Cloudy with a Chance of Privacy Compliance
Cross Border Data Flows; Multi National Cloud Environments

PRESENTATION   OCTOBER 5, 2012   3rd Annual Privacy, Access and Security Congress

David Elder
Stikeman Elliott LLP

STIKEMAN ELLIOTT LLP   www.stikeman.com
Transborder Data Flows
 • A key element to privacy policy approaches and guidelines since the early days of “the information society”
 • Should ensure protection, security of data
 • Should avoid using privacy laws as trade barriers
 • Where laws in two or more countries offer comparable privacy safeguards, information should be able to flow freely between them
 • Where no reciprocal safeguards, limits on transfers should go only so far as required to protect privacy

SLIDE 1
European Data Protection Directive
 • Allows transfer between Member States
 • Data can be transferred outside the EU only where continued protection guaranteed or certain exemptions apply
 • “Adequacy” assessed based on range of factors, can be at country level or company level (based on “Safe Harbour” commitment)
 • Can also transfer to companies in “inadequate” countries, where transfer governed by EC standard contractual clauses

SLIDE 2
The Dark Side of the Cloud
 • Out of your control
 • Insufficient information about cloud operations
 • Dispersed, complex, multiple players
 • Co-mingling with others’ data may raise issues: segregation; auditability; exposure to others’ vulnerabilities; notification delays where breaches
 • Potential access by foreign states
 • Focus on low cost, efficiency may mean
     – One-size-fits-all service, reluctance to customize
     – Security as a secondary focus?

SLIDE 3
Nothing New Under the Sun

[Figure: Control plotted against Risk, with Company, Outsource, Offshore and Cloud arranged along the axis from most control / least risk to least control / most risk]

SLIDE 4
Private Sector Privacy

[Figure: map of Canada (Yukon, Northwest Territories, Nunavut, British Columbia, Alberta, Saskatchewan, Manitoba, Ontario, Quebec, New Brunswick, Nova Scotia, PEI, Newfoundland) with the applicable private sector privacy statutes: PIPEDA; PIPA (B.C.); PIPA (Alberta); Quebec Privacy Act]

SLIDE 5
Key Privacy Obligations & Challenges

Accountability
 Obligation:
  • Organization responsible for personal info it collects, even when transferred to 3rd parties
 Cloud challenges:
  • How to maintain control, visibility?
  • Difficult to audit if widely dispersed, co-mingled

Consent
 Obligation:
  • Knowledge and consent required for the collection, use and disclosure of personal information
 Cloud challenges:
  • Can be need for explicit consent to storage/processing outside Canada, due to foreign legal jurisdictions
  • Consent to cloud itself?

SLIDE 6
Key Privacy Obligations & Challenges

Limiting Use, Disclosure, Retention
 Obligations:
  • To be used solely for identified purpose
  • To be retained only as long as necessary to fulfil purposes, then returned or destroyed
 Cloud challenges:
  • Uncertainty won’t be mined/used for other purposes
  • Uncertainty of retention periods, foreign requirements?
  • Right to destroy, delete, have returned

Access & Accuracy
 Obligations:
  • Right of access
  • Right to correct
 Cloud challenges:
  • Ensure individual will have access
  • Ensure can quickly correct incomplete or inaccurate data

SLIDE 7
Key Privacy Obligations & Challenges

Security
 Obligation:
  • Security safeguards appropriate to sensitivity of personal info
 Cloud challenges:
  • Tendency to one-size-fits-all
  • Cloud makes security decisions, not you
  • Cloud unaware of sensitivity of info

Breach Notification
 Obligation:
  • Advise Privacy Commissioner(s), individuals/customers
 Cloud challenges:
  • Need to be advised of cloud breach
  • How to define what notifiable
  • Need cooperation, up-to-minute details
  • Could be many cloud users affected

SLIDE 8
Other Legal Obligations
 • OSFI Guidelines on Outsourcing of Business Activities, Functions and Processes
 • In accordance with federal legislation, certain records should be maintained in Canada, OSFI access ensured
 • Tendency to overly conservative approach?
 • Requires audit and access rights over service provider (for institution and OSFI)
 • Requires detailing physical data storage locations

SLIDE 9
Guidelines for Processing Personal Data Across Borders
 • Apply to private sector only
 • Accountability principle is key
 • Be transparent
 • Actual safeguards can vary, based on inherent sensitivity of data, potential risk of unauthorized disclosure or access (and cost?)
 • Third party should have clear and reliable security policies, consistent training program for staff
 • Audit rights help, but difficult to execute – likely more a deterrent

SLIDE 10
Guidelines for Processing Personal Data Across Borders
 • Most fundamentally, organizations should be selective in choosing foreign service providers, cloud providers
 • Should pay particular attention to legal/political regimes in which third party operates
 • Economic and social conditions may also be relevant
 • Clarity, transparency, security, careful location selection can be a competitive advantage for organizations and third party service providers – and particularly for cloud providers

SLIDE 11
EC Standard Contractual Clauses
Data importer agrees and warrants:
 • Will process only for purposes directed by exporter
 • Applicable laws no barrier to fulfilling obligations
 • Has implemented specified technical & operational security measures
 • Will respond to exporter inquiries and submit to audit
 • Will promptly notify re:
     – LEA demand for disclosure (unless prohibited)
     – Breach
     – Access request by subject
     – Sub-contracting (& get consent, bind to safeguards)

SLIDE 12
Standards & Certifications
 • Independent certification by reputable 3rd party
 • Audit against recognized standard: ISO, PCI, etc.
 • Some regulators have recognized as legitimate approach
 • Some process/governance related; some about physical/technical measures
 • Registries also useful, but less so – good initial step, will facilitate comparisons, drive privacy/security as a competitive attribute

SLIDE 13
“Accountability, rather than geographical limits, is the basic model for Canadian data protection. This model brings the advantages of flexibility and low compliance overhead for corporations whose profits derive from innovation. But accountability also means that use of Canadians’ personal information must meet Canadian legal standards, wherever in the cloud this may be happening.”
                                   Jennifer Stoddart, 2009

SLIDE 14
I Can See Clearly Now
 • Not for everyone
 • Choose your provider very carefully
 • Look for standards, certifications
 • Bake key terms, levels, guarantees into contract:
     – Security practices and requirements
     – Breach/investigation response
     – Audit
     – Liability, indemnity
     – Subcontracting control

SLIDE 15