
Slide 1: Keeping on top of the Cloud - Compliance from a Regulator’s Perspective
Henry Chang, IT Advisor, Office of the Privacy Commissioner for Personal Data, Hong Kong
6 July 2013
Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing

Slide 2: Bottom lines
1. Data users are responsible for the protection of personal data entrusted to them;
2. Outsourcing of data processing does not mean outsourcing of legal liability.

Slide 3: Guiding principles of data protection
1. Informed Consent
2. Protection
3. Transparency

Slide 4: Data flow and data protection principles (DPPs)
[Diagram: personal data flow through an IT system, from Collection, through Storage, Use or Processing, to Retention/Erasure, mapped to the six DPPs]
- DPP 1 – Collection
- DPP 2 – Accuracy and retention
- DPP 3 – Use
- DPP 4 – Security
- DPP 5 – Transparency
- DPP 6 – Rights of access and correction

Slide 5: The heat map of cloud
[Diagram: heat map of Types of Cloud (Private Cloud (dedicated), Public Cloud (shared)) against Types of Users (Consumers, SMEs, Enterprises), with SMEs labelled "Most vulnerable"]

Slide 6: For Consumers

Slide 7: Attractive/free consumer solutions…
1. Uncertainty on whether data protection laws apply
2. Terms often favour service providers
3. There is no free lunch – where is the hidden cost?
4. Ultimate victims of any data breach are consumers
5. Assess risks before using cloud services
6. Consider encrypting data before uploading

Slide 8: For Businesses

Slide 9: Important issues that are not specific to clouds
1. Technical safeguards - Identity management and authentication
2. Proper exit plan, data erasure and data portability
3. Use by contractors that does not match with original purposes
4. Formal data breach notification arrangement

Slide 10: Cloud characteristics
1. Rapid transborder data flow
2. Loose outsourcing arrangements
3. Standard services and contracts

Slide 11: Rapid transborder data flow
1. Does the law allow?
2. Comparable data protection laws
   - Who can tell where the data are?
   - How could data user obligations be fulfilled?
   - Can data flow be limited to a few ‘white list’ jurisdictions?
3. Potential access by foreign LEAs

Slide 12: Loose outsourcing arrangement
1. Lack of controls/relationship
   - No guarantee of controls downstream
   - No contractual remedies
2. Uncertain privacy rules, culture and training
   - Are outsourcers subject to privacy law in their jurisdictions?
   - Are they accustomed to privacy laws?
   - Can they be sanctioned?
3. Where does the loyalty lie?

Slide 13: Standard services and contracts
1. If standard services do not meet the data protection requirements, can the cloud provider customise?
2. If customisation is offered, how can cloud customers be sure that the extra measures are in place?

Slide 14: Views from data protection authorities
1. Hong Kong PCPD – http://www.pcpd.org.hk/english/publications/files/cloud_computing_e.pdf
2. The Article 29 Working Party – http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
3. Office of the Privacy Commissioner, Canada – http://www.priv.gc.ca/information/pub/gd_cc_201206_e.asp
4. Dutch DPA – http://www.dutchdpa.nl/downloads_overig/dutch-dpa-written-opinion-cloud-computing-unofficial-translation.pdf
5. French DPA (CNIL) – http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_Cloud_computing_services.pdf
6. Office of the Privacy Commissioner, New Zealand – http://www.privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/OPC-Cloud-Computing-guidance-February-2013.pdf
7. UK Information Commissioner’s Office – http://www.ico.org.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx
8. International working group on data protection in telecommunications – http://datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083

Slide 15: Thank You

