Saturday, January 29, 2011

Dealing with privacy in the cloud: the European Data Protection Directive

Yesterday, Friday 28 January 2011, was Data Privacy Day, an international celebration of the dignity of the individual expressed through personal information.
What a coincidence: the day before, I was invited by my dear friend Paolo Balboni to take part in "The Expert Panel on Cloud Computing and the Protection of Personal Data". Considering my critical attitude as a tester towards software and my knowledge of user-centric web protocols like UMA and OpenID, Paolo thought I should have my say here.
I had to be in Amsterdam for another meeting, so I gladly accepted the invitation.
What's it all about then?

The Istituto Italiano Privacy (IIP), together with the European Privacy Association (EPA), organized "The Expert Panel on Cloud Computing and the Protection of Personal Data".
The IIP together with the EPA published a working paper titled ‘Cloud Computing and the Protection of Personal Data: Privacy and the Global Web, Risks and Resources for the Citizens of the Internet’.
IIP and EPA are aware of the ongoing debate on privacy and cloud computing in the Netherlands. Therefore, they want to share their pan-European experience on the matter with the panel and learn about the Dutch experience.
Through the presentations it became clear that both IIP and EPA want to produce a position paper, based on the input from the panel and their working paper, to address the issues of all parties involved in cloud computing and privacy in Europe.
This is a very hard nut to crack, because the European Community consists of many different countries with different laws and different privacy regulators.
However, there is the Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), a European Union directive which regulates the processing of personal data within the European Union. All members of the European Union must follow this Directive and implement it in their Privacy Policy.
But what happens when a non-European Community cloud provider does not follow the Data Protection Directive? Can he be caught?
No, he can't be caught if the cloud provider, as a data controller, is not based in Europe and is not using equipment in the EU.
Hm, data controller, what's that and are there other data parties?
A data controller, according to the Data Protection Directive, is the one who determines the purposes and means of the processing of personal data (art. 2d). There is also a data processor, who processes personal data on behalf of the controller (art. 2e).
See where I'm going? In cloud computing it remains quite unclear who is the data controller and who is the processor, and the Data Protection Directive is not clear on this yet.
Another privacy issue addressed in the panel discussion is the transfer of data outside the EU.
An EU customer has no idea of, or control over, where its data is located and fears its data subject rights are not guaranteed.

These are privacy issues to be dealt with.
Therefore, Directive 95/46/EC is under revision to also address the issues of cloud computing.
ENISA recently published a study dealing with the legal and security issues of cloud computing, and the CAMM project will deliver in 2011 a new business barometer for the quality of the security profiles of cloud service providers.

And then there will be the IIP/EPA Position Paper, aimed at addressing concrete data protection issues and suggesting solutions for a sustainable, privacy-friendly cloud framework.
Input from cloud vendors is very much appreciated here.


Interesting times ahead for anyone interested in the protection of personal data in the EU.

This post was mainly about solutions for privacy in policies; my next post will be about the privacy solutions the cloud vendors apply at this time.
