I. Description of VUB/LSTS
The interdisciplinary Research Group on Law, Science, Technology & Society at the Vrije Universiteit Brussel (LSTS) is devoted to analytical, theoretical and prospective research into the relationships between law, science, technology and society. Although LSTS’s core expertise is legal, it also has strong experience and a track record in legal theory, philosophy of science and bioethics, and engages in criminological and STS research as well.
LSTS has a well‐established reputation in research on privacy and data protection, profiling technologies, ambient intelligence and cloud computing. LSTS research also covers the regulation of technology and issues at the crossroads of intellectual property law, science and technology, among others.
II. Key persons to the project
Paul De Hert is an international human rights expert. The bulk of his work is devoted, though not limited, to criminal law and to technology and privacy law. At VUB, Paul De Hert holds the chairs of ‘Criminal Law’, ‘International and European Criminal Law’ and ‘Historical introduction to eight major constitutional systems’. He is Director of the VUB Research Group on Fundamental Rights and Constitutionalism (FRC), Director of the Department of Interdisciplinary Studies of Law (Metajuridica) and a core member of LSTS. He is also an Associate Professor at the Institute of Law and Technology at Tilburg University (TILT).
Hans Lammerant holds an MA in law and an MA in philosophy. He previously worked for NGOs in the fields of peace and human rights and is currently conducting research on surveillance and the impact of data mining.
Irene Kamara is a researcher and a qualified attorney with experience in the protection of personal data, liability, intellectual property rights and standardisation. She holds a Bachelor of Laws, a Master’s degree in International and European Studies and a Master’s degree in Law and Technology. Her previous work experience includes the European Standardisation Organisations and the European Data Protection Supervisor, working on contractual liability and on the protection of personal data in cloud computing and on mobile devices.
III. Contributions to the project
The EU Data Protection Law perspective of SeCloud or EU Data Protection Law in the Cloud
Cloud Computing raises various concerns related to privacy and personal data protection. Most of these concerns are common to all Cloud service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid) and, according to the Article 29 Working Party, fall under two categories:
1) the lack of control over the cloud client’s personal data: cloud clients entrust their personal data to cloud service providers and can no longer apply by themselves the technical and organisational measures needed for data protection and data security.
2) the absence of transparency regarding the personal data processing operations carried out by the cloud service providers: insufficient (or no) information may hide potential risks from cloud clients and therefore prevent them from taking appropriate measures.
The following structure represents the steps taken during the research conducted in the context of SeCloud WP3 on Process. Part of this Work Package dealt with the examination of the EU Data Protection Law dimension of SeCloud and the relevant legal issues.
1. Overview of the applicable legal framework and general legal requirements.
The main challenge is to properly address privacy and data protection concerns not only during service deployment, but also at an earlier stage, during service and software development. As the EDPS states, privacy and personal data protection in the context of Cloud Computing must not, in any case, be inferior to the level of protection required for any other conventional personal data processing operation. Cloud Computing models can only be developed and applied lawfully if certain data protection standards are maintained.
In Deliverable 3.0 “Overview of the applicable legal framework and general legal requirements” we provided an introductory insight into the legal framework applicable to Cloud Computing with respect to personal data protection and personal data security (mostly the Data Protection Directive 95/46/EC and the General Data Protection Regulation) and the resulting requirements and key principles.
2. Legal responsibilities and liabilities in the cloud-based applications environment
Having presented the broader picture (the general legal framework and requirements), as a next step we narrowed our scope to SaaS applications and SaaS application providers. Deliverable 3.2 “Legal responsibilities in the cloud-based applications environment” maps the division of roles and the legal relations implicated in cloud-based applications, and the resulting responsibilities and liabilities, through the prism of the EU General Data Protection Regulation. Our starting point was the presentation of the roles of the various cloud actors, with a focus on SaaS providers. We then discussed the legal “role” and “status” of these actors in terms of EU Data Protection Law. Finally, we described the main responsibilities imposed on these cloud actors by EU Data Protection Law, by “translating” the legal requirements presented in Deliverable 3.0 “Overview of the applicable legal framework and general legal requirements” into more specific requirements tailored to SaaS application providers. This analysis leads to the next level, a series of more concrete SaaS-related use cases, in which scenarios are presented and explained, putting the initial analysis into practice (Deliverable 3.1 “Requirements engineering for cloud-based applications: Translating the legal obligations to technical requirements”). The use cases are intended to provide food for thought and considerations to be taken into account in similar scenarios.
3. Contractual framework for cloud-based applications
Based on the division of roles and legal relations and the resulting mapping of responsibilities, we presented an overview of the identified contractual needs and of the contractual framework required to maintain GDPR compliance (Deliverable 3.4 “Contractual framework for cloud-based applications”). The identified contractual needs are translated into contractual recommendations and criteria that help assess data protection concerns during the use of cloud-based applications, with the aim of achieving a GDPR-compliant contractual framework. These factors can also be considered when identifying, assessing and choosing cloud computing services, or when a SaaS provider wants to assess its own compliance in terms of personal data protection.
Last but not least, in the context of Deliverable 3.3 “Legal assessment tool”, two detailed tables were created, summarising the EU Data Protection Law requirements and obligations for the cloud client and for the cloud service provider (CSP), in our case the SaaS provider. First, the relevant legal issues and GDPR provisions are presented. Next to them, these issues are translated into requirements for a SaaS cloud scenario. Finally, the action points a cloud client and a CSP should take in order to meet those requirements are listed.