercial and research organisations.

In its oft-quoted article “The Data Deluge”, the Economist reports that “Everywhere you look, the quantity of information in the world is soaring. According to one estimate, mankind created 150 exabytes (billion gigabytes) of data in 2005. [In 2010], it will create 1,200 exabytes.” Let’s put that in perspective – 1,200 exabytes is 1,200,000,000,000 gigabytes of data. A typical Blu-Ray disc can hold 25 gigabytes – so 1,200 exabytes is the equivalent of about 48 billion Blu-Ray discs. Estimating your typical Blu-Ray movie at about 2 hours long (excluding special features and the like), there’s at least 96 billion hours of viewing time there, or about 146,000 human lifetimes. OK, this is a slightly fatuous example, but you get my point – and bear in mind that global data is growing year-on-year at an exponential rate, so these figures are already well out of date.

Much of this Big Data will be highly personal to us: think about the value of the data we all put “out there” when we shop online or post status updates, photos and other content through our various social networking accounts (I have at least 5). And don’t forget the search terms we post when we use our favourite search engines, or the data we generate when using mobile – particularly location-enabled – services. Imagine how organisations, if they had access to all this information, could use it to better advertise their products and services, roadmap product development to take account of shifting consumer patterns, spot and respond to potentially brand-damaging viral complaints – and ultimately keep their customers happier and improve their revenues.

The potential benefits of Big Data are vast and, as yet, still largely unrealised. It goes against the grain of any privacy professional to admit that there are societal advantages to data maximisation, but it would be disingenuous to deny this. Peter Fleischer, Google’s Privacy Counsel, expressed it very eloquently on his blog when he wrote “I’m sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don’t care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we’ve barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it’s a mistake to try to minimize data generation and retention. Maybe the privacy community’s shibboleth of data deletion is a crime against science, in ways that we don’t even understand yet.” (You can access Peter’s blog “Privacy…?” here.)

This quote raises the interesting question of whether the compilation and analysis of Big Data sets should really be considered personal data processing. Of course, many of the individual records within commercial Big Data sets will be personal – but the true value of Big Data processing is often (though not always) in the aggregate trends and patterns they reveal – less about predicting any one individual’s behaviours, reactions and preferences, and more about understanding the global picture. Perhaps it’s time that we stopped thinking of privacy merely in terms of collecting data, and looked more to the intrusiveness (or otherwise) of the purposes to which our data are put?

This is perhaps something for a wider, philosophical debate about the pros and cons of Big Data, and I wouldn’t claim to have the answers. What I can say, though, is that Big Data faces some big issues under data protection law as it stands today, not least in terms of data protection principles that mandate user notice and choice, purpose limitation, data minimisation, data retention and – of course – data exports. These are not issues that will go away under the new General Data Protection Regulation which, as if to gear itself up for a fight with Big Data proponents, further bolsters transparency, consent and data minimisation principles, while also proposing a new, highly controversial ‘right to be forgotten’.

So what can and should Big Data collectors do for now? Fundamentally, accountability for the data you collect and process will be key. Your data subjects need to understand how their data will be used, both at the individual and the Big Data level, to feel in control of this and to be comforted that their data won’t be used in ways that sit outside their reasonable expectations of privacy. This is not just a matter of external-facing privacy policies, but also a matter of carefully constructed internal policies that impose sensible checks and balances on the organisation’s use of data. It’s also about adopting Privacy Impact Assessments as a matter of organisational culture, to identify and address risks whenever Big Data analysis is used for new or exciting reasons.

Big Data is, and should be, the future of data processing, and our laws should not prevent this. But, equally, organisations need to be careful that they do not see the Big Data age as a free-for-all hunting season on user data that invades personal privacy and control. Big issues for Big Data indeed.

The ‘watchdog for the data-protection watchdogs’ releases its priorities for 2012

Posted on January 12th, 2012 by Christopher Thomas

The European Data Protection Supervisor (EDPS) has prepared a public inventory and accompanying note setting out its key issues for 2012.  Given that the EDPS is one of the most influential figures in the data protection world, this is a reflection of what is likely to be hot in data protection during the next twelve months.

The four areas of strategic importance that the EDPS has identified are: 

1.  A completely new legal framework for data protection

Once the Commission has finalised its proposal for a new legislative framework (expected in the coming weeks), the EDPS will issue an opinion giving particular attention to: trans-border data processing activities, third-country transfers, data subjects’ rights, data controllers’ obligations and mechanisms with regard to cooperation and consistency.  However, with a new framework likely to be several years in the making, this will no doubt still be an issue in 2013 and beyond.

2.  Technological developments

As the development of new technologies continues, the EDPS has said that in 2012 it will pay particular attention to issues concerning internet monitoring and ‘cloud computing’ services, amongst others. With some arguing that the economic crisis will accelerate the move toward cloud services, while the current European regulatory trend is towards restricting cloud computing services geographically, this is an important issue demanding consideration.

3.  Developing freedom, security and justice

With the European Commission’s agenda currently concentrating on immigration/border control and anti-terrorism/internal security, the EDPS states that in 2012 it will focus on initiatives to ensure the balance between security and privacy is maintained.  The EDPS therefore seems prepared to exert its independence from the Commission and to fight the corner of the data protection principles. 

4.  Financial sector reform

During 2011 the EDPS was concerned about data protection issues arising from the development of financial legislation led by the Commission. In 2012 it plans to monitor developments by issuing opinions on proposals concerning the regulation and supervision of financial markets and actors.

Time will tell whether the EDPS’ actions in 2012 match its forecast, or rather whether an unforeseen event or new political mood will actually determine its conduct to a greater degree.