Privacy & compliance issues with cloud computing (Infosecurity 2011)



Privacy & Compliance Issues with Cloud Computing (in Theory and Practice)

Johan Vandendriessche

24 March 2011

Some key concepts

Cloud Computing (by layer)

SaaS
• Google Docs
• Gmail

PaaS
• Google App Engine
• Microsoft Azure Platform
• Oracle/AWS

IaaS
• Amazon Web Services
• FlexiScale

Some key concepts

Cloud Computing (by type)

Type               Managed by               Ownership of infrastructure   Dedicated hardware
Public             Cloud Service Provider   Cloud Service Provider
Private, external  Cloud Service Provider   Cloud Service Provider
Private, internal  Internal Organization    Internal Organization         Yes
Hybrid             Mixed                    Mixed                         Depends on the contract with the CSP

Source: J. Ruiter and M. Warnier, Privacy Regulations for Cloud Computing – Compliance and Implementation in Theory and Practice.

Compliance
  Strict sense: “conforming to a rule, such as a specification, policy, standard or law”
  Tendency to include operational risks in regulations, thereby extending the notion of ‘compliance’ to certain operational risk assessments
    MiFID
    CBFA Circular Letter PPB 2004/5 on good practices in relation to outsourcing by financial institutions and investment companies

Privacy (Data Protection)
  Set of limitations in relation to the processing of ‘personal data’
  Essential compliance obligation!

Some key concepts

UK: fine of 2.275.000 £ imposed by the FSA on Zurich Insurance Company due to data loss by a service provider (outsourced data processing)
  Data loss relating to 46.000 clients due to an unencrypted backup tape
  No evidence that the data had been misused or compromised, but it was clear that Zurich had no effective data protection systems in place, nor systems to manage the risks to the security of customer data resulting from the outsourcing arrangement

Germany: fine of 1.100.000 EUR imposed by the Berlin DPA on Deutsche Bahn
  Screening of employee and supplier data to combat corruption
  Monitoring of communication sent by employees via external e-mail accounts

France: regular fines by the CNIL

Importance of data protection compliance

Limitations in relation to the processing of personal data

Personal data: “any information in relation to an identified or identifiable physical person […]”
  Very broad legal interpretation of the concept of personal data
  Not necessarily sensitive information (although stricter rules apply to special categories of personal data)

Processing: “any operation or set of operations which is performed upon personal data […]”

Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
  Data controller
  Data processor (“service provider”)

Scope of Data Protection Law

Principles
  Processing of personal data is prohibited, unless allowed by the Data Protection Law
  The data processing must comply with specific principles:
    Proportionality
    Purpose limitation
    Limited in time
    (Individual and collective) Transparency
    Data quality
    Data security
    (Individual and collective) Enforcement measures
  No export of personal data to non-EEA countries, unless adequate protection is offered

Principles of Data Protection Law

Security obligation
  General obligation
  Specific obligations
  Obligations in relation to the use of data processors

The Belgian Data Protection Commission has issued a list of security measures that can be implemented: the ‘Reference Measures’
  Description of 10 information security measures
  Based on the ISO 27000 series

Security Obligations

General obligation to implement security measures
  Technical measures
    User access management
    IT security (anti-virus, firewall, …)
    Fire prevention measures
  Organizational measures
    Data categorization (confidentiality level)
    Employee policies

Protection against any unauthorized processing

Adequate level of protection, taking into account:
  Available technology and costs
  Nature of the personal data concerned and the potential risks

Both types of measures are interchangeable

Security Obligations

Data processing operations are often carried out by service providers (“data processors”)

Security measures in case of data processors
  Choice of data processor (quality requirement)
  Security measures must be contractually imposed & verified
  Determine the extent of liability of the data processor
    Data controller is subject to strict liability
    Data controller can be held liable for the acts of the data processor
  Limit the mission of the data processor
  Conclude a written data processing agreement
    Paper document
    Electronic document

Data Processing by Service Providers

Cloud Service Provider (CSP) is generally a ‘data processor’

Cloud Computing agreements
  Standard ‘click-wrap’ agreements
    Generally considered valid under Belgian law in a B2B context
    Meets the requirements of ‘electronic medium’ in data protection law

Security measures must be imposed and audited
  Issue: how to audit security measures in a Cloud setting?
    Potentially multinational
    Locations may change
    Auditing CSPs may become very expensive
  Solution: certification of the CSP (check the scope of the certificates!)
    SAS 70 Type II
    ISO 9000 series
    ISO 27000 series

Cloud Service Providers (CSP)

Issues relating to international dataflows

Diagram: Internal Market for Personal Data = European Economic Area (EEA)
  (1) Data Controller inside EEA ↔ CSP inside EEA (but other EEA Member State): Data Transfer
  (2) Data Controller outside EEA → CSP inside EEA: Data Export / Data Import
  (3) Data Controller inside EEA → CSP outside EEA: Data Export / Data Import




Dataflow within the EEA (1)

Law of the country of establishment of the data controller applies to the data processing operation

Subsequent transfers to sub-processors located within the EEA are possible within the scope of the data processing agreement

Subsequent transfers to sub-processors located outside the EEA are in principle not possible within the scope of the data processing agreement
  There is no P2P (processor-to-processor) Model Contract
  The new Model Contract leaves the door partially open
  The multiparty C2P (controller-to-processor) Model Contract offers a solution

Issues relating to international dataflows

Dataflow from a data controller outside the EEA to a CSP inside the EEA (2)

National data protection law applies if ‘means’ are applied by the data controller on the territory of a member state
  Cumulation of applicable laws if ‘means’ are applied on the territory of several member states
  ‘Worst case situation’, as the data controller becomes subject to data protection law due to the location of the CSP (or its subcontractors)

Art. 29 WP Opinion 8/2010 on applicable law: this criterion has shown to have undesirable consequences, such as a possible universal application of EU law
  Under review for the future data protection framework

Issues relating to international dataflows

Dataflow from a data controller inside the EEA to a CSP outside the EEA (3)

Law of the country of establishment of the data controller applies to the data processing operation

No export to countries outside the EEA, except if they offer adequate protection
  White-listed countries (e.g. Switzerland, USA if Safe Harbor, ...)
  BCR / Model Contracts
    The latest C2P Model Contract accepts ‘onward transfer’ to sub-processors, thereby facilitating Cloud Computing

Issues relating to international dataflows

Review the security mechanisms in place
  Security arrangements to mitigate the risks must be in place

Review the certification of the CSP
  Which certificates?
  Scope of the certificates?
  Background on the certification process

Perform a due diligence in relation to the CSP's terms & conditions
  Performance levels
  Contractual limitations
  Exit plan / retransition: is there an obligation to hand over the client’s data in a readily exploitable manner to the client or any subsequent service provider?
    Belgian law is not very helpful on this issue

Practical approach to Cloud Computing

Cloud Computing is possible in a compliant manner in most cases
  Data security is a key issue
  International dataflows are facilitated by the latest Model Contract

Choose the right type of Cloud Computing service according to the compliance requirements

Security measures must be implemented and audited, especially where personal data are involved
  Potentially expensive (for client and CSP alike)
  Certification offers a valid solution if some precautions are taken (scope!)


Thank you for your attention! Questions?
