CLOUD COMPUTING: LEGAL ISSUES
FLORENCE APRIL 2016
Lilian Edwards
Professor of E-Governance, University of Strathclyde,
Deputy Director, CREATe
Lilian.edwards@strath.ac.uk
@lilianedwards
Cloud computing: legal, privacy and contract issues
WHAT IS CLOUD COMPUTING?
• Hon and Millard (2013): “a way of delivering computing resources as a utility service via a network, typically the Internet, scalable up and down according to user requirements. As such the cloud may prove to be as disruptive an innovation as was the emergence of cheap electricity”.
• Microsoft (2010): “cloud computing represents a transformation of the industry [which] will let you focus on your business, not on running infrastructure. It will also let you create better applications, then deploy those applications wherever makes the most sense: in your own data center, at a regional service provider, or in our global cloud. In short, IT as a Service will let you deliver more business value”
KEY FEATURES
• B2B and B2C: Amazon, Microsoft, Google etc. offer B2B services; B2C examples are Gmail, Facebook, Dropbox, Blogger
• Remote storage plus on-demand self-service by clients
• Ubiquitous access to data/resources – from office, mobile, tablet etc. – also enables distributed group working
• Resource management – provides scalable and just-in-time acquisition of resources by customers (“rapid elasticity”)
• Pay per use – not buy and use. Cloud provision not just of data storage but of services or more (see next). No need for local support, upgrading etc.
• Not entirely new: a logical extension of (a) data warehousing and (b) outsourcing of services – involves the complicated legal issues of both.
CLOUD COMPUTING MODELS
KEY LEGAL ISSUES
• Data protection obligations
  1. Is the Cloud provider (CP) a data controller (DC) or data processor (DP)?
     • Obligations – security; right to be forgotten
  2. Data exports – can personal data be “exported” from the EC into the Cloud?
     • How can the Cloud operate for US-based CSPs after Schrems?
  3. Security breach notification
• Contract
  • Standard term contracts – are they fair to users?
  • If not, what can be done?
DATA PROTECTION – 1 – WHO IS RESPONSIBLE?
• Data Protection Directive (DPD), Art 2:
  • (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  • (e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
• Unchanged by GDPR art 4
DATA PROTECTION PRINCIPLES (DPD ART 6; GDPR ART 5 (MAINLY))
1. Personal data shall be processed lawfully and fairly. (GDPR adds “transparently”)
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes. (“purpose limitation”)
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it was processed. (“data minimisation”)
4. Personal data shall be accurate and kept up to date if necessary. (“accuracy”)
DP PRINCIPLES (CONT.)
5. Personal data shall not be kept for longer than is necessary for its purpose. (“data retention”, now “storage limitation”)
6. Personal data can only be processed in accordance with the rights of the data subjects.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing. (“integrity and confidentiality”) (Note the new security obligation on the processor, art 32 GDPR)
8. Restriction on transferring personal data to countries that do not provide adequate data protection.
GDPR adds an accountability principle.
DPD -> GDPR: DATA CONTROLLERS AND PROCESSORS
• DPD regarded DCs as having primary legal responsibility for meeting DP principles and other duties, and for paying for breaches
• Art 17(2) DPD: obligation on DCs to make sure they chose a data processor who guaranteed to meet the security obligation
• DC also had to make a written contract with the DP providing that the DP acted only on the DC’s instructions (art 17(3))
• Cloud service providers (CSPs) mainly thought of as processors (and sub-processors) – but great uncertainty – different types of CSPs and circumstances.
• Art 29 WP on the SWIFT case – Opinion 10/2006
  • Held: SWIFT not just agent of the Belgian banks (processor) but itself a controller
• Art 29 WP Report 169, Feb 2010, definition of processor vs controller – distinction based on “the possibility of pluralistic control (“which alone or jointly with others”), and.. the essential elements to distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”). Factual, not an open choice.
THE CLOUD, RESPONSIBILITY AND CONTROLLER/PROCESSOR
• GDPR arts 24-28 expand on old art 17(2)
  • “The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”
• Possibility of joint controllers made explicit in art 26, and division of responsibilities to be “transparent”
• Art 28 provides that the “processor shall not engage another processor without prior specific or general written authorisation of the controller”, with very detailed contract contents mandated
• Distinguishing between different CSPs as controllers, processors or sub-processors becomes crucial.
• And note the CLIENT in cloud computing will usually be solely or jointly a controller
DC:DP CONTRACTS
A29 guidance and national regulator guidance (say Hon and Millard) suggest DCs should review and conduct risk assessments of cloud provision contracts now that the GDPR is here
• In particular, check and give individual instructions taking into account:
  • Nature and sensitivity of personal data in the cloud
  • Type of intended processing
  • Risk assessment for future events
  • Due diligence re selection of sub-service providers
  • Clear allocation of respective responsibilities of DC and DP
  • Data location
  • Data export
  • The DP's security measures, including logging and auditing
• Hon and Millard regard this as impractical – cloud providers cannot efficiently follow detailed instructions from every client – but should rather merely be certified generally as meeting security standards
THE DEATH OF THE CLOUD IN EU?
• Kitchen example: SaaS is like buying a ready meal from M&S; Infrastructure as a Service is like renting a catering service or kitchen.
• You expect to be able to give detailed and unique instructions to a kitchen, but if you don’t like one ready meal you buy another one.
• You don’t expect, or have the legal right, to make M&S make one for you with less salt, or no gluten, or no onions – and if you could demand this, M&S would go bust!
• Hon: imagine user X (DC) using Dropbox (SaaS, processor) built on Amazon Web Services (IaaS, sub-processor?); the user has no interest in giving instructions to AWS, and AWS isn’t configured to deal with requests of individual DCs.
HON, “KILLING CLOUD QUICKLY WITH GDPR”, SCL JNL, MARCH 2016
• “the GDPR would set in stone the most prescriptive cloud-impracticable elements of [A29] WP 196 while omitting parts of WP 196 that actually recognised how cloud worked..
• Rather than making data protection laws truly technology-neutral, the GDPR will perpetuate the 1970s model of computing/outsourcing embedded in the DPD”
ONE PARTICULAR OBLIGATION
• “Right to be forgotten”? = right to seek erasure of PD
• GDPR arts 17-19
• For hosts, not just search engines!
• But for controllers or processors?
• Right to “obtain from the DC the erasure of [their] personal data” where processing is out of date, consent withdrawn, unlawful etc. (art 17(1)).
• But also “the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”
• What kind of obligation is this for CSPs? And which ones? Will they have to consider the exceptions in art 17(3)?
DP – 2 – DATA EXPORTS & LEA ACCESS
• DP 8th principle in DPD
  • “Personal Data shall not be transferred to a country outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data subjects in relation to the processing of personal data”.
• Challenge for the Cloud, where data is often held outside the EU, in varying and changing locations (not always known to the user OR the CSP). Especially in the US!
• NB EU DP law may be held to apply to a non-EU DC by virtue of art 4: it has an EU establishment (expanded after Google Spain v Costeja), or it uses “equipment” in the EU other than merely for transit (e.g. wires, cookies).
DP – 2 – EXPORT AND LEA ACCESS
• Export outside the EU allowed by DPD if:
  • Finding of “adequacy” (art 25) (11 states)
  • US safe harbor membership
  • Art 26 – use of model contractual clauses issued by the EU Commission, or BCRs
  • Unambiguous consent – but high standard (free, informed); also revocable; the DC may not be the data subject but processing data of others (e.g. posting an FB group photo)
• A29 questioned use of art 26 exemptions in Cloud transfers if transfers are “massive, recurrent or structural”
• Schrems decision (CJEU, 2015, case C-362/14) held safe harbor invalid because of post-Snowden awareness that US laws – FISA, Patriot Act – allowed the NSA and other agencies access to personal data held on servers in the US and controlled by US companies. And US public authorities could not be made subject to EU oversight by EU contracts.
  • “compromises the essence of the fundamental right to private life” .. “to effective judicial protection”
DP – 2 – FALLOUT
• Schrems resulted in safe harbour being declared invalid
• Very bad for non-EU CP B2B business – reports of EU businesses withdrawing contracts
• Very bad for B2C trust
• Law?
  • Attempt to replace safe harbour with “Privacy Shield” (February 2016)
  • Some improvements, e.g. an ombudsman for EU data subjects to go to
  • But no fundamental change in US law
  • -> April 2016: A29 WP essentially declared Privacy Shield still unsatisfactory
  • -> CJEU?
DP – 2 – ALTERNATE GROUNDS FOR TRANSFER OF DATA TO US
• Varying from EU DPA to DPA
• Schleswig-Holstein, e.g., immediately declared all alternate grounds – standard contract terms, BCRs etc. – equally invalid, on grounds essentially that the US could not provide the safeguards these forms depend on as a substitute for “adequacy”
• All need “enforceable data subject rights and effective legal remedies for data subject” (GDPR)
• All German DPAs have however agreed that explicit user consent remains valid pro tem
• BUT
  • Note A29 warnings re “massive, structural” exports of PD reliant only on consent, and the GDPR art 49(1) reference to such (non-repetitive, limited transfers)
  • US unlikely to change law further?
• Best solutions – build Clouds in the EU? Demand them? Deutsche Bank, Microsoft in Germany
DP – 3 – SECURITY BREACH OBLIGATIONS
• GDPR art 33
  • Controllers must notify the DPA of a data breach “without undue delay and, where feasible, no later than 72 hours after having become aware of it” (unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”).
  • Controllers must notify data subjects of a breach where it creates a “high risk to the rights and freedoms of individuals”, although exceptions can apply.
• Fines of up to 4% of annual turnover or 20 million Euro may apply for some breaches
• For the first time, under the GDPR data processors have an independent security obligation, so may be subject to these fines (CSPs??) and a breach notification obligation to the DC, art 33(2)
• Level of fine linked to speedy mitigation, so CSPs should be on alert..
• Fights over indemnities/allocation of blame in cloud contracts may get more heated?
CONTRACT
• Distinguish
  • Standard term contract service provision
  • Negotiated contract service provision
• This cannot be easily mapped as B2B vs B2C – e.g. many SMEs and public sector bodies, universities, will use Gmail.
• Distinguish “free”/paying ToS – the former likely to have more freedom!
• Terms of service (ToS) survey by Bradshaw, Millard and Walden, 2010-2013, found many problematic standard terms even in non-free services
  • Very comprehensive limitation of liability clauses, even including liability for poor security by the CP
  • Governing law that of US states (to exclude unfair terms law?). Location of actual servers often not specified.
  • Monitoring of customer activity
  • Right to vary ToS unilaterally, or terminate unilaterally without retaining customer data
• Note that German and French courts are starting to knock down unfair terms in digital standard form B2C contracts!
Editor's Notes

  • #6: Implications for how much control the user has --- Eg Software as a Service eg Dropbox, Salesforce – customer can’t control any of the non local infrastructure or settings or security by and large eg where data stored, so security mainly job for cloud provider PaaS – delivers operating system plus services over net – no need to download or update. Typically just key services not whole infrastructure. Eg Java developmnt Cf Infrastructure as a Service - like buying a server , - hardware, os, apps and data only its not in your office – full control to user – eg Amazon Elastic Cloud – user typically takes resp for the secuerity of all but the basic remote infrastructure