Legal Risks of Cloud Computing and Open Data
•
0 gefällt mir•682 views
Kuan Hon, an independant consultant (Kuan0.com) presents 'New technologies & paradigms, old laws', at the Eduserv Symposium 2013: In with the new.
![19/05/2013
2
@kuan∅
Introduction
• Self
[2 hats 4 clouds 3 weasels]
• Attendees?
@kuan∅
Legal risks of new tech
Risk pyramid
Legal
Reputational
[Public trust] etc etc](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie Legal Risks of Cloud Computing and Open Data
Ähnlich wie Legal Risks of Cloud Computing and Open Data (20)
Mehr von Eduserv
Mehr von Eduserv (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Legal Risks of Cloud Computing and Open Data
- 1. 19/05/2013 1 New Technologies & Paradigms, Old Laws Kuan Hon Independent Consultant PhD Candidate, QMUL Eduserv Symposium 2013, London 16 May 2013 @kuan∅ Outline • Introduction • Cloud • Open data, big data
- 2. 19/05/2013 2 @kuan∅ Introduction • Self [2 hats 4 clouds 3 weasels] • Attendees? @kuan∅ Legal risks of new tech Risk pyramid Legal Reputational [Public trust] etc etc
- 4. 19/05/2013 4 @kuan∅ LawyersLawyers (Image reproduced by kind permission of Firebox.com) Certainty? Hah! ‘It depends…’ Interpretation Context Probabilities
- 5. 19/05/2013 5 @kuan∅ Skills For legal (& many other) issues: Know WHO to ask, & WHEN, & WHAT to tell ‘em! @kuan∅ WHO Lawyers
- 8. 19/05/2013 8 @kuan∅ Laws & the internet @kuan∅ Cloud computing & law Risk pyramid Laws Reputational [Public trust] etc etc
- 9. 19/05/2013 9 @kuan∅ Let your lawyer do the worrying… @kuan∅ Cloud computing • Legal risks - brief lawyers on: – what’s cloud? •recap •NB layers •12 Cs; cf traditional outsourcing – what do you want to use it for? •requirements, risk tolerance User ---- DropBox ---- Amazon SaaS IaaS
- 10. 19/05/2013 10 @kuan∅ Cloud legal issues • Lots! – IP, competition – no time… – see cloudlegalproject.org + book • Pre-contract checks + contract • For public sector: – government policy – CloudStore @kuan∅ Location
- 11. 19/05/2013 11 @kuan∅ Data location, me & you • Public sector – Gov ICT Offshoring (International Sourcing) Guidance - data location unrestricted, unless: – national security – data protection laws • Data protection – cloud guidance – Article 29 WP opinion – UK ICO guidance @kuan∅ Law vs IT “Technical & organisational measures” IT security & IT “data protection” “Data protection” (law)
- 12. 19/05/2013 12 @kuan∅ Data protection laws: “Personal data” (cf anonymous data) @kuan∅ EU Data Protection Directive Data export restriction NO transfer of PD outside European Economic Area
- 13. 19/05/2013 13 @kuan∅ Unless… • Exception • “Adequate protection” / “adequate safeguards” • But problems… @kuan∅ So, in practice… • Regional clouds - easy, safe
- 14. 19/05/2013 14 @kuan∅ EEA, EU, Europe… http://bit.ly /eu-venn for large version & table @kuan∅ ‘Transfer’ – physical location • Gear: storage / processing; caches • People: remote access
- 15. 19/05/2013 15 @kuan∅ • + Names of all “sub-contractors” • Follow this… + other DP regulators’ recommendations (eg liability chain) public cloud! Gimme gimme gimme your data locations… Image from Beeld en Geluidwiki @kuan∅ Traditional outsourcing Cloud Cook food yourself Hire caterers to cook for you on your instructions Rent kitchen, cook food yourself Get take-out or ready meal, cook it yourself
- 16. 19/05/2013 16 @kuan∅ Key tensions • “Guaranteed” security / liability – should be possible – but will cost! – cheap / free public cloud model • Control of supply / contract chain – will big players be the winners? @kuan∅ “It’s unworkable, so just ignore it?” @kuan∅
- 17. 19/05/2013 17 @kuan∅ Draft Data Protection Regulation Up to 2% annual global turnover @kuan∅ @kuan∅ Good intentions… Flames of hell…?
- 18. 19/05/2013 18 @kuan∅ Cloud contracts @kuan∅ Cloud contracts • 3 aspects: – pre-contract due diligence – contract terms – post-contract – monitoring etc • See negotiated contracts article – “no names” interviews, FOI etc – Forbes report
- 19. 19/05/2013 19 @kuan∅ Standard terms • Providers’ standard terms – weighted; customer-appropriate? • Negotiable? – customer / deal size • Gov / banks - trad. IT outsourcing – cloud-appropriate? • Customer process issue – bypass IT, legal! @kuan∅ Pre-contract due diligence • If personal data – all sub-providers’ names; locations; security • Lock-in and exit – practical: test data portability in advance (NB fake data!) • Security – pen testing, certifications? • NB backups • + Post-contract - security audits etc • ENISA papers (hunt!)
- 20. 19/05/2013 20 @kuan∅ Contract terms • If personal data: – choice of provider (security), contract requirements: “instructions”, security • More generally, some key issues: – provider liability (vs price) – lock-in – term, termination; exit terms – security – confidentiality; audit rights? – right to change terms? (cf G-Cloud…) @kuan∅ G-Cloud: CloudStore • Process - no mini-competition, no negotiation! (though fill in blanks…) - Price / MEAT • Info - G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June) • NB overlay approach & supplier terms: – get advice on own specific data type/use – see G-Cloud paper
- 21. 19/05/2013 21 @kuan∅ Cloud Open data Big data @kuan∅ Protection of Freedoms Act • s 102 amends FOIA – datasets – electronic, reusable form – open licensing – allow reuse (fees?) • In force May/June…? – Draft Code of Practice – consultation – ICO publication scheme, guidance • What datasets, how to handle?
- 22. 19/05/2013 22 @kuan∅ Open data vs personal data • Anonymise any PD before release • Tricky! eg Sweeney etc research • Big, eg EE / Ipsos Mori! But worthwhile • ICO Code of Practice (full disclosure..) – limited controlled release, vs fully public • UK Anonymisation Network (2 years) – anonymisation clinics – 28 June @kuan∅ STOP PRESS • Shakespeare review of PSI, 15 May 2013 – Deloitte market assessment – His summary in the Guardian • Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…) – Following 'best practice' guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.
- 23. 19/05/2013 23 @kuan∅ Cloud Open data Big data @kuan∅ Big data vs personal data • Data protection compliance (eg security) & anonymisation, again… • Less data good? • Other issues? eg IP
- 24. 19/05/2013 24 @kuan∅ New technologies and paradigms, old laws @kuan∅ Old laws • Outdated assumptions • Appropriate to new paradigms?? • But - the law is the law! • Until laws are updated properly… • Same ol’ strategy still sensible: – RRRR + EEEE
- 25. 19/05/2013 25 @kuan∅ Key takeaways 1 • RRRR: – requirements evaluation, for – real life intended use – review & understand tech / model – risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case) @kuan∅ Key takeaways 2 • EEEE – get: – expert input / advice – legal, IT, risk, security, stats etc – based on exact data type, use case – explain the tech / model properly – early, not last minute or after!
- 26. 19/05/2013 26 @kuan∅ Thank you! Kuan Hon Twitter: @kuan∅ Email: k @ domain below kuan∅.com/publications.html blog.kuan∅.com Half lawyer | half geek | mostly harmless