Legal Aspects of Cloud Computing
An interview with Paolo Balboni, Scientific Director of the European Privacy Association and Founding Partner at ICT Legal Consulting in Milan
On September 24 – 25, 2012 cloud computing experts and end-users from around the world will gather at the ISC Cloud’12 Conference at the Dorint Hotel in Mannheim, Germany. The conference will focus on compute and data intensive applications, their resources needs in the cloud, and strategies on implementing and deploying cloud infrastructures.
ISC Cloud Conference Chairman Wolfgang Gentzsch spoke with Paolo Balboni, the Scientific Director of the European Privacy Association and a Founding Partner at ICT Legal Consulting in Milan, who will be a speaker at the conference’s HPC Cloud Challenges panel discussing legal aspects of cloud computing.
HPC in the Cloud: Paolo, thank you for joining us at this year’s ISC Cloud conference. You are providing legal advice to multinational companies and public administrations in highly actual ICT areas like personal data protection, cloud computing, big data, Web 2.0 service providers’ liability, intellectual property rights, and many more. These areas seem to be dangerous minefields for all those who have to deal with ICT in a global world, either as consumers or as providers. To start with, what are currently the biggest concerns about moving to the cloud?
Paolo Balboni: Clearly the biggest concerns are data protection and data security.
HPC in the Cloud: Can we make a practical example around this? Say Company A migrates its Customer Relationship Management to the cloud, using Infrastructure-as-a-Service offered by a cloud service provider. In case of a data security breach, who will then be liable towards Company A’s customers?
Paolo Balboni: Company A will be liable for it. In fact, Company A (in its quality of Data Controller) is responsible for what the cloud service provider does (in his quality of Data Processor). More precisely, Company A is required by law to choose a cloud service provider that provides sufficient guarantees on technical security measures and organizational measures governing the processing to be carried out. And Company A must ensure compliance with such measures.
HPC in the Cloud: So how can Company A effectively control the cloud service provider’s data processing and prevent unlawful activities?
Paolo Balboni: Prior to migrating to the cloud, companies should carefully verify the data privacy and data security policy of cloud service providers and choose the one that offers a high level of data protection. Moreover, companies should also regularly monitor the data protection compliance of the selected cloud service provider and look into limitations and exclusions of liability clauses. Cloud service providers that do not provide transparency and have unreasonable limitations and exclusions of liability clauses in their conditions of service should be avoided.
HPC in the Cloud: In mainstream cloud computing the application – like the one we just mentioned – resides as a Web service persistently in the cloud; it does not move back and forth over the Internet each time a service is requested, except a few data for requesting and obtaining the service. Are we facing similar legal issues if we move a whole engineering application like for example a CAE simulation code and the related geometry data of an automobile to an HPC Cloud like Amazon EC2 or Penguin on Demand?
Paolo Balboni: I think that this example does not bring about privacy issues because geometry data (e.g., of an automobile) are not considered personal data. Personal data are defined in Art.2.a of the Directive 95/46/EC as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
HPC in the Cloud: There has been a lot of discussion and concern about a generally inadequate legal framework for cloud computing. What can companies do in such a situation to migrate to the cloud, yet minimizing the legal risks?
Paolo Balboni: Companies should work on the cloud service agreement. In this respect, the Article 29 Working Party has recently published an opinion addressing appropriate contractual safeguards. In the opinion it is stated that “security, transparency and legal certainty for clients should be key drivers behind the offer of cloud computing services”. I could not agree more. And companies can achieve such objectives by accurately negotiating the right controls on the cloud service providers and relevant warranties.
HPC in the Cloud: Big data is really the catch phrase of the moment. Proliferation of data and increasing demand for computational resources from cloud infrastructure providers, for example, represent a great business opportunity for companies. What about privacy and data protection?
Paolo Balboni: Rigorous data protection compliance management throughout the whole data lifecycle is key. Companies will be advised on how to store, protect, and analyze large amount of data and turn it into valuable information to improve their businesses. However, data – unless anonymized – can only be processed for the purposes they were collected for. So it is important to have a strategic and accurate approach to data protection compliance in order to collect personal data already in a way to enable further lawful processing activities. The difference for a company between dying buried under personal data and harnessing their value is directly related to privacy compliance management. Big data will prove that a strategic and accurate approach to data protection can really generate a return of investment.