Cloud Computing and EU Data Protection Regulation

Standards, Design Considerations, and Operations Recommendations for Privacy-friendly Cloud Computing
The workshop will bring together politicians, lawyers, and engineers for an interdisciplinary discussion on privacy and data protection. It aims at reaching mutual understanding of legal principles, as well as technical limits of implementing privacy and data protection into ICT systems. Special emphasis will thereby be placed on the issue of cloud computing.

Humboldt-Universität zu Berlin (HU)
Alexander von Humboldt Institute for Internet and Society (HIIG)

Cisco Systems, Inc.

Further Venue Information
Humboldt-Universität zu Berlin | Faculty of Law
Room E034
Kommode | Bebelplatz 2
D – 10099 Berlin

Arrival by public transportation
The Bus lines 100, 200 as well as TXL will take you to the bus stop »Staatsoper«.
Metro- and Train-Stations in direct vicinity:
Französische Straße (U6)
Hausvogteiplatz (U2)
S-Bahnhof Friedrichstraße (U6 / S1 / S2/ S3 / S5 / S7 / S75 and several regional trains)

Arriving at Hauptbahnhof take S3 / S5 / S7 / S75 to S-Bahnhof Friedrichstraße.
From Airport Schönefeld take S45 in direction of Südkreuz, where you step out in S+U-Bahnhof Tempelhof and change to U6 in direction Alt-Tegel as far as Französische Straße.
From Airport Tegel take the Bus line TXL to the bus stop »Staatsoper«.

12:30 – 13:00: Reception
13:00 – 13:15: Welcome Address, Introduction
13:15 – 14:45: Session 1
14:45 – 15:00: Coffee Break
15:00 – 16:30: Session 2
16:30 – 16:45: Coffee Break
16:45 – 18:15: Session 3
18:15 – 18:30: Closing
18:30 – 19:30: Stand-up Reception with pretzels

Against the backdrop of an immensly increased dimension of data processing including the international flow of data in the last decade virtually all the relevant actors in the field have had to come to terms with the importance of privacy and data protection issues.
While everyone is aware of the fact that something has to be done in order to safeguard the privacy of Internet users, the question of how this end could be achieved by using what means remains open as much as it remains contested. Engineers in this respect need to know the underlying values, societal goals, and legal operationalizations of privacy and data protection, and their manifestation in legislation of which the EU Draft General Data Protection Regulation is one example. Politicians/Practitioners on their part must understand the fundamental limits of any approach that intends to translate privacy and data protection goals into technical systems. Finally, lawyers need to understand the characteristics of technical standardization compared to traditional methods of law making.
The workshop aims at bringing together politicians, lawyers, and engineers for an interdisciplinary discussion in order to improve the mutual understanding of what is to be done, what principles apply, and what the technical limits of implementing privacy and data protection into ICT systems are. Special emphasis will thereby be placed on the issue of cloud computing.

Workshop Agenda and Expected Outcome

Session 1: Societal goals and forms of legal operationalization
Moderator: Ingolf Pernice
Speakers: Nicolas Dubois (EU Commission), Caspar Bowden
The goal of the first session is to gain a specific understanding of what is privacy and data protection, and what the expectations of politicians and lawyers to technology, designers, and standard-developing organizations entail.

  • What are the (individual and societal; philosophical, sociological, political) protection goals of privacy and data protection, which meta norms they are derived from(freedom, dignity, autonomy, control etc.)? Which conflict of norms can be observed? What are sub-goals? (confidentiality, integrity, availability, transparency, non-linkability, intervenability etc.) and how are they pursued?
  • What are the ends the Commission wants to achieve by its current draft GDPR? What are the underlying expectations lawmakers have towards ICT designers and manufacturers with respect to the technical implementation of privacy goals. What demands are lawmakers attaching to the processes of technical standard-setting?
  • How have privacy and data protection goals been legally operationalized so far? (PII as legal reference object, process orientation, whitelist approach, weighting of interests etc.)
  • What are the legal requirements for ICT systems? What are the legal demands put upon the process of formulating technical requirements? (openness, transparency, documentation, management etc.)
  • How are legal privacy and data protection rules enforced?

Session 2: Technical standardization
Moderator: Jeanette Hofmann
Speakers: Rainer Stentzel (BMI), Alissa Cooper (CDT)
This second session is supposed to contribute to a better understanding of the processes themselves as well as their underlying rationales. Attention will specifically be commanded to existing approaches of technical privacy and data protection requirements. The aim of this session is thereby to reconcile the politicians’ and lawyers’ expectations concerning technical solutions with what is technically feasible.

  • Who are the stakeholders? How is standardization organized? What are the processes? What is taken for granted in technical standards processes? How are these standards enforced?
  • What are similarities and differences between standards for (protocol) designers and operational recommendations issued by standard-developing organizations (SDO) respectively?
  • How came the IETF draft on Privacy Considerations for Internet Protocols into being? What are the characteristics of its approach? Are there further experiences with respect to standardization of technical privacy and data protection requirements?
  • What are the major obstacles for standardization bodies concerning legal regulations and legal requirements, especially with regard to the area of privacy and data protection? How can they be addressed?

Session 3: Bridging the gap
Moderator: Claus Schaale
Speakers: TBA (EU Commission), Gunter Van de Velde (IETF), Fred Baker (IETF), Jörg Pohle (HIIG)
In order to link the general aspects mentioned above with specific cases “on the ground” the workshop will deal with the issue of cloud computing.
The goal is thereby to discuss a set of recommendations concerning “operational privacy” or “privacy management” in this field.

  • What is the Commission demanding from cloud computing providers and other stakeholders in the area of cloud computing with respect to privacy and data protection?
  • What are the experiences with standardization in the area of cloud computing? (e.g. OpenStack Initiative)
  • What are technically correct, lay-person-useful, and lawyer-useful recommendations for “operational privacy” (comparable to Opsec)?
  • Is the “conventional approach” of ensuring compliance by certification (through third parties) still feasible in this field?

Workshop Style
Participants are requested to submit a position paper for the workshop. They are required to read all papers in preparation for the workshop.
The workshop will be structured as a series of working sessions. Each session will start with two or three short presentations by invited speakers. Presentations will provide relevant background information or controversial ideas worth discussing.
The workshop’s main focus will be on the discussions. Discussions will be results-oriented.

The workshop is not organised as a public event. If you would like to participate please contact:

Event date

26 Jul 2013 | 12 pm – 7 pm ical | gcal



Room E034, Faculty of Law / Kommode, Bebelplatz 2, 10099 Berlin,  Bebelplatz 2,  10099 Berlin


Jörg Pohle, Dr.

Co-Head of Research Programme: Actors, Data and Infrastructures