Cloud computing facilitates and accelerates the collection and processing of (personal) data and the development of new services and applications. When data collection involves personal data, specific risks and challenges for privacy and data protection of the individuals arise. The interference with privacy and data protection necessitates the implementation of appropriate safeguards. Therefore, new impacts and risks need to be analysed and assessed. In the cloud computing context, privacy and data protection should not be inferior to the level of protection required in any other data processing context. Looking at the European legal framework, the EU has thorough legislation for the protection of personal data. The new General Data Protection Regulation introduces detailed provisions establishing obligations and new instruments, such as certification. In addition, the EU data protection legislation has what is often called an extra-territorial effect, which entails that under conditions is applicable to natural or legal persons not established in the EU jurisdiction. The extra-territorial effect of the EU data protection legislation makes the EU legislation relevant for service providers who are not established in the EU but are processing personal data of EU citizens. This chapter aims to provide an overview of the legal requirements applicable to cloud-based applications and data processing, drawing examples primarily from the EU legal framework. This overview can serve as an index of key obligations and responsibilities for cloud service providers and cloud clients, but also for further research purposes (i.e. comparative analysis with other legal frameworks).

Chapter Contents:

• Abstract
• Keywords
• 10.1 Introduction: the emergence of cloud and the significance of a secure cloud
• 10.2 Cloud computing and the extra-territorial effect of EU data protection law
• 10.3 The EU legal framework on data protection
• 10.3.1 The Data Protection Directive 95/46/EC
• 10.3.2 The new General Data Protection Regulation
• 10.4 Data controller, data processor and cloud computing actors: assigning roles and responsibilities
• 10.4.1 Cloud client and cloud service provider
• 10.4.2 Sub-contractors
• 10.5 Duties and responsibilities of the cloud computing actors
• 10.5.1 Compliance with the general personal data processing principles
• 10.5.1.1 Transparency
• 10.5.1.2 Purpose specification and limitation
• 10.5.1.3 Storage limitation
• 10.5.1.4 Responsibility and accountability in the cloud
• 10.5.2 Technical and organisational measures of data protection and data security
• 10.5.2.1 Availability
• 10.5.2.2 Integrity
• 10.5.2.3 Confidentiality
• 10.5.2.4 Isolation
• 10.5.2.5 Intervenability
• 10.5.2.6 Portability
• 10.5.2.7 IT accountability
• 10.5.3 Data protection impact assessments in cloud computing
• 10.5.4 Audits and certifications
• 10.6 Data flows and appropriate safeguards
• 10.6.1 Adequacy decisions
• 10.6.2 Alternative ways for data transfers by means of 'appropriate safeguards'
• 10.7 Conclusions
• References

Inspec keywords: law; sorting; cloud computing; data protection

Other keywords: EU data protection legislation; cloud computing; privacy protection; sorting-out legal requirements; European legal framework; data collection; personal data processing

Subjects: Legal aspects of computing; Information networks; Internet software; Data security