Review of the Workshop: »Cloud Computing and the EU Draft General Data Protection Regulation«
About 30 legal practitioners, computer scientists and social scientists came together to attend the interdisciplinary workshop »Cloud Computing and the EU Draft General Data Protection Regulation. Standards, Design Considerations, and Operations Recommendations for Privacy-friendly Cloud Computing« held on the premises of Humboldt University, Berlin (HU) on 26 July 2013 ahead of the 87th Meeting of the Internet Engineering Task Force (IETF) which is currently in progress. Jointly organised by the Alexander von Humboldt Institute for Internet and Society (HIIG), the HU, and Cisco as part of the »Global Privacy Governance« project, the aim was to gain a common, interdisciplinary understanding of privacy and data protection, particularly from the point of view of balancing legal requirements with the means of technical implementation. The purpose of the workshop was to draw up a number of specific »Operational Privacy« requirements pertaining to Cloud Computing.
Session 1: Nicolas Dubois and Caspar Bowden
During the first workshop session, Nicolas Dubois from the EU Commission presented the latter’s proposals for reforming the European Data Protection regulations: data protection is to be updated in line with the Charter of Fundamental rights in order to meet the challenges of technical development. Apart from introducing Privacy by Design and Privacy by Default into the General Data Protection Regulation, the focus will be on such other measures as revising the obligations of data processors with regard to risk management and the need to include standard contractual clauses on data security and support for binding corporate rules (BCR). Backed up with sound evidence, Caspar Bowden, the former privacy consultant at Microsoft‘s European branch, not only criticised the past ignorance displayed by European institutions in matters relating to undercover surveillance measures conducted by intelligence services, whose existence has been an open secret for a long time, but also showed that European citizens and organisations are entirely at the mercy of these measures according to the provisions of the US Foreign Intelligence Surveillance Act (FISA), for instance. Instead of protecting their citizens, European countries and the EU Commission were biased towards the interests of industrial companies, particularly those of US American cloud-computing providers. The least that Europe could do under the circumstances is to develop a cloud infrastructure of its own.
The discussion that followed on from this talk dealt mainly with the possibilities and limitations of legal restrictions as well as certain time aspects: How long would it take to build our own cloud infrastructure? For how long are encoded data safe? For what period of time are data retained?
Session 2: Alexander Dix and Alissa Cooper
Dr. Alexander Dix, Berlin’s Commissioner for Data Protection and Freedom of Information, opened the second session with a talk on the legal demands made on technical standardisation, which has hitherto focused on data processors being able to set their own standards. This practice lowers the level of security and has to be overturned, he said. Dix also called for an international convention to regulate what secret services are allowed to do on the Internet, and what not. To wind up his talk, he drew attention to the Resolution of the Conference of Federal and State Data Protection Commissioners dated 24 July 2013, according to which the authorities will not issue any new licence for the transfer of data to the USA under the terms of the Safe Harbour Agreement. Alissa Cooper from the Center of Democracy and Technology subsequently presented the RFC 6973 »Privacy Considerations for Internet Protocols« that were completed shortly before the workshop commenced. Based on the IETF‘s goals for devising technical protocols for Internet communication, she kicked off with the very limited extent to which privacy supervision could be deployed within the framework of the IETF, explaining that data security is primarily a political problem, whereas the IETF is only concerned with technical matters.
The subsequent discussion revolved primarily around the question of who should standardise what in terms of privacy and data protection, and how they should go about it. The general consensus was that technicians have since turned their attention to this topic instead of just discussing the safety aspects.
Session 3: Fred Baker, Gunter Van de Velde and Jörg Pohle
Fred Baker, a Cisco fellow and former Chairman of the IETF, opened the third session with a preview of proposed Internet requirements for »Operational Privacy«. Of the two threats to privacy. as identified by Baker – what people disseminate about themselves and what can be gleaned from their conduct and their relationship to other people – the latter poses the greater risk. So technological advancement should aim at providing those affected with different options that are both comprehensible and designed to facilitate the choice between spreading or withholding particulars. In his capacity as Chairman of the IETF’s »Operational Security Working Group«, Gunter Van de Velde proceeded to outline the working group’s mission, pointing out that the draft that had been put forward for an RFC was not so much a documentation of best current practices, in his opinion, but constituted more of a problem analysis – a »taxonomy and problem statement«. The draft itself was then introduced by the person who wrote this review, Jörg Pohle from the HIIG, who made special mention of the data security protection targets, by way of a guideline.
This was followed by a discussion about the inter-relationship between the law and technology in implementing privacy and data protection requirements and about particularly vital individual demands, such as the call for an independent supervisory structure.
Operational Privacy Outlook
Although the workshop failed to achieve its ambitious aim to define clear »Operational Privacy« requirements specifically for Cloud Computing activities, it can still be considered a success: firstly because it established a common understanding of the problem and secondly because this preliminary work, coupled with the outcome of the discussions at the workshop, forms a good basis for drawing up a »taxonomy and problem statement« on »operational privacy«, which can then be passed on the IETF’s »Operational Security Working Group« level, possibly with a view to producing a document on best current practices in the longer term.