Keeping on top of the Cloud - Compliance from a Regulator’s Perspective Henry Chang, IT Advisor Office of the Privacy Commissioner for Personal Data, Hong Kong 6 July 2013 Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing

Keeping on top of the Cloud - Compliance from a Regulator’s Perspective

Henry Chang, IT Advisor
Office of the Privacy Commissioner for Personal Data, Hong Kong

6 July 2013

Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing


Bottom lines

1. Data users are responsible for the protection of personal data entrusted to them;

2. Outsourcing of data processing does not mean outsourcing of legal liability.


Guiding principles of data protection

1. Informed Consent

2. Protection

3. Transparency


Data flow and data protection principles (DPPs)

[Diagram: the personal data flow through an IT system (Collection → Storage, Use or Processing → Retention/Erasure), mapped against the six data protection principles]

– DPP 1 – Collection
– DPP 2 – Accuracy and retention
– DPP 3 – Use
– DPP 4 – Security
– DPP 5 – Transparency
– DPP 6 – Rights of access and correction


The heat map of cloud

[Diagram: heat map of cloud risk. One axis, “Types of Cloud”: Private Cloud (dedicated) vs Public Cloud (shared). The other axis, “Types of Users”: Consumers, SMEs, Enterprises. One region of the map is marked “Most vulnerable”.]


Attractive/free consumer solutions…

1. Uncertainty on whether data protection laws apply

2. Terms often favour service providers

3. There is no free lunch – where is the hidden cost?

4. Ultimate victims of any data breach are consumers

5. Assess risks before using cloud services

6. Consider encrypting data before uploading


Important issues that are not specific to clouds

1. Technical safeguards - Identity management and authentication

2. Proper exit plan, data erasure and data portability

3. Use by contractors that does not match the original purposes

4. Formal data breach notification arrangement


Cloud characteristics

1. Rapid transborder data flow

2. Loose outsourcing arrangements

3. Standard services and contracts


Rapid transborder data flow

1. Does the law allow?

2. Comparable data protection laws
   – Who can tell where the data are?
   – How could data user obligations be fulfilled?
   – Can data flow be limited to a few ‘white list’ jurisdictions?

3. Potential access by foreign LEAs

Loose outsourcing arrangement

1. Lack of controls/relationship
   – No guarantee of controls downstream
   – No contractual remedies

2. Uncertain privacy rules, culture and training
   – Are outsourcers subject to privacy law in their jurisdictions?
   – Are they accustomed to privacy laws?
   – Can they be sanctioned?

3. Where does the loyalty lie?


Standard services and contracts

1. If standard services do not meet the data protection requirements, can cloud provider customise?

2. If customisation is offered, how can cloud customers be sure that the extra measures are in place?


Views from data protection authorities

1. Hong Kong PCPD – http://www.pcpd.org.hk/english/publications/files/cloud_computing_e.pdf

2. The Article 29 Working Party – http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf

3. Office of the Privacy Commissioner, Canada – http://www.priv.gc.ca/information/pub/gd_cc_201206_e.asp

4. Dutch DPA – http://www.dutchdpa.nl/downloads_overig/dutch-dpa-written-opinion-cloud-computing-unofficial-translation.pdf

5. French DPA (CNIL) – http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_Cloud_computing_services.pdf

6. Office of the Privacy Commissioner, New Zealand – http://www.privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/OPC-Cloud-Computing-guidance-February-2013.pdf

7. UK Information Commissioner’s Office – http://www.ico.org.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx

8. International Working Group on Data Protection in Telecommunications – http://datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083

Thank You