by Attila Kertesz and Szilvia Varadi
Cloud Computing offers flexible resource provision for businesses, enabling them to respond effectively to new demands from customers. This new technology moves local data management to a third-party provided service, a phenomenon that raises legal issues such as data protection and privacy. We have evaluated Cloud use cases against the applicable law set out by the Data Protection Directive of the EU to pinpoint where legal problems may arise.
Cloud Computing offers on-demand access to infrastructure resources operated from a remote source. Recently, this form of service provision has become hugely popular, with many businesses migrating their IT applications and data to the Cloud to take advantage of the flexible resource provision that can benefit businesses by responding quickly to new demands from customers. Cloud Computing also moves functions and responsibilities away from local ownership and data management to a third-party provided service, and brings with it a set of associated legal issues such as data protection and privacy, and the need to comply with certain regulations. Owing to the pace of technical and economic progress in this field it is important to determine the compliance of commonly-observed Cloud Computing patterns-of-use to legal constraints and requirements.
Current European legislation
To clarify legal compliance in this field, we investigated commonly-observed Cloud use cases in collaboration with colleagues from the Tilburg University within the framework of the S-Cube project [2]. We considered the Data Protection Directive (DPD, 95/46/EC) of the European Union [1] – a commonly accepted and influential directive in the field of data processing legislation. This legislation is fundamental to Clouds as the consumer loses a degree of control over personal artefacts when they are submitted to the provider for storage and possible processing. To protect the consumer against misuse of their data by the provider, data processing legislation has been developed to ensure that the fundamental right to privacy is maintained. However, the distributed nature of Cloud Computing makes is difficult to analyse the data protection law of each country for common Cloud architecture evaluation criteria. The European DPD was designed to protect the privacy and all personal data collected for or about citizens of the EU, especially as it relates to processing, using or exchanging such data. The requirements of the DPD are expressed as two technology-neutral actors or roles that have certain responsibilities that must be carried out in order to fulfil the directive. These roles are naturally equivalent to service consumer and service provider roles found in distributed computing. The data controller is the natural or legal person which determines the means of processing of personal data, whilst a data processor is a natural or legal person which processes data on behalf of the controller. However, if the processing entity plays a role in determining the purposes or the means of processing, it is a controller rather than a processor.
Figure 1: Data distribution regulations related to EU Member States with different infrastructure providers.
Legal issues in Cloud use cases
We consider a generalized view of a Cloud Federation [3] that incorporates private, public, multi- and hybrid Cloud architectures derived from related Cloud standardization groups and European Cloud projects (NIST, ENISA, OPTIMIS). In this vision, interoperability is achieved by high-level brokering instead of bilateral resource renting, operated by a Service Provider (SP). In this situation different Infrastructure Providers (IP) may share or rent resources to provide a scalable infrastructure for SPs, which may be done transparently to the SPs. We have identified a series of use cases in federated Cloud architectures, in which legal issues may arise and necessary action should be taken in order to prevent violations. We found that the SP is mainly responsible for complying with data protection regulation. When personal data are transferred to multiple jurisdictions it is crucial to properly identify the controller since this role may change dynamically in specific actions. Information on the exact location of the processing establishments is also of great importance in these cases. Even if only one datacentre of a federation resides in the EU, the law of the appropriate Member State (MS) of this datacentre must be applied by the SP. Figure 1 depicts a use case in which an SP provides a federated Cloud management in an MS. In this case different IPs are utilized, one of which is located in a non-MS. Since SP is the data controller and IPs are processors, the law of the SP's MS has to be applied, and the IP outside the EU has to provide at least the same level of protection as required by the national law of an MS. Otherwise, if a non-MS IP cannot ensure an adequate level of protection, the decision making process of SP should rule out this IP from provider selection.
Outlook
In summary, the currently effective European DPD is appropriate for determining the law applicable for data management in Cloud services when the data controller and processor roles are well identified. More problematic for companies, however, is process of applying the relevant law at a European scale, because the Member States have implemented the DPD in different ways. This issue has been recognized by the European Commission. They have proposed a reform of the European data protection rules in a regulation that will replace the current directive, the main goal being to strengthen the users' influence on their personal data.
Links:
http://www.lpds.sztaki.hu/CloudResearch
http://www.s-cube-network.eu/
References:
[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, pp. 31-50, Nov. 1995.
[2] Sz. Varadi, A. Kertesz, M. Parkin, The Necessity of Legally Compliant Data Management in European Cloud Architectures, Computer law and security review (CLSR), Elsevier
(2012), doi:10.1016/j.clsr.2012.05.006
[3] A. Kertesz, A. Marosi, P. Kacsuk, Interoperable Resource Management for establishing Federated Clouds, In book: Achieving Federated and Self-Manageable Cloud Infrastructures: Theory and Practice, IGI Global (USA), pp. 18-35, 2012.
Please contact:
Attila Kertesz
SZTAKI, Hungary
E-mail:
Szilvia Varadi
University of Szeged, Hungary
E-mail: