Legal Risks of Cloud Computing and Open Data
1. 19/05/2013
1
New Technologies & Paradigms, Old Laws
Kuan Hon
Independent Consultant
PhD Candidate, QMUL
Eduserv Symposium 2013, London 16 May 2013
@kuan0
Outline
• Introduction
• Cloud
• Open data, big data
Laws & the internet
Cloud computing & law
Risk pyramid (diagram): laws; reputational; [public trust] etc etc
Let your lawyer do the worrying…
Cloud computing
• Legal risks - brief lawyers on:
– what’s cloud?
• recap
• NB layers
• 12 Cs; cf traditional outsourcing
– what do you want to use it for?
•requirements, risk tolerance
Diagram: User ---- DropBox (SaaS) ---- Amazon (IaaS)
Cloud legal issues
• Lots! – IP, competition – no time…
– see cloudlegalproject.org + book
• Pre-contract checks + contract
• For public sector:
– government policy
– CloudStore
Location
Data location, me & you
• Public sector – Gov ICT Offshoring (International Sourcing) Guidance – data location unrestricted, unless:
– national security
– data protection laws
• Data protection – cloud guidance
– Article 29 WP opinion
– UK ICO guidance
Law vs IT (diagram labels): “Technical & organisational measures”; IT security & IT “data protection”; “Data protection” (law)
• + Names of all “sub-contractors”
• Follow this… + other DP regulators’ recommendations (eg liability chain)
[Image: “public cloud! Gimme gimme gimme your data locations…” (image from Beeld en Geluidwiki)]
Traditional outsourcing vs cloud (analogy diagram)
• Cook food yourself
• Hire caterers to cook for you on your instructions
• Rent kitchen, cook food yourself
• Get take-out or ready meal, cook it yourself
Key tensions
• “Guaranteed” security / liability
– should be possible – but will cost!
– cheap / free public cloud model
• Control of supply / contract chain
– will big players be the winners?
“It’s unworkable, so just ignore it?”
Standard terms
• Providers’ standard terms
– weighted; customer-appropriate?
• Negotiable? – customer / deal size
• Gov / banks - trad. IT outsourcing
– cloud-appropriate?
• Customer process issue – bypass IT, legal!
Pre-contract due diligence
• If personal data – all sub-providers’ names; locations; security
• Lock-in and exit – practical: test data portability in advance (NB fake data!)
• Security – pen testing, certifications?
• NB backups
• + Post-contract - security audits etc
• ENISA papers (hunt!)
Contract terms
• If personal data:
– choice of provider (security), contract requirements: “instructions”, security
• More generally, some key issues:
– provider liability (vs price)
– lock-in – term, termination; exit terms
– security – confidentiality; audit rights?
– right to change terms? (cf G-Cloud…)
G-Cloud: CloudStore
• Process – no mini-competition, no negotiation! (though fill in blanks…)
– Price / MEAT
• Info – G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June)
• NB overlay approach & supplier terms:
– get advice on own specific data type/use
– see G-Cloud paper
Cloud
Open data
Big data
Protection of Freedoms Act
• s 102 amends FOIA
– datasets – electronic, reusable form
– open licensing – allow reuse (fees?)
• In force May/June…?
– Draft Code of Practice – consultation
– ICO publication scheme, guidance
• What datasets, how to handle?
Open data vs personal data
• Anonymise any PD before release
• Tricky! eg Sweeney etc research
• Big, eg EE / Ipsos Mori! But worthwhile
• ICO Code of Practice (full disclosure…)
– limited controlled release, vs fully public
• UK Anonymisation Network (2 years)
– anonymisation clinics – 28 June
STOP PRESS
• Shakespeare review of PSI, 15 May 2013
– Deloitte market assessment
– His summary in the Guardian
• Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…)
– “Following 'best practice' guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.”
New technologies and paradigms, old laws
Old laws
• Outdated assumptions
• Appropriate to new paradigms??
• But - the law is the law!
• Until laws are updated properly…
• Same ol’ strategy still sensible:
– RRRR + EEEE
Key takeaways 1
• RRRR:
– requirements evaluation, for
– real life intended use
– review & understand tech / model
– risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case)
Key takeaways 2
• EEEE – get:
– expert input / advice – legal, IT, risk, security, stats etc
– based on exact data type, use case
– explain the tech / model properly
– early, not last minute or after!