Data Protection in the Clouds

Abstract

Cloud computing appears as the last step of the evolution of information systems, since the technology uses all the possibilities of the virtual world. Before the cloud, the Internet was a set of connections between computers and networks; now it is becoming (has it already become?) a place where data can be stored. The phenomenon concerns social networks and other Web 2.0 platforms as well as companies that partly or wholly delocalize their computing resources. This chapter evokes the main privacy issues raised by this evolution. We pinpoint problems related to the protection of legal persons, to security, to transborder data flows, which are inherent to cloud computing, and, finally, to the problems met by the law enforcement authorities. This contribution highlights some of the main issues raised by cloud computing from the perspective of the Council of Europe’s Convention 108 (of January 28, 1981) for the protection of individuals with regard to automatic processing of personal data, and it considers its possible modification.

Keywords

  • Cloud Computing
  • Personal Data
  • Cloud Provider
  • Data Subject
  • Data Controller

This chapter is based on the report written by the CRID in the context of the OCTOPUS Conference organised by the Council of Europe in order to strengthen the cooperation between law enforcement agencies under the Cybercrime Convention. The text of the report is available on the Council of Europe website. Even though the text of the article is a deeply modified version of the report, we have decided to limit the number of footnotes in order to keep the format of the report and to refer mainly, though not only, to the text of the C.o.E. Convention 108.

  • DOI: 10.1007/978-94-007-0641-5_18
  • Chapter length: 33 pages

Notes

  1. Meil, P., and T. Grance. The NIST Definition of Cloud Computing, Version 15, 10-07-09, available on NIST (National Institute of Standards and Technology) web site.

  2. Meil, P., and T. Grance. The NIST Definition of Cloud Computing, Version 15, 10-07-09, available on NIST (National Institute of Standards and Technology) web site.

  3. Meil, P., and T. Grance. The NIST Definition of Cloud Computing, Version 15, 10-07-09, available on NIST (National Institute of Standards and Technology) web site.

  4. See https://www.dropbox.com/ for a simple example of a cloud storage facility or http://msdn.microsoft.com/en-us/azure/default.aspx for a more complex example of a platform provider.

  5. See for example http://aws.amazon.com/ec2/.

  6. IaaS services are typically used by multiple tenants at the same time, and hence multiple virtual machines will run simultaneously on the physical server.

  7. Segmentation is also an important requirement for the other types of CSS because they share vulnerabilities.

  8. As regards these services, see Article 29 Data Protection Working Party, Opinion 5/2009 on online social networking (WP163), adopted on 12 June 2009; Moiny, J.-P. “Facebook au regard des règles européennes concernant la protection des données”, 2 E.C.J.L., 2010, pp. 235 and ff.

  9. See Sec. 1303, (b), 1, (a), ii of the Children’s Online Privacy Protection Act of 1998, available on http://www.ftc.gov/ogc/coppa1.htm. Sec. 1303 (b), 2 however specifies some exceptions to the requirement of parental consent.

  10. Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising (WP171), adopted on 22 June 2010, p. 17.

  11. Available on https://www.cms.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf. About this example and others, see B. Gellman, Privacy in the clouds: Risks to Privacy and confidentiality from Cloud Computing, Report prepared for the World Privacy Forum, Feb. 23, 2009.

  12. However, we can take the concept of data processor out of the article 7 of ETS 108.

  13. As regards the concepts of data controller and data processor of Directive 95/46/EC, see Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (WP169), adopted on 16 February 2010.

  14. WP169, Op. cit.

  15. In the same sense, we do not follow the Article 29 opinion referring to the SWIFT case, where the WP considers, a bit too rapidly and without appropriate nuances, that a provider of security services for data transmission becomes a data controller when it decides to answer requests from law enforcement agencies (LEA). This would mean that a CCS provider would qualify as data controller each time it decides to answer positively to a lawful request issued by LEA.

  16. See the Lindqvist case which appeared before the European Court of Justice C 101/01 (2003).

  17. Article 2a.

  18. On that issue, see particularly, Bygrave, L. Data Protection Law: Approaching Its Rationale, Logic and Limits, The Hague/London/New York: Kluwer Law International, 2002, 448 pages.

  19. About the history of the privacy concept and the need to take fully into account the informational asymmetry between data subjects and data controllers, read notably Solove, D.J. “Conceptualizing Privacy”, 90 California Law Review, 2002, 1085 et s.; Blok, P. Het recht op privacy, Boom Juridische uitgevers, 2003.

  20. See for example J.-P. Moiny, Op. cit., pp. 249–250.

  21. However, we can take the concept of data processor out of the article 7.

  22. The idea of returning, notwithstanding the global character of the Internet, to a certain “zoning” of the Net in order to ensure the sovereignty of countries and national values has been developed by Joel Reidenberg (Reidenberg, J. “Technology and Internet Jurisdiction”, 153 UNIV. OF PENN. L. REV. 1951 (2005)).

  23. Except in cases where onion routing is used by the cloud computing service. Onion routing is a technique allowing anonymous transactions within a computer network. The messages are encrypted repeatedly and sent through multiple network nodes called onion routers. Each node decrypts the message in order to get the routing instruction and then encrypts and sends the message to the next onion router until it reaches the final destination. Intermediary nodes do not know the origin and the final destination of the message. In that case the national law enforcement agencies are unable to get access to the information if it is transmitted through an onion router to a destination outside the national borders. For an example of an onion router, see EFF’s Tor: http://www.torproject.org.

  24. Explanatory Report of the ETS 108, § 67.

  25. Article 3.2 of Directive 95/46/EC. These matters are outside the scope of Directive 95/46.

  26. As regards this rule, see notably Article 29 Data Protection Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP56), adopted on 30 May 2002; Article 29 Data Protection Working Party, Opinion 1/2008 on data protection issues related to search engines (WP148), adopted on 4 April 2008, pp. 9–12; Article 29 Data Protection Working Party, Working document on Privacy on the Internet – An integrated EU Approach to On-line Data Protection – (WP37), adopted on 21st November 2000, p. 28; J.-P. Moiny, Op. cit., pp. 255–270. As regards data protection and jurisdiction, see in general C. Kuner, “Data Protection Law and International Jurisdiction on the Internet”, Parts 1 and 2, 18 (2 and 3). International Journal of Law and Information Technology, 2010: 176–193; the second part will be published in a forthcoming number of the same review.

  27. Regarding the potential influence of the ECHR on conflict of laws, see notably Gannagé, L. “A propos de l’ “absolutisme” des droits fondamentaux”, in Vers de nouveaux équilibres entre ordres juridiques – Liber amicorum Hélène Gaudemet-Tallon. Paris: Dalloz, 2008, pp. 265–284.

  28. See European Court of Human Rights, 20 July 2001, Pellegrini v. Italy.

  29. Mayer, P. “La Convention européenne des droits de l’homme et l’application des normes étrangères”, Revue Critique de droit international privé, (1991): 664.

  30. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.

  31. See the Council of Europe Cybercrime Convention, article 17.

  32. The Council’s 2009 Framework Decision on the European Evidence Warrant (“EEW”) applies the mutual recognition principle to judicial decisions for the purpose of obtaining evidence for use in proceedings in criminal matters. The EEW provides that Member States’ law enforcement authorities should give immediate effect to judicial search and seizure orders emanating from other Member States. The EEW also provides standard forms for issuing orders, and fixed deadlines for executing orders.

  33. We underline that the MLAC only binds those States that choose to ratify it. To date, the MLAC has been ratified by 23 of the 27 EU Member States.

  34. About all these texts and for a detailed commentary, Spencer, J.R. “The Problems of Trans-Border Evidence and European Initiatives to Resolve Them” (2007) 9 Cambridge Yearbook of European Legal Studies 477, at 478.

  35. See the principles adopted in 2008, “Protecting and Advancing Freedom of Expression and Privacy in Information and Communications Technologies”, available at the GNI website: http://www.globalnetworkinitiative.org.

      These Principles on Freedom of Expression and Privacy (“the Principles”) have been developed by companies, investors, civil society organizations and academics. “They are based on internationally recognized laws and standards for human rights, including the Universal Declaration of Human Rights (“UDHR”), the International Covenant on Civil and Political Rights (“ICCPR”) and the International Covenant on Economic, Social and Cultural Rights (“ICESCR”)”.

  36. http://register.consilium.europa.eu/pdf/en/10/st11/st11222-re01.en10.pdf

References

  • Article 29 Data Protection Working Party, Working document on Privacy on the Internet – An integrated EU Approach to On-line Data Protection – (WP37), adopted on 21st November 2000

  • Article 29 Data Protection Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP56), adopted on 30 May 2002.

  • Article 29 Data Protection Working Party, Opinion 1/2008 on data protection issues related to search engines (WP148), adopted on 4 April 2008.

  • Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (WP169), adopted on 16 February 2010.

  • Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising (WP171), adopted on 22 June 2010, p. 17.

  • Blok, P. Het recht op privacy, Boom Juridische uitgevers, 2003.

  • Bygrave, L. Data Protection Law: Approaching Its Rationale, Logic and Limits, The Hague/London/New York: Kluwer Law International, 2002.

  • Gannagé, L. “A propos de l’ “absolutisme” des droits fondamentaux”, in Vers de nouveaux équilibres entre ordres juridiques – Liber amicorum Hélène Gaudemet-Tallon. Paris: Dalloz, 2008.

  • Gellman, B. Privacy in the clouds: Risks to Privacy and confidentiality from Cloud Computing, Report prepared for the World Privacy Forum, Feb. 23, 2009.

  • Kuner, C. “Data Protection Law and International Jurisdiction on the Internet”, Parts 1 & 2, 18 (2 & 3). International Journal of Law and Information Technology, (2010).

  • Mayer, P. “La Convention européenne des droits de l’homme et l’application des normes étrangères”, Revue Critique de droit international privé, (1991): 651–665.

  • Meil, P., and T. Grance. The NIST Definition of Cloud Computing, Version 15, 10-07-09, available on NIST (National Institute of Standards and Technology) web site.

  • Moiny, J.-P. “Facebook au regard des règles européennes concernant la protection des données”, 2 E.C.J.L., 2010, pp. 235 and ff.

  • Reidenberg, J. “Technology and Internet Jurisdiction”, 153 UNIV. OF PENN. L. REV. 1951 (2005).

  • Solove, D.J. “Conceptualizing Privacy”, 90 California Law Review, 2002, 1085-.

  • Spencer, J.R. “The Problems of Trans-Border Evidence and European Initiatives to Resolve Them” (2007) 9 Cambridge Yearbook of European Legal Studies 477.

Correspondence to Yves Poullet.

© 2011 Springer Science+Business Media B.V.

Cite this chapter

Poullet, Y., Van Gyseghem, JM., Moiny, JP., Gérard, J., Gayrel, C. (2011). Data Protection in the Clouds. In: Gutwirth, S., Poullet, Y., De Hert, P., Leenes, R. (eds) Computers, Privacy and Data Protection: an Element of Choice. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-0641-5_18
