Lots of clouds: a stormy weather for information privacy?
Michel Jaccard
Sylvain Métille
Web idest.pro Twitter @idestavocats
Introduction
• Purpose: know what you do, why you do it, the risks and the best practices
• Assumption: you all know what cloud computing means from a technical / organisational point of view. What about legal pitfalls ?
• Scope: Analysis limited to privacy issues, and to major legal concepts
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
2
Cloud computing – Specific Risks
• Loss of control over data ?
• Not entirely specific, but reinforced
• Non compliance with the law ?
• Not entirely specific, but reinforced
• Vendor lock in ?
• Not entirely specific, but reinforced
• Access requests by law enforcement authorities ?
• Not entirely specific, but reinforced
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
3
Information privacy (legal)
Data Protection Act
ok
Directive/regulation apply to data
treated in EU or related to
residents…
One statute state laws +
sectorial
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
4
Information privacy (global)
Data
• all information
• relating to an identified or identifiable
• natural (or legal) person
Consent • Voluntarily given
• Based on adequate information
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
5
Cloud based locally
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
6
Cloud = data transmitted to a third party
Cloud based locally
10a DPA Data processing by third parties
• Processing assigned by agreement or by law
•Data is processed in the manner permitted to the instructing party itself
•Not prohibited by law or duty of confidentiality
• Third party guarantees data security
Informed consent
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
7
Cloud based far away
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
8
Cloud = data transmitted abroad (adequate protection)
Cloud based far away
6 DPA Cross-border disclosure
• Requires legislation that guarantees an adequate protection
•Ok for the contracting parties to Convention 108 (OECD minus Russia, Turkey, Armenia and San Marino)
•Only data related to private persons
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
9
Cloud based far far away
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
10
Cloud = data transmitted abroad (no adequate protection)
Cloud based far far away
Instead of a legislation that guarantees an adequate protection
•Safeguards can be granted in a contract (models)
•Safe Harbor Framework (USA) only data of private persons
•Consent in the specific case
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
11
Risks depending on the local law
• USA: third-party doctrine
• the one who knowingly reveals information to a third party relinquishes the Fourth Amendment protection in that information.
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
12
Sample provisions
• We may disclose your information to members of our company group for the purposes listed above.
• We will not disclose your information to any third party outside of our company group except under the following limited circumstances.
• We may disclose your personal information to carefully selected service providers and agents who operate elements of our web site service and process data on our behalf. These may include businesses who provide technology services such as hosting for our servers and email distribution and business partners who provide delivery fulfilment services.
• From time to time we may also provide your information to carefully selected customer service agencies for research and analysis purposes, on our behalf, so that we can monitor and improve the services we provide. If you consent, we or our agents, acting on our behalf, may contact you by post, email or telephone to ask you for your feedback and comments on our services.
• …
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
13
Sample provisions
• Where such disclosures are made, this will be under contractual arrangements with us and carried out in accordance with the requirements of the Act.
• We may also use aggregate information and statistics for the purposes of monitoring website usage in order to help us develop the website and our services and may provide such aggregate information to third parties. These statistics will not include information that can be used to identify any individual.
• In assessing your request for goods or services, we may use your information for the purposes of the prevention and detection of fraud.
• We may also disclose your personal information to our subsidiaries and affiliated companies and any successors in title to our business.
• …
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
14
Best practices
• …
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
15
Conclusions
• Anything new under the sun ?
• Legal analysis (compliance) PLUS risk assessment (best practices) are REQUIRED to develop a comprehensive strategy (in other words: do not let the lawyers alone / among them !)
• The cheaper pricing not (always) the best solution.
• Internal due diligence frequently a prerequisite.
• Always have a plan B.
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
16
Any questions or comments?
Wo
rksh
op
id e
st a
voca
ts @
Lif
t12
17
Michel Jaccard [email protected] Sylvain Métille [email protected]
Web idest.pro Twitter @idestavocats