Browse by title


Andrej Savin

Andrej Savin

Providing a comprehensive overview of the current European regulatory framework on telecommunications, this book analyses the 2016 proposal for a European Electronic Communications Code (EECC). The work takes as its basis the 2009 Regulatory Framework on electronic communications and analyses each of its five main directives, comparing them with the changes proposed in the EECC. Key chapters focus on issues surrounding choosing the right regulatory model in order to secure effective investment in next-generation networks and ensure their successful deployment.

Andrej Savin

Abbreviations/glossary

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Access and security

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Data protection laws’ objectives.
• Control access to control use/disclosure/condition. Security: confidentiality, integrity, availability (CIA), intelligible access; Directive Arts.16–17, GDPR.
• Backups, authentication/authorization, physical access. Cloud’s shared responsibility.
• Logical/physical security for compliance: relevance, risks, mitigation.
• Encryption (at rest, in transmission), key management. Intelligible access, legal obligations (processors/subprocessors). Tokenization. Cloud encryption/tokenization gateways.
• Encryption: costs/performance, operations, ‘snake oil’ (security expertise), breakability, implementations, nation-states’ decryption/cracking, alternatives e.g. IFC. Integrity, availability.
• Unauthorized intelligible access: co-tenants, hackers, insiders (controllers/processors). Mitigation through contract, structure e.g. ‘data trustee’. Processor obligations: use/disclosure, security (cf. ‘instructions’).
• Deletion – degrees; contractual constraints, risk-based approach. Define ‘deletion’.
• Providers’ compliance: physical datacentre inspections/audits: logical vs physical security, logs.
• Authorities’ access. Effective jurisdiction to compel disclosures, cf. The Pirate Bay (cloud, encryption). Interception without providers’ knowledge/cooperation – communications links; data location. Mass/bulk data collection/surveillance by states/governments. Jurisdictional conflicts, GDPR’s ‘anti-FISA’ Art.48. International agreement on surveillance’s limits/oversight.

Keywords: information security, confidentiality, integrity, availability, encryption, mass state surveillance

Appendix: comparative table of key DPD and GDPR international transfers provisions

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

Assumptions

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Unspoken assumptions underlying policies driving data export restrictions and the Directive’s approach to transfers, dating from the 1970s, leading to its lack of technology-neutrality, which the GDPR perpetuates.
• Assumptions regarding how controllers use processors: ‘computer service bureaux’, cf. cloud’s direct self-service.
• Assumptions behind the Restriction:
  • data location (mainframe model vs modern Internet/cloud realities),
  • access (physical possession vs intelligible access including encryption, remote access, simultaneous access; data location as only one factor among others),
  • countries’ jurisdiction (data location vs effective jurisdiction and modern supply chains’ multi-intermediation and multiple locations),
  • who can protect data (power/responsibility of countries to protect data adequately, and controllers’ risk assessments).

Keywords: Internet, technology-neutrality, data location, cyberspace, jurisdiction, cloud computing

Background

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Scope and aim: analysing the restriction under Arts.25–6, EU Data Protection Directive (Directive 95/46/EC) on ‘transfer’ of personal data ‘to’ ‘third countries’ outside the European Economic Area (Restriction), as a barrier to EEA controllers’ processing of digital personal data using public cloud computing.
• Physical ‘data localization’ approach of EEA data protection authorities and others.
• Basic concepts and terminology regarding cloud computing (service and deployment models, characteristics of infrastructure cloud and layered cloud services). Cloud use in the EU.
• Overview of EU data protection laws under the Data Protection Directive, objectives, data controllers, processors, processing, exemptions, national law implementations, supervision, and fundamental data protection principles.
• Key aspects of the Restriction. Mechanisms for allowing transfers: adequate protection, adequate safeguards. Derogations.
• GDPR’s version of the Restriction.

Keywords: cloud computing, Data Protection Directive, General Data Protection Regulation (GDPR), international transfers, third countries, data localization

Compliance and enforcement

The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens

W. Kuan Hon

• Many non-compliant transfers must exist: total likely volumes of transfers must exceed (relatively few) volumes of compliant transfers.
• Ubiquity of transfers: figures on trade with non-whitelisted countries, email traffic estimates.
• Relatively low transfers under mechanisms, based on numbers of Safe Harbour subscribers and national/Commission statistics – few Member State authorizations notified, possible reasons: ignorance of Restriction, authorization unnecessary, deliberate breach (resources vs transfer volumes).
• Enforcement of Restriction: dearth of data subject litigation, regulatory enforcement of data protection laws generally and Restriction specifically (illustrations from Sweden, the Netherlands, Spain, Poland, Italy, Slovenia, Norway); reasons why. Most address breaches of substantive principles, not location per se. Post-Schrems enforcement action particularly Germany, France. Enforcement under GDPR.
• Enforcement of breaches of mechanisms: contracts, BCRs, Safe Harbour (EU Data Protection Panel, US FTC).
• Focus should instead be on compliance with substantive principles, and increasing cross-border cooperation including under GDPR.

Keywords: enforcement, penalties, fines, complaints, litigation, international regulatory cooperation