Privacy, Personal Data and the Cloud
Billy Hawkes, Data Protection Commissioner
Public Affairs Ireland Conference, Dublin, 30 June 2011

Back to the Future…?

Key Messages
• Data Protection is not a block on Cloud Computing
• Data Protection Law caters for outsourcing to a Cloud Provider (CP) and for international transfers of personal data
• Challenge as for any outsourcing: can you rely on the CP to process your data safely? Is your data safe if it moves outside of the EU?

Using a CP: Law (1)
• Data Controller must enter into a written contract with the Data Processor (Cloud Provider) providing that:
  - CP only carries out processing on instructions of the Data Controller
  - CP must adopt appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data

Using a CP: Law (2)
• Data Controller must:
  - ensure that the CP provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing
  - take reasonable steps to ensure compliance with those measures

Location of Personal Data?
• OK if transferred within the EU/EEA. Also OK if:
  - To approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [only recipients self-certified under the EU-US Safe Harbor framework, and Passenger Name Record (PNR) data] [soon New Zealand]
  - Covered by Model Contracts or Binding Corporate Rules (BCRs)

Data Security
• "….the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective"
  European Network and Information Security Agency (ENISA), Report on Cloud Computing, November 2009, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

Data Protection Challenge
• "Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification"
  ENISA Report, November 2009

Challenges for Outsourcer
• Are you satisfied your data will be secure in the "cloud"?
  - security certification: ISO 27001, SAS 70/SSAE 16 (check that the scope of the certificate or audit report actually covers the service and data centres you will use; a SAS 70/SSAE 16 report attests to controls the provider itself defined, not to a fixed security standard)
  - access controls, data recoverability, data breaches
• Does your contract with the CP give you sufficient control?
  - data portability
• "Ultimately, you can outsource responsibility but you can't outsource accountability" (ENISA)

Challenges for Cloud Provider

• Are you willing to take on the separate data security obligations under EU Data Protection Law? Is this reflected in your contracts?

• Are you willing to accommodate EU restrictions on international data transfers? Clarity on location of data?

Future Prospects
• Ireland well placed as a cloud computing centre: climate, legal environment, robust Data Protection Law
• Focus on accountability of data controllers rather than bureaucratic prescription, in line with the likely shape of revised EU Law


Thank You
Office of the Data Protection Commissioner
Canal House, Station Road, Portarlington, Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
www.dataprotection.ie