
Page 1: Rob  Corbet Partner Arthur Cox 23 January 2013

Cloud Computing – Data Protection Implications

Chartered Accountants House, 47-49 Pearse St, Dublin 2

Rob Corbet, Partner

Arthur Cox, 23 January 2013

CPD Reference Code: 2013 – 0003

Page 2

Overview

• Cloud Computing
  – What is it?
  – Why is everyone talking about it?
  – What’s new about it?

• Legal Issues
  – Contract non-negotiation!
  – Security and Data Protection
  – Contractual Risk Management
  – Technical Risk Management

Page 3

Does everyone understand the Cloud?

• Of the 88% of key decision-makers that do not use cloud computing, 39% said it was because they don't know enough about it

• Gartner: “A style of Computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies.”

Page 4

What is it? Demystifying the Cloud

Source: Mike Kavis blog at http://it.toolbox.com

Page 5

The Jargon

• Infrastructure as a Service (IaaS)
  – Scalable/elastic computer resources
  – Via internet
  – Range from storage to computing/processing power
  – Generally pay-per-use model
  – Attractive commercial model and proven success
  – Backbone of many SaaS offerings

• Platform as a Service (PaaS)
  – Development environment to code/host/deliver applications
    • e.g. Google’s App Engine, Microsoft Windows Azure and Salesforce’s Force.com
  – Attractive commercial model and proven success

• Software as a Service (SaaS)
  – Delivery of software functionality via browser
  – Typically (not always) multi-tenanted offering i.e. customer holds account on single instance of s/w running on virtualised infrastructure
  – e.g. Google Gmail, Microsoft Office 365 and Salesforce.com

• Transfer of data and processing to third party

Page 6

Different Clouds

• Public Cloud
  – Created by vendor and offered to public
  – Multi-tenanted
  – Low cost

• Private Cloud
  – Hosted by enterprise using the service
  – Not multi-tenancy

• Hybrid Cloud
  – Enterprise set up private cloud services in combination with external public cloud services or community type cloud set up by group of users of certain offering

Page 7

Why is everyone talking about it?

Pros

• Flexibility
  – e.g. log-in remotely from any device, multi-view and work on files simultaneously

• Quick and Easy
  – Log in and off you go, no software downloads etc

• Cheap
  – “Utility” computing without need for upgrades, replacement etc and less in-house IT support
  – Cap-ex -> Op-ex

• Green
  – Burns less energy

Cons

• Security and Privacy
  – Can I trust the Cloud with my data?

• Availability
  – What if my core Applications are down?
  – What if the Internet goes down?
  – Am I trapped with this Provider?

• Performance
  – Will it deliver like the existing model?
  – What are my remedies if it doesn’t?

• Legal Cover
  – What’s in the contract?

Page 8

What’s New? Cloud v Traditional Models

• Traditional delivery models
  – Software licensing
  – Remote managed service e.g. payroll
  – ICT outsourcing i.e. ICT resources given to another to manage

• Cloud model
  – Internet/intranet accessible
  – Scalable (sometimes massively so) and user-configurable computing resources - PaaS and IaaS
  – Multi-tenancy – customers share single software instance
  – Subscription or usage based payment – at least an element of pay-for-what-you-use
  – Self-service model
  – Typically not location specific
  – New concerns for the ICT security professional and compliance community

Page 9

Challenges for the DP / Compliance / Legal Departments

• Traditional Models
  – Customer-led
  – Contract-driven
  – Contracts with big paydays get negotiated and approved before signing

• Cloud Model
  – Supplier-led
  – Standard T&Cs in return for cheap service (“click to proceed”)
  – Early adopters are US corporations who either have:
    (i) experience of getting things their way – Amazon, Google, Microsoft; or
    (ii) have set themselves up to get their way - Salesforce
  – Subscription model – no single payday
  – Low(ish) regular payment = low risk assumption by Supplier

Page 10

Risk Management

• Security
• Service Levels
• Liability Management
• Exit management
• Data Protection
• Litigation Support
• Disaster recovery
• Audit and inspection
• None of these are “new” legal or compliance issues
• But usually heavily negotiated and formally approved in traditional “outsourcing” models

Page 11

A Quick Who’s Who

Financial Services Customer
  – Data Controller under EU law
  – Primary responsibility for DP compliance
  – Duty of care to customers
  – Client confidentiality paranoia
  – Risk averse
  – Regulated
  – Contracts are to be drafted, negotiated and executed
  – Expensive = high risk assumption
  – Who can I sue?

Cloud Provider
  – Data Processor under EU law
  – Default responsibility only for data security
  – No duty of care to clients
  – Won’t join the paranoid!
  – Risk managers
  – Unregulated
  – Contracts are there to be clicked
  – Cheap(er) = low risk assumption
  – You can’t sue me!

Page 12

What are the data security standards?

Page 13

Data Protection Implications

• Compatibility with EU Data Protection Directive?

• Exports of Data outside of the EEA
  – Adequate Level of Data Protection per Article 25
  – Model Clauses? Safe Harbor? “Consent”?

• DP Directive: Art 17:
  – Data controller must take “appropriate technical and organizational measures”
  – “Having regard to the state of the art and the cost of their implementation, … and the nature of the data to be protected”
  – “choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures … and must ensure compliance with those measures”
  – processor must be governed by “a contract or legal act binding the processor to the controller and stipulating in particular that the processor shall act only on instructions from the controller”

Page 14

Other DP Requirements

• DP Directive Art 6: Keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected

• DP Directive Art 12: Right of access and rectification for the data subject

• Is the data controller able to meet these obligations in its chosen cloud environment?

Page 15

Proposed EU Data Protection Regulation {SEC(2012) 72 final}

• Controller and Processor
  – Largely repeats the same standards as under the Directive

• Introduces some new concepts
  – Sanctions, mandatory data breach reporting, “Privacy by Design” and “Right to be Forgotten” have captured the headlines

• Clarifies applicable law - single set of rules apply across all 27 Member States

• Bureaucracy on data transfer survives
  – Binding corporate rules, “adequacy” decisions by the Commission etc
  – Difficult to comply in a classic cloud construct

• EU Commission hoping to progress the Regulation during Irish presidency of EU in 2013

Page 16

Data Protection Implications

• “EU Clouds” available

• Some Suppliers allow Customer to decide the data venue

• But e.g. AWS
  – “We participate in the safe harbor programs described in the Privacy Policy. You may specify the AWS regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected AWS regions without notifying you, unless required to comply with the law or requests of governmental entities”

• “Notify” is not “Consent”
  – Governmental request - US Patriot Act? UK RIP Act?

Page 17

Contractual Risk Management

Page 18

Liability Issues

• Typically blanket exclusions and limitations of liability
  – Always pro-Supplier
  – Distinction between “direct” and “indirect” loss?

• What if Supplier disappears or goes bust?

• 24 of the 31 Cloud T&Cs analysed by Queen Mary University required the customer to indemnify the provider against any claim against the provider arising from the customer’s use of the service

• Remedies?
  – Sue?
  – Service Credits?
  – Recover data?

• Most regulated organisations do not accept material supply contracts “as is” but SMEs do

• Negotiability of terms is a function of deal value

Page 19

Will customers accept disclaimers post DP Regulation?

• Proposed EU DP Regulation

• Art 77
  – Right to compensation and liability
  – Extends right to damages caused by processors and applies joint and several liability where controller and processor at fault

• Art 78
  – Obliges Member States to lay down rules on penalties

• Art 79
  – Obliges DPCs to impose fines (max 2% of global turnover), with due regard to circumstances of each individual case

• Cloud providers not in a hurry to take on this liability risk

Page 20

Technical Risk Management Measures

Page 21

Technical Solutions

• Encryption/Anonymisation:
  – EU law: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

• Draft EU DP Regulation
  – To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual

• So, properly anonymised/encrypted data can avoid the application of the DP principles (encrypted data is not personal data)

• But Supervisory Authorities are sceptical about anonymisation

• Security certification:
  – ISO 27001, SAS 70, SSAE 16

• Exercise Right to Audit? Contentious point for cloud operators

• Private Clouds
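The "means likely reasonably to be used" test above is why supervisory authorities are sceptical of anonymisation claims: an unkeyed hash of a low-entropy identifier such as a date of birth can be reversed by simply trying every plausible value, whereas a keyed pseudonym with the key held by the controller cannot be reversed by the processor (though it remains pseudonymised, not anonymised, in the controller's hands). The following is an added illustration written for this page, not code from the talk; the sample record and the year range are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed sample record: a direct identifier the controller wants to
# strip before handing the record to a cloud processor.
SAMPLE_DOB = "1975-03-14"
# Key held by the controller only; it is never given to the processor.
CONTROLLER_KEY = secrets.token_bytes(32)

def weak_pseudonym(dob: str) -> str:
    """Unkeyed SHA-256: the token looks opaque, but anyone can recompute it."""
    return hashlib.sha256(dob.encode()).hexdigest()

def keyed_pseudonym(dob: str, key: bytes = CONTROLLER_KEY) -> str:
    """HMAC-SHA256: recomputing the token requires the controller's key."""
    return hmac.new(key, dob.encode(), hashlib.sha256).hexdigest()

def reidentify_by_enumeration(token: str, pseudonym_fn: Callable[[str], str],
                              first_year: int = 1900, last_year: int = 2012) -> Optional[str]:
    """The 'means reasonably likely to be used' test: a date of birth has only
    about 41,000 plausible values (assumed range 1900-2012), so whoever holds
    the token can try them all with whatever pseudonym function they can compute."""
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        candidate = day.isoformat()
        if hmac.compare_digest(pseudonym_fn(candidate), token):
            return candidate
        day += timedelta(days=1)
    return None

def demo() -> dict:
    weak_token = weak_pseudonym(SAMPLE_DOB)
    keyed_token = keyed_pseudonym(SAMPLE_DOB)
    return {
        # Processor (no key) recovers the DOB from the unkeyed hash: still personal data.
        "processor_recovers_weak": reidentify_by_enumeration(weak_token, weak_pseudonym),
        # Processor cannot enumerate keyed tokens without the controller's key.
        "processor_recovers_keyed": reidentify_by_enumeration(keyed_token, weak_pseudonym),
        # Controller can still reverse it: pseudonymised, not anonymised, in its hands.
        "controller_recovers_keyed": reidentify_by_enumeration(keyed_token, keyed_pseudonym),
    }

if __name__ == "__main__":
    print(demo())
```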

Page 22

Transparency

• “… a lack of transparency in terms of the information a controller is able to provide to a data subject on how their personal data is processed is highlighted in the opinion as matter of serious concern. Data subjects must be informed who processes their data for what purposes and to be able to exercise the rights afforded to them in this respect.

• A key conclusion of this Opinion is that businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis. All cloud providers offering services in the EEA should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service. Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services.”

• Art 29 Working Party Opinion 05/2012 on Cloud Computing

Page 23

Conclusion

• As with all Internet innovations, the early adopters are not pre-occupied with legal risk

• Commercial proposition looks compelling

• But – the “what ifs” need to be considered
  – Suppliers not providing clear answers on data protection
  – “Trust us” is not good enough, even if the DP Directive didn’t place a legal obligation on you to guarantee that trust
  – Other considerations also core
    • Over-reliance on one supplier
    • Ceding of control
    • Disaster Recovery
    • Exit management
    • Ongoing Regulatory compliance
    • Remedies and Legal liability

• DPC – You can outsource your data management but you cannot outsource accountability

Page 24

Questions?

• [email protected]

• T: + 353 1 618 0566

• http://ie.linkedin.com/in/robcorbet
