Cloud computing the use of contracts as a means of governing networked computer services.

Similar documents
Cloud Computing, SaaS and Outsourcing

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

GDPR compliance: some basics & practical to do list

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Motorola Mobility Binding Corporate Rules (BCRs)

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

How to Establish Security & Privacy Due Diligence in the Cloud

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

Business Technology Briefing: Fear of Flying, And How You Can Overcome It

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Version 1/2018. GDPR Processor Security Controls

Data Security: Public Contracts and the Cloud

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

Cloud Computing. Presentation to AGA April 20, Mike Teller Steve Wilson

Building Trust in the Cloud Era - Protect, Respect Personal Data

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

Privacy hacking & Data Theft

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

Cloud Computing Legal Issues Practising Law institute 2015 San Francisco New York Chicago

Data Privacy in the Cloud E-Government Perspective

Minimum Requirements For The Operation of Management System Certification Bodies

Public vs private cloud for regulated entities

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

Our agenda. The basics

HPE DATA PRIVACY AND SECURITY

Data Privacy and Cybersecurity

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Data Processing Agreement

ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

General Data Protection Regulation (GDPR) The impact of doing business in Asia

WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

Guidelines on the use of cloud computing services. by the European institutions and bodies

Data Processing Agreement for Oracle Cloud Services

PS Mailing Services Ltd Data Protection Policy May 2018

Cloud Computing: A European Perspective. Rolf von Roessing CISA, CGEIT, CISM International Vice President, ISACA

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

COMPTIA CLO-001 EXAM QUESTIONS & ANSWERS

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Five Ways that Privacy Shield is Different from Safe Harbor and Five Simple Steps Companies Can Take to Prepare for Certification

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

CLOUD QUALITY AND CLOUD CERTIFICATION

ECSA Assessment Report

VERSION 1.3 MAY 1, 2018 SNOWFLY PRIVACY POLICY SNOWFLY PERFORMANCE INC. P.O. BOX 95254, SOUTH JORDAN, UT

SANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Google Cloud & the General Data Protection Regulation (GDPR)

TERMS AND CONDITIONS OF USE FOR THE WEBSITE This version is valid as from 1 October 2013.

ecare Vault, Inc. Privacy Policy

Data subject ( Customer or Data subject ): individual to whom personal data relates.

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

PRIVACY POLICY PRIVACY POLICY

8. AUTOMATED DECISION MAKING DURING DATA PROCESSING FURTHER INFORMATION FURTHER INFORMATION AND GUIDANCE CONTACT US...

U.S. Private-sector Privacy Certification

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Data Processing Clauses

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

DATA PROCESSING AGREEMENT

ADIENT VENDOR SECURITY STANDARD

DRAFTING A CLOUD COMPUTING CONTRACT

Accelerate GDPR compliance with the Microsoft Cloud

Data Processor Agreement

GDPR - What does this mean for you? Accelerate GDPR compliance with the Microsoft Services. Konstantin Sviridov Andrey Ivanov.

GDPR: A QUICK OVERVIEW

How to work your cloud around the UK ICO s Data Protection Act

Procuring Cloud Based Services Federal Policies

Privacy Shield Policy

Data Processing Agreement

INFS 214: Introduction to Computing

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement

SDL Privacy Policy Cloud Services

Data Management and Security in the GDPR Era

How to avoid storms in the cloud. The Australian experience and global trends

GROUPON.COM - PRIVACY POLICY

THE TERMS OF THIS PRIVACY & DATA USE POLICY ( POLICY ) ARE LEGALLY BINDING.

Virtual Machine Encryption Security & Compliance in the Cloud

Fundamental Concepts and Models

The Role of the Data Protection Officer

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

Transcription:

Cloud computing the use of contracts as a means of governing networked computer services. Kevin McGillivray PhD Research Fellow, UiO kevin.mcgillivray@jus.uio.no

Agenda Introduction to cloud computing Legal issues Project focus and RQs COCO Clouds EU Project

Control over delivery models

Central issues in Cloud Computing Lack of control: availability, security, vendor lockin (data-hostage clauses etc), confidentiality, access by law enforcement Transparency: What is happening at the different layers of the service? Differences from outsourcing Shared Infrastructure: trust Compliance: data and consumer protection laws, government data, financial or health data, interception/communications regulations Legal: Contract law, IPR, tort, conflicts of laws etc.

Why is cloud interesting from a legal research perspective? Location of Data Relevance for the service vs. Relevance for national laws (DPL etc.) Application of national law? Access by national authorities What liabilities are taken up along the way? Contractual asymmetry Cloud consumer vs. CSP Complexity of services Allocation of responsibilities (layers and technology) Global data transfers Impact on national legal regimes

Jurisdiction Jurisdiction may be impacted by the type of legal issue (DPL, tort law, contract law, criminal law). At least 4 Possible legal systems applicable (1) Legal system where CSP is located (2) Legal system where cloud client is located (3) Legal system where data is stored (4) If personal data is collected and processed, location of the individual to whom the data concerns. Suzlon Energy Ltd v. Microsoft Corporation (9th Cir. Oct. 3, 2011)

Legal issues (contracts) One-size-fits-all contracting Negotiation is possible, but difficult Most services offered on a take-it-or-leave-it basis Attempts to solve all compliance challenges with one contract--not enough attention paid to national laws EU concerns: Difficult for users to exersize rights Limited liability Unilateral changes to terms Choice of law and choice of forum

As is service is the norm Disclaimer of all warranties and limitation of liability common Disclaimers often extend to all partners/subcontractors What is the warranty worth?

Direction of Contracts Outsourcing One-direction Traditional IT outsourcing purchaser had more bargaining power Long negotiation periods common in IT outsourcing Audits common in IT outsourcing Cloud More complex contracting structure Synchronizing terms in existing structure

Cloud Consumer K CSP Secondary Data Center No-K K K Servers (Amazon /Google etc.) K Third Party Apps./soft

Sub-contracting/ Partner concerns Services are often layered / complex How widely are data being shared (servers, software etc.)? How is the data being used by 3 rd parties or partners at each layer? Is personal data accessible? Difficult to perform audits (multiple copies, partners change, located globally) Deletion challenges In the view of the WP29, the processor can subcontract its activities only on the basis of the consent of the controller, which may be generally given at the beginning of the service. 3.3.2 Subcontractors.

Responsibilities in the Cloud Security Liability Insurance Cloud broker

Google and the City of LA CSC K City of LA K Google (sub-k) NDA

Common terms some considerations Limits on use of the data (behavioral advertising etc.) Level of security reasonable vs. a specific standard Does the contract require notice of a breach? Audits, third-party verification Who is responsible for security? Data location Confidentiality/Access Access by CSP employees Helpdesk employees? AUP Account suspension/termination events/deletion Ownership of data Indemnification (Cloud Consumer\ CSP) Variation of Contract terms Choice of law or forum

EU Data Protection in Cloud Computing Limits on processing of personal data Cloud consumer Controller Cloud Service Provider Processor (generally) Well suited for Cloud?

Article 17 of Directive 95/46/EC Security of processing 3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: - the processor shall act only on instructions from the controller, - the obligations set out in paragraph 1 [appropriate technical and organizational measures] as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

Data storage Once a file is added to your Dropbox, the file is then synced to Dropbox s secure online servers. All files stored online by Dropbox are encrypted and kept securely on Amazon s Simple Storage Service (S3) in multiple data centers located across the United States. You can find more information about Amazon S3 or learn about Amazon S3 s security measures on the Amazon website. (Dropbox.com) If you use the Service, you acknowledge that you may be sending electronic communications (including your personal account information and Content), through computer networks owned by Evernote and third parties located in California and other locations in the United States and other countries. (Evernote.com)

Consider the risks when placing personal data on the cloud Arrangement of the CSP Security Framework Location Determine the structure of the cloud service Identify the parties and the role they will play (Controller, processor, sub-processor etc.) Location, roles, access of sub-contractors and partners Type of Data (personal, sensitive etc.) and responsibilities Determine obligations that cannot be outsourced to the cloud Differences between delivery and deployment models (IaaS, PaaS, SaaS) (private, public, hybrid) Responsibility for security? Access? Where will the data be located? If outside the EU, are safeguards in place (SCC, BCR)? Is it possible to audit the activities of the CSP? What does the contract say?

Research Questions What role do contracts play as a means of governing, organizing, and enforcing the legal relationships created in cloud computing? Enforcement mechanism + Memorialization of cooperation and relationships Is the central role of contracts and selfregulation adequate or should states play a greater role? Private ordering vs. state regulation What changes by using cloud? Is cloud a good idea?

How ought the cloud be governed? Contracts more lawful role Modernize agreements Compliance with national laws National laws more active role Update rules Clearer compliance standards EU Change controller processor balance Balkanization of the cloud International treaty? Increased self and voluntary regulation? Future of private ordering

Architecture/Standards (Self-regulation) Role of industry and third-parties ISO/IEC 27017 Information Security management for cloud systems (in Development) ISO/IEC 27018 Data protection for cloud systems (in Development)

http://www.cococloud.eu/http://httcloud.eu/ CONFIDENTIAL AND COMPLIANT CLOUDS To facilitate the writing, understanding, analysis, management, enforcement and dissolution of data sharing agreements. "My data cannot be accessed outside of the EU" To consider the most appropriate enforcing mechanisms. To address key challenges for legally compliant data sharing in the cloud.

Compliance by Design Fair and Lawful Processing Proportionality Minimality Purpose Limitation Data Subject Influence Data Quality Data Security Sensitivity

Compliance Requirements may depend on the type of data ehealth Pilot- sharing highly sensitive medical data such as medical images and their corresponding reports; egovernement Pilot- sharing of civil data of citizens between and across different Italian Public Administrations; SAP Mobile Sharing Pilot- confidential business information shared over a mobile network.

Sources of compliance

DSA: making the distinction

Selected References EU European Commission, (2012), 'Unleashing the Potential of Cloud Computing in Europe', (529 Brussels). Hustinx, Peter (2012), 'Opinion of the European Data Protection Supervisor on the Commission's Communication on Unleashing the potential of Cloud Computing in Europe, (Brussels: European Data Protection Supervisor). WP29 Opinion 196 05/2012 on Cloud Computing, available at: http://ec.europa.eu/justice/dataprotection/ article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf. Articles Bradshaw, Simon, Millard, Christopher, and Walden, Ian (2011), 'Contracts for clouds: Comparison and analysis of the Terms and Conditions of cloud computing services', International Journal of Law and Information Technology, 19 (3), 187-223. Becker, Matthew B. (2012), 'Interoperability Case Study Cloud Computing', Harvard University - Berkman Center for Internet & Society Research Publication No. 2012-11, No. 2012-11, 25. Bender, Scott (2012), 'Privacy in The Cloud Frontier: Abandoning the Take it or leave it Approach', Drexel Law Review, 4, 27. Carmeli, Daniel (2013), 'Keep an I on the Sky: E-Discovery Risks Forecasted For Apple's icloud', BostonCollege Intellectual Property & Technology Forum, 2013 (1), 34. Grance, Peter Mell & Tim (2011), 'The NIST Definition of Cloud Computing', (Special Publication 800-145 edn.version 15), 7. Parker, Joshua S. (2012), 'Lost in the Cloud: Protecting End-User Privacy in Federal Cloud Computing Contracts', Public Contract Law Journal, 41 (385), 15. W. Kuan Hon, Christopher Millard & Ian Walden (2012), 'Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now', STANFORD TECHNOLOGY LAW REVIEW, 16 (1), 50.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback