Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing
Keeping on top of the Cloud - Compliance from a Regulator’s Perspective
Henry Chang, IT Advisor, Office of the Privacy Commissioner for Personal Data, Hong Kong
6 July 2013
Bottom lines
• Data users are responsible for the protection of personal data entrusted to them;
• Outsourcing of data processing does not mean outsourcing of legal liability.

Guiding principles of data protection
• Informed Consent
• Protection
• Transparency
Data flow and data protection principles (DPPs)
[Diagram: Personal Data Flow – Collection → Storage, Use or Processing (IT System) → Retention/Erasure, with the DPPs mapped onto each stage]
• DPP 1 – Collection
• DPP 2 – Accuracy and retention
• DPP 3 – Use
• DPP 4 – Security
• DPP 5 – Transparency
• DPP 6 – Rights of access and correction

The heat map of cloud
[Diagram: Types of Users (Enterprises, SMEs, Consumers) against Types of Cloud (Private Cloud (dedicated), Public Cloud (shared)); consumers on shared public cloud marked as most vulnerable]
Attractive/free consumer solutions…
• Uncertainty on whether data protection laws apply
• Terms often favour service providers
• There is no free lunch – where is the hidden cost?
• Ultimate victims of any data breach are consumers
• Assess risks before using cloud services
• Consider encrypting data before uploading

Important issues that are not specific to clouds
• Technical safeguards - identity management and authentication
• Proper exit plan, data erasure and data portability
• Use by contractors that does not match the original purposes
• Formal data breach notification arrangement

Cloud characteristics
• Rapid transborder data flow
• Loose outsourcing arrangements
• Standard services and contracts
Rapid transborder data flow
• Does the law allow?
• Comparable data protection laws
• Who can tell where the data are?
• How could data user obligations be fulfilled?
• Can data flow be limited to a few ‘white list’ jurisdictions?
• Potential access by foreign LEAs

Loose outsourcing arrangement
• Lack of controls/relationship
• No guarantee of controls downstream
• No contractual remedies
• Uncertain privacy rules, culture and training
• Are outsourcers subject to privacy law in their jurisdictions?
• Are they accustomed to privacy laws?
• Can they be sanctioned?
• Where does the loyalty lie?

Standard services and contracts
• If standard services do not meet the data protection requirements, can the cloud provider customise?
• If customisation is offered, how can cloud customers be sure that the extra measures are in place?
Views from data protection authorities
1. Hong Kong PCPD – http://www.pcpd.org.hk/english/publications/files/cloud_computing_e.pdf
2. The Article 29 Working Party – http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
3. Office of the Privacy Commissioner, Canada – http://www.priv.gc.ca/information/pub/gd_cc_201206_e.asp
4. Dutch DPA – http://www.dutchdpa.nl/downloads_overig/dutch-dpa-written-opinion-cloud-computing-unofficial-translation.pdf
5. French DPA (CNIL) – http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_Cloud_computing_services.pdf
6. Office of the Privacy Commissioner, New Zealand – http://www.privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/OPC-Cloud-Computing-guidance-February-2013.pdf
7. UK Information Commissioner’s Office – http://www.ico.org.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx
8. International Working Group on Data Protection in Telecommunications – http://datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083