Who is responsible for 'personal data' in cloud computing?-The cloud of unknowing, Part 2

International Data Privacy Law

Volumn 2, Issue 1, 2012, Pages 3-18

  Kuan Hon, W ^a   Millard, Christopher ^b   Walden, Ian ^c  

^a CLP ^*

^b UNIVERSITY OF OXFORD   (United Kingdom)

^c QUEEN MARY UNIVERSITY OF LONDON   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85070939651     PISSN: 20443994     EISSN: 20444001     Source Type: Journal    
DOI: 10.1093/idpl/ipr025     Document Type: Article

References (41)

1. W Kuan Hon, Christopher Millard and Ian Walden, 'The problem of “personal data” in cloud computing: what information is regulated?-the cloud of unknowing', (2011) 1(4) International Data Privacy Law 211-28. doi: 10.1093/idpl/ipr018
2. and W. Kuan Hon, Christopher Millard and Ian Walden, 'The Problem of 'Personal Data' in Cloud Computing-What Information is Regulated? The Cloud of Unknowing, Part 1' (2011) Queen Mary School of Law Legal Studies Research Paper No 75/2011,http://papers.ssrn.com/sol3/papers. cfm?abstract_id=1783577. (last accessed 8 September 2011) (CLP Personal Data Paper).
3. Eg Ponemon Institute, Flying Blind in the Cloud-The State of Information Governance (7 April 2010);
4. European Network and Information Security Agency, An SME perspective on Cloud Computing-Survey (ENISA, November 2009).
5. Other privacy law issues are not covered, eg confidentiality; use of private information or right to private life under European Convention of Human Rights or EU Charter of Fundamental Human Rights. On confidential information in the cloud, see Chris Reed's CLP paper, 'Information “Ownership” in the Cloud' (2010) Queen Mary School of Law Legal Studies Research Paper No. 45/2010,http://papers.ssrn.com/ sol3/papers.cfm?abstract_id=1562461. (last accessed 8 September 2011).
6. We will not discuss the DPD's applicability to an entity through its having the requisite EEA connection (on which see W Kuan Hon, Julia Hörnle and Christopher Millard, 'Data Protection Jurisdiction and Cloud Computing-When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3' (2011) Queen Mary School of Law Legal Studies Research Paper No 84/2011,http:// papers.ssrn.com/sol3/papers.cfm?abstract_id=1924240. (last accessed October 2011), or transferring personal data outside the EEA-see
7. W Kuan Hon and Christopher Millard, 'Data Export in Cloud Computing-How Can Personal Data Be Transferred Outside the EEA? The Cloud of Unknowing, Part 4' (2011) Queen Mary School of Law Legal Studies Research Paper No 85/2011,http://papers.ssrn.com/sol3/papers. cfm?abstract_id=1925066. (last accessed October 2011).
8. C Kuner, European Data Protection Law: Corporate Compliance and Regulation (2nd edn, OUP, Oxford 2007), ch 1, pt G.
9. European Commission, A comprehensive approach on personal data protection in the European Union (Communication) COM (2010) 609 final (2010);
10. Neelie Kroes, 'Cloud computing and data protection' (Les Assises du Numérique conference, Université Paris-Dauphine, 25 November 2010) SPEECH/10/686.
11. S Bradshaw, C Millard and I Walden, 'Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services' (2010) Queen Mary School of Law Legal Studies Research Paper No 63/2010 (CLP Contracts Paper),http://papers.ssrn. com/sol3/papers.cfm?abstract_id=1662374. (last accessed 8 September 2011)
12. and Simon Bradshaw, Christopher Millard and Ian Walden, 'Contracts for clouds: comparison and analysis of the Terms and Conditions of cloud computing services', (2011) 19(3) Int J Law Info Tech, 187, doi:10.1093/ijlit/ear005.
13. Heroku, 'Can I connect to services outside of Heroku?',http:// devcenter.heroku.com/articles/external-services. (last accessed 8 September 2011).
14. Heroku's acquisition by SaaS (and, increasingly, PaaS) provider Salesforce.com was completed in January 2011. Salesforce.com, 'Salesforce.com Completes Acquisition of Heroku' (2011).
15. Eg, for Windows Azure users, Zuora's payments system. 'Real World Windows Azure: Interview with Jeff Yoshimura, Head of Product Marketing, Zuora' (Windows Azure Team Blog, 11 November 2010) ,http://blogs.msdn.com/b/windowsazure/archive/2010/11/11/real-world-windows-azure-interview-with-jeff-yoshimura-head-of-product-marketing-zuora.aspx. (last accessed 8 September 2011).
16. 'Google Apps Marketplace now launched' (Google Apps, 10 March 2010) ,http://googleappsupdates.blogspot.com/2010/03/google-apps-marketplace-now-launched.html. (last accessed 8 September 2011).
17. According to the UK Information Commissioner's Office (ICO) the written contract may be electronic. ICO, Personal information online code of practice (2010), 29.
18. WP169 (n 31) 27: 'one should avoid a chain of (sub-)processors that would dilute or even prevent effective control and clear responsibility for processing activities, unless the responsibilities of the various parties in the chain are clearly established.' The use of sub-processors further complicates the position, in practice. For example, The European Privacy Officers Forum, Comments on the Review of European Data Protection Framework (2009) (EPOF),http://ec.europa.eu/justice/news/ consulting_public/0003/contributions/organisations_not_registered/ epof_en.pdf. (last accessed 8 September 2011) pointed out the lack of harmonization in the approaches of different member states' data protection authorities to the use of sub-processors in outsourcing: some regulators require direct contracts between the controller and every sub- or sub-sub-processor, while the 'much more pragmatic approach' of other regulators (including in Spain and the UK) allows the first processor's obligations to be passed contractually to sub-processors provided the controller consents and can enforce its rights against any sub-processor.
19. A29WP, Opinion 1/2010 on the concepts of 'controller' and 'processor', WP169 (2010). For discussion and examples of practical problems, see ICC Task Force on Privacy and the Protection of Personal Data, Summary of the Workshop on the Distinction between Data Controllers and Data Processors (International Chamber of Commerce, Paris 25 October 2007).
20. A29WP and Working Party on Police and Justice, The Future of Privacy-Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, WP168 (2009) [41].
21. PayPal, Privacy Policy for PayPal Services (7 September 2011),https:// cms.paypal.com/ie/cgi-bin/marketingweb?cmd=_render-content& content_ID=ua/Privacy_full. (last accessed 8 September 2011).
22. For example technology corporation Apple which offers SaaS services such as MobileMe-see,http://www.apple.com/privacy/. under 'International Users' (last accessed 8 September 2011)-and the
23. forthcoming iCloud; and enterprise SaaS provider Salesforce-Privacy Statement,http://www.salesforce.com/company/updated_privacy.jsp. (last accessed 8 September 2011). The Safe Harbor is one way of allowing transfer of personal data from the EEA to the USA. Commission Decision 2000/520/EC OJ L215/7, 25.8.2000-see further Hon, Hörnle and Millard (n 8).
24. Some of the TOS do recognize that data processed by users using their services may include personal data, perhaps even that of third parties. Examples include IaaS provider GoGrid's Privacy Policy (2008),http:// www.gogrid.com/legal/privacy-policy.php. (last accessed 8 September 2011) which states under 'Hosted Data'
25. 'With regard to data protection laws, you are the data controller for all data stored in your account or transmitted by your virtual servers', ElasticHosts, Terms of Service (2011),http://www.elastichosts.com/ cloud-hosting/terms-of-service. (last accessed 8 September 2011).
26. Microsoft, Terms of Use (The Database Manager for SQL Azure) Section 8 'Your Privacy Practices',http://msdn.microsoft.com/en-us/library/ gg442310.aspx. (last accessed 8 September 2011)
27. security breaches or other alleged faults in the Service, including without limitation faults listed in the SLA and faults leading to the release or exposure of personally identifiable information or other private data (whether such data belongs to Customer, to one of Customer's customers, or to other third parties); . . .,http://www.gogrid.com/legal/terms-service.php. (last accessed 8 September 2011).
28. Akamai's processing of data is determined by our business customers. When processing data on behalf of business customers as an intermediary service provider, Akamai does not collect, use, or disclose personally identifiable consumer information, except as directed by Akamai's business customers . . .,http://www.akamai.com/html/policies/privacy_statement.html. (last accessed 8 September 2011). Akamai's service, which mirrors its clients' websites on its own infrastructure to improve the availability of those websites, is a good example of a cloud service providing a relatively 'passive' service which may be difficult to classify as IaaS, PaaS, or SaaS.
29. 49,http://www.ironmountain.com/legal/client-software-license-agreement. html. (last accessed 8 September 2011)-referring to European Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC OJ L6/52, 10.01.2002, since superseded by the Decision mentioned in n 26.
30. Sections 1.4 and 1.5,http://www.google.com/apps/intl/en/terms/ premier_terms_ie.html. (last accessed 8 September 2011).
31. Rackspace General Terms,http://www.rackspace.co.uk/rackspace-home/ legal/general-terms/. (last accessed 8 September 2011), Clause 19
32. IaaS provider Rackspace made this point in its contribution to the 2009 Consultation. Rackspace US, Inc., International transfer of personal data (Consultation Paper on the Legal Framework for the Fundamental Right to Protection of Personal Data), 4 (2009),http://ec.europa.eu/justice/news/ consulting_public/0003/contributions/organisations_not_registered/ rackspace_us_inc_en.pdf. (last accessed 8 September 2011): There is a need for a clear distinction of requirements for processors that have access to data and are processing such data on the instruction of the data controller and who determine the means of processing (eg payroll companies, accountants, call centers, market research companies); as opposed to IT hosting providers that only provide technical infrastructure and technical support to a processor who uses such equipment to perform its data processing. The IT hosting provider in this case provides processing equipment, hosting infrastructure, and technical support for the use of the processor to store and transmit the data. Such processing is controlled by the data processor who is renting the hosting equipment from the IT hosting provider who has no right to access data stored on the data processor's server.
33. For example, data stored using Amazon's Elastic Block Store (EBS), which to the Amazon user appears as an emulation of a physical hard drive, is, at least before a snapshot of an EBS is stored on Amazon's S3 storage service, first broken into chunks, whose size depends on Amazon's optimizations. Amazon, Amazon Elastic Block Store (EBS) (2011),http://aws.amazon.com/ebs/. (last accessed 8 September 2011).
34. A cloud provider's acceptable use policy may entitle it to ban or remove certain kinds of data, but it cannot realistically control what data its users store with it, unless and until it has knowledge or perhaps notice that a user has stored unacceptable data. Certain material may now, upon upload to video sharing sites such as YouTube, be vetted for copyright breaches through automated checking against reference files-YouTube LLC, 'Audio ID and Video ID',http://www.youtube.com/t/ contentid. (last accessed 8 September 2011). However, it is not
35. viewed by Facebook users-'NHS.uk allowing Google, Facebook, and others to track you' (Garlik blog, 23 November 2010),http://www. garlik.com/blog/?p=405. (last accessed 8 September 2011). A study unmasked the secret collection of personal data, including the 'ushering in' of fourth- or fifth-party data collectors, by certain advertising network scripts, unbeknownst to the websites inserting the script-Krux Digital, Krux Cross-Industry Study (2010).
36. Increasingly, services are being offered to assist users to use cloud services, including encryption and key management, such as by Nasuni. Rob Mason, 'Data Security and the Nasuni Filer-Just the Facts' (Nasuni blog, 15 March 2010) ,http://www.nasuni.com/news/nasuni-blog/data-security-and-the-nasuni-filer-just-the-facts/. (last accessed 8 September 2011).
37. For example, the submission to the 2009 consultation by International Pharmaceutical Privacy Consortium, Comments in Response to the Consultation on the Legal Framework for the Fundamental Right to Protection of Personal Data (2009),http://ec.europa.eu/justice/news/ consulting_public/0003/contributions/organisations_not_registered/ international_pharmaceutical_privacy_consortium_en.pdf. (last accessed 8 September 2011) notes
38. See also the submissions to the 2009 Consultation by International Chamber of Commerce, ICC Response to the European Commission Consultation on the Legal Framework for the Fundamental Right to Protection of Personal Data (2009), 4,http://ec.europa.eu/justice/news/ consulting_public/0003/contributions/organisations_not_registered/ international_chamber_of_commerce_icc_en.pdf. (last accessed 8 September 2011);
39. and Vodafone, The future direction of EU Data Protection and privacy regulation (2009),http://ec.europa.eu/justice/ news/consulting_public/0003/contributions/ organisations_not_registered/vodafone_en.pdf. (last accessed 8 September 2011).
40. For example see Alcatel-Lucent, The European Commission's Consultation on the Legal Framework for the Fundamental Right to Protection of Personal Data: Alcatel-Lucent contribution (2009), 5,http://ec.europa. eu/justice/news/consulting_public/0003/contributions/ organisations_not_registered/alcatel_lucent_en.pdf. (last accessed 8 September 2011): 'having a responsible party who will guarantee end-to-end protection for users, and who has sufficient financially backing (eg insurance) to meet its responsibilities'.
41. European Commission, Public consultation on the future of electronic commerce in the internal market and the implementation of the Directive on electronic commerce (2000/31/EC) (2010).