Transatlantic data protection in practice

eds, Governance of Global Networks in the Light of Differing Local Values, Baden-Baden Compli-Cloud Security Alliance, Top Ten Big Data Security and Privacy lenges, 2012 Chal-Council of

Transatlantic Data Protection in Practice

Rolf H Weber • Dominic Staiger

Transatlantic

Data Protection

in Practice

ISBN 978-3-662-55429-6 ISBN 978-3-662-55430-2 (eBook)

DOI 10.1007/978-3-662-55430-2

Library of Congress Control Number: 2017947497

© Schulthess Juristische Medien AG, Zurich - Basel - Geneva 2017

This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part

of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission

or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed

The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations

Printed on acid-free paper

Co-Publication with Schulthess Juristische Medien AG ISBN 978-3-7255-7715-6

Published by Springer-Verlag GmbH Berlin Heidelberg 2017.

www.schulthess.com

Foreword

Information technology and communication tools have fundamentally changed the way in which humans as well as businesses operate and in-teract The caused challenges include automated data processing between machines as well as artificial and swarm intelligence being able to draw conclusions from a wide range of data

The global data flows are exposed to many different legal frameworks of sovereign nation states The lack of legal interoperability leading to a frag-mentation of the normative environment jeopardizes the success of the technologically possible information exchanges This assessment is partic-ularly relevant in the field of data protection law The different levels of data privacy rules in the European Union and in the United States of America have already provoked many political and legal debates

This publication analyses the potential conflicts in the light of their risks to enterprises and the way in which US-based cloud providers react to the uncertainties of the applicable data protection rules Furthermore, the study provides recommendations on how to navigate the practical chal-lenges and limitations in this field based on a lack of awareness related to the precise consequences of the processing operations within an enterprise

in view of the given data protection framework

The legal considerations are relying on an empirical investigation done with US cloud providers The qualitative interviews conducted during July and August 2016 in California were set up in an open format with an introductory phase and a subsequent focus an data protection and data security issues based on the experience of the interview partner This (oth-erwise not chosen) combination of empirical and normative work allows the development of new insights into the difficult application of data pri-vacy laws

The authors would like to thank Dr Bonny Ling, PostDoc Research tant at the Center for Information Technology, Society, and Law of the Law Faculty of Zurich University for the linguistic review of the manuscript and the Foundation for Academic Research of the University of Zurich (Stiftung für wissenschaftliche Forschung an der Universität Zürich) for the financial support which made this research possible

Assis-Zurich, in February 2017 Rolf H Weber / Dominic N Staiger

Table of Contents

Foreword V Table of Contents VII List of Abbreviations XIII Bibliography XVII

I Books, Journals and Website Materials XVII

Part 1: Introduction 1

A Trans-Atlantic Privacy Challenges 1

B Characteristics of the Cloud Environment 3

II Flexible Laws and Regulations 13

Part 2: Legal and Regulatory Framework 16

A Regulatory Concepts for Data Privacy 16

I Overview of Influencing Factors 16

II Technology-Based Model 17

B Data Privacy as Policy and Regulatory Topic in the EU 20

I Tensions between Fundamental Rights and Regulatory

Frameworks 20

II EU Digital Market Strategy 22III Data Protection Law Reform 24

Table of Contents

C Principles of Data Protection and Privacy in the US 26

I Evolution of Data Protection in the US 26 II Current Data Protection Framework 27 D EU Data Protection Framework 30

I Processing Authorization 31 II Processor v Controller 32 III Data Transfers Outside the EU 35 IV Information Requirements 37 V Fines and Penalties 38 E US Data Protection Framework 39

I Introduction 39 II Privacy Act and Wiretap Act 41 1 Privacy Act 41

2 Wiretap Act 41

III US Surveillance Framework 42 1 Patriot Act 42

2 Foreign Intelligence Surveillance Act 43

3 Cybersecurity Information Sharing Act (CISA) 46

4 US Freedom Act 47

5 Use of Metadata 51

6 Use of Big Data 52

IV Sarbanes-Oxley Act 53 V Selected State Statutes 54 F International Trade Law and Privacy 55

I EU Data Protection Law and GATS 55 1 General WTO Law Principles 55

2 Grounds for Justification of Trade-Restricting Measures 57

II Privacy-Related Plurilateral and Regional Trade Agreements 59

Table of Contents

Part 3: Practical Implementation of Data Protection Environment 62

A Industry Feedback on Data Protection and Security Challenges 62

I Interview Set-up 62 II Cloud Trends and Challenges 63 1 Introduction to Cloud Services 64

2 Costs in the Cloud 64

3 Latency in the Cloud 65

4 Identifying Personal Data 66

5 Security Risks 66

III Unique Challenges of Start-Ups 67 1 Key Challenge for Start-Ups 67

2 Entering the EU Market 68

IV Processing of Sector-Specific Health Data 69 B Business to Business in the Cloud 71

I Current Developments 71 1 New Technology 71

2 Contractual Innovation 72

3 Challenges for Cloud Vendors 73

4 Business Consultation Trends 73

5 Transatlantic Cloud Data Centers 74

II Ancillary Business Services 74 1 SaaS Human Resource Tools 75

2 SaaS Application Monitoring 77

3 Customer Success in the Cloud 79

4 SaaS Legal Services and Discovery 80

4.1SaaS Attorney Tools 81

4.2Discovery in the Cloud 83

4.3Trends Identified by Law Firms 85

5 SaaS Communication Tools 86

6 Extension: Public Services in the Cloud 88

Table of Contents

C Business to Consumer in the Cloud 88

I Data Protection Implications 89 II Consumer Protection 90 D Big Data Analytics Challenges 91

I Research Issues 92 1 University and Business Cooperation 92

2 Big Data Research 92

3 Anonymization and Big Data 93

II Regulatory Gap 95 III Behavioral Targeting 95 IV Government Data Release 97 1 United States 97

1.1Government Data Collection 97

1.2Freedom of Information 98

1.3Open Access 99

2 European Union 100

E Discrimination Based on Data 101

I Big Data 101 1 Key Elements 101

2 Credit Scoring 103

3 Employment 103

4 Higher Education 104

5 Criminal Justice 105

II Use of Personal Data in Big Data Processing 106 F Compliance and Risk Mitigating Measures 109

I Privacy Management Programs 110 1 Achieving Data Protection Compliance 110

2 Privacy Operational Life Cycle 112

3 Communication and Training 113

4 Response to Data Protection Issues 114

5 Compliance Toolbox 115

6 Contractual Measures 116

II Non-disclosure Agreements and Internal Protocols 118

Table of Contents

G Ensuring Data Security 120

I General Measures 121 II Security and the Internet of Things 125 III Labor Law Challenges of IT Sourcing 131 Part 4: Outlook on Future Developments 134

A Shaping Global Privacy 134

B Regulatory Efforts 136

Part 5: Annexes 138

A Comparative Table Ȯ Government Access 138

B Interview Summaries 140

II Interview 2 (Consulting) 143 III Interview 3 (IT Security) 144

V Interview 5 (Consulting) 148

IX Interview 9 (IT Security) 159

XI Interview 11 (Consulting & SaaS Development) 161

List of Abbreviations

Law and Policy

Arbeitnehmerüberlas-sung

BAG Bundesarbeitsgericht

Euro-pean Union

Colo Tech L.J Colorado Technology Law Journal

Infor-mation Security

List of Abbreviations

Eur J Hum Gen European Journal of Human Genetics

Act

Rights

Man-ual

OTT Over-the-Top

List of Abbreviations

Wash & Lee L Rev Washington and Lee Law Review

Kommunikations-recht an der Universität Zürich ZSR Zeitschrift für schweizerisches Recht

Bibliography

I Books, Journals and Web Materials

All weblinks have been checked on February 28, 2017 Additional references to specific topics are cited in the footnotes

Altman Micah and Rogerson Kenneth, Open Research Questions on formation and Technology in Global and Domestic Politics Ȯ Ž¢˜—ȱȃȃǰȱPolitical Science and Policy 41 (2008) 835

In-Amazon Inc., In-Amazon EC2 Ȯ Preise, <

Founda-Baldwin Robert and Cave Martin E., Understanding Regulation: Theory, Strategy, and Practice, Oxford 1999

Balebako Rebecca, Leon Pedro G., Almuhimedi Hazim, Kelly Patrick Gage, Mugan Jonathan, Acquisti Alessandro, Cranor Lorrie Faith, Sadeh Norman, Nudging Users Towards Privacy on Mobile Devices, 2011,

<http://ceur-ws.org/vol-722/paper6.pdf>

Bibliography

Barroso Luiz André, Clidaras Jimmy, Hölzle Urs, The Datacenter as a Computer, in: Hill Mark D (ed.), Synthesis Lectures on Computer Archi-tecture, San Rafael 2013, 1

Beardwood John and Bowman Mark, Cybersecurity Evolves? standing what Constitutes Reasonable and Appropriate Privacy Safe-guards Post-Ashley Madison, CRi 6/2016, 171

Under-Belser Eva Maria, Zur rechtlichen Tragweite des Grundrechts auf schutz: Missbrauchsschutz oder Schutz der informationellen Selbstbe-stimmung?, in: Epiney Astrid, Fasnacht Tobias, Blaser Gaetan (eds.), In-strumente zur Umsetzung des Rechts auf informationelle

Govern-Blume Peter, An Alternative Model for Data Protection Law: Changing the Roles of Controller and Processor, International Data Privacy Law 5 (2015) 292

Bolliger Christian, Feraud Marius, Epiney Astrid, Hänni Julia, Evaluation des Bundesgesetzes über den Datenschutz, Schlussbericht, 10 März 2011,

29, <datenschutzeval-d.pdf>

https://www.bj.admin.ch/dam/data/bj/staat/evaluation/schlussber-Borgesius Frederik J Zuiderveen, Singling Out People Without Knowing Their Names Ȯ Behavioural Targeting, Pseudonymous data, and the new Data Protection Regulation, Computer Law & Security Review (CLSR) 32 (2016), 256

Bibliography

Borking John J and Raab Charles D., Laws, PETs and Other Technologies for Privacy Protection, 1 The Journal of Information, Law and Technol-ogy (JILT) 2001, 1

Burkert Herbert, Privacy - Data Protection A German/European tive, in: Engel Christoph and Keller Kenneth H (eds), Governance of Global Networks in the Light of Differing Local Values, Baden-Baden

Compli-Cloud Security Alliance, Top Ten Big Data Security and Privacy lenges, 2012

Chal-Council of Europe, Cloud Computing and Its Implications on Data tection 2010, <https://rm.coe.int/CoERMPublicCom-

Pro-

monSearchServices/DisplayDCTMContent?documen-tId=09000016802fa3de>

Danezis George, Domingo-Ferrer Josep, Hansen Marit, Hoepman Henk, Le Métayer Daniel, Tirtea Rodica, Schiffne Stefan, Privacy and Data Protection by Design Ȯ from Policy to Engineering, ENISA (Euro-pean Union Agency for Network and Information Security) (2014)

Jaap-De Hert Paul and Papakonstantinou Vagelis, Three Scenarios for tional Governance of Data Privacy: Towards an International Data Pri-vacy Organization, Preferably a UN Agency? Journal of Law and Policy 9:2 (2013), 271

Interna-Bibliography

De Montjoye Yves-Alexandre, Radaelli Laura, Singh Vivek Kumar,

Pent-•Š—ȱ•Ž¡ȱȃŠ—¢Ȅǰȱ—’šžŽȱ’—ȱ‘Žȱ‘˜™™’—ȱŠ••DZȱ—ȱ‘ŽȱŽ’Ž—’’Š‹’•Ȭity of Credit Card Metadata, Science 347 (2015), 536

Drake William J and Kalypso Nicolạdis, Global Electronic Commerce

Š—ȱ DZȱ‘Žȱȃ’••Ž——’ž–ȱ˜ŠȱŠ—ȱŽ¢˜—Ȅǰȱ’—DZȱ ȱŘŖŖŖDZȱŽ ȱ’Ȭrections in Service Trade Liberalization, Sauvé Pierre and Stern Robert M (eds.) The Brookings Institute Press Washington DC 2000, 399

Durden Tyler, CISA Is Now The Law: How Congress Quietly Passed The Second Patriot Act, Zero Hedge 2015, <https://goo.gl/1u0J73>

Ernst & Young, Report on Cybersecurity and the Internet of Things (2015), <http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf>

European Cloud Partnership Steering Board, European Cloud ship (2014), < https://ec.europa.eu/digital-single-market/en/european-cloud-partnership>

Partner-European Commission, Why We Need a Digital Single Market, Factsheet (2015)

European Union Agency for Network and Information Security (ENISA), Privacy and Data Protection by Design (January 2015),

<by-design/at_download/fullReport>

https://www.enisa.europa.eu/publications/privacy-and-data-protection-European Union Agency for Network and Information Security 2014,

Bibliography

Executive Office of the President, Big Data: Seizing Opportunities, serving Values (2014), <https://obamawhitehouse.archives.gov/sites/de-fault/files/docs/20150204_Big_Data_Seizing_Opportunities_Preserv-ing_Values_Memo.pdf>

Pre-Federal Chief Information Officers Council, Chief Acquisition Officers Council & Fed Cloud Compliance Comm., Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Ac-quiring it as a Service (2012), <https://cio.gov/wp-content/uploaA/ down-loads/2012/09/cloudbestpractices.pdf>

Federal Trade Commission, Building Security in the Internet of Things (2015), <https://www.ftc.gov/system/files/documents/plain-language/ pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf>

Fife Elizabeth and Orjuela Juan, The Privacy Calculus: Mobile Apps and User Perceptions of Privacy and Security, International Journal of Engi-neering Business Management 4 (2012), 1

Financial Markets Law Committee, Discussion of Legal Uncertainties Arising in the Area of EU Data Protection Reforms (2014)

Galetta Antonella and Kloza Dariusz, Cooperation Among Data Privacy Supervisory Authorities: Lessons from Parallel European Mechanisms, Jusletter IT of February 25, 2016

Gartner Press Release, Gartner Says 6.4 Billion connected Things will be

in Use in 2016, Up 30 Percent from 2015 (November 2015),

la Vie Privée Challenges of Privacy and Data Protection Law, Bruylant,

2008, 570

Gwarzo Zahraddeen, Security and Privacy Issues in Internet of Things, in: Jusletter IT of February 25, 2016

Härting Niko, Datenschutz-Grund-Verordnung, Köln 2016

Heywood Debbie, Obligations on Data Processors under the GDPR

<data-processors-under-gdpr.html>

https://www.taylorwessing.com/globaldatahub/article-obligations-on-Hon W Kuan, Millard Christopher, Walden Ian, Negotiating Cloud tracts: Looking at Clouds from both Sides Now, Stanford Technology Law Review (STLR) 16 (2012), 79

Con-Hon W Kuan, Millard Christopher, Walden Ian, Who is Responsible for Personal Data in Clouds? in Millard Christopher (ed), Cloud Computing Law, Oxford 2013, 208

Hoover Nicholas, Compliance in the Ether: Cloud Computing, Data rity and Business Regulation, Journal of Business & Technology Law 8 (2013), 255

Secu-Huawei White Paper, Connectivity Index 2016,

<dex_2016_whitepaper.pdf>

http://www.huawei.com/minisite/gci/pdfs/Global_Connectivity_In-Bibliography

Internet Society, Internet Society, The Internet of Things: an Overview (2015), <https://www.internetsociety.org/sites/default/files/ISOC-IoT-Overview-20151014_0.pdf>

Irion Kristina, Yakovleva Svetlana, Bartl Marija, Trade and Privacy: plicated Bedfellows?, Independent Study Commissioned by BEUC et al., published July 13, 2016, Amsterdam, Institute for Information Law Kaye Jane, Whitley Edgar A, Lund David, Morrison Michael, Teare Har-riet, Melham Karen, Dynamic Consent: A Patient Interface for Twenty-First Century Research Networks, Eur J Hum Gen 23 (2014), 141 Khoo Benjamin, RFID as an Enabler of the Internet of Things: Issues of Security and Privacy, 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Compu-ting 2011, 709, <http://ieeexplore.ieee.org/stamp/stamp.jsp?ar-

http://www.sr.ithaka.org/publications/building-a-pathway-to-student-Landau Susan, Surveillance or Security?, Cambridge MA 2011

Manadhata Pratyusa K and Wing Jeannette M., An Attack Surface ric, in: IEEE Transactions on Software Engineering (2010), 371-386

Met-Manyika James, Chui Michael, Brown Brad, Bughin Jacques, Dobbs ard, Roxburgh Charles, Byers Angela Hung, Big Data: The Next Frontier for Innovation, Competition, and Productivity (2011),

Rich-<https://goo.gl/TqzVNA>

Marcus Jon, Colleges Use Data to Predict Grades and Graduation, The Hechinger Report December 10, 2014 <http://hechingerreport.org/like-re-tailers-tracking-trends-colleges-use-data-predict-grades-graduations/>

Bibliography

Mayer-Schönberger Viktor, The Shape of Governance: Analyzing the World of Internet Regulation, Virginia Journal of International Law 4 (2002), 612

McAdams James G., Foreign Intelligence Surveillance Act: An Overview, Federal Law Enforcement Training Centers (2009),

<https://goo.gl/aqcWo7>

McAfee Labs, 2016 Threat Predictions, 2015

Microsoft Inc., Law Enforcement Request Report, Microsoft 2016,

<https://goo.gl/XWa7mh>

National Institute of Standards and Technology, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, 5

<https://goo.gl/uWJhJU>

Nissenbaum Helen, Privacy in Context, Stanford 2009

Office of the Australian Information Commissioner, Data Breach cation ȯ A Guide to Handling Personal Information Security Breaches,

Notifi-<breach-notification-a-guide-to-handling-personal-information-security-breaches>

https://www.oaic.gov.au/agencies-and-organisations/guides/data-Ohm Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, UCLA Law Review 57 (2010) 1701

Peng Shin-yi, Digitalization of Services, the GATS and the Protection of Personal Data, in: Sethe Rolf et al (Hrsg.), Kommunikation, Festschrift für Rolf H Weber, Bern 2011, 753

›Žœ’Ž—Ȃœȱ˜ž—Œ’•ȱ˜ȱŸ’œ˜›œȱ˜—ȱŒ’Ž—ŒŽȱŠ—ȱŽŒ‘—˜•˜¢ǰȱ¡ŽŒž’ŸŽȱOffice of the President, Big Data and Privacy: A Technological Perspec-tive (2014), <https://www.whitehouse.gov/sites/default/files/micro-sites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf>

Bibliography

Research Group on the Law of Digital Services, 'Research Group on the Law of Digital Services: Discussion Draft of a Directive on Online Inter-mediary Platforms, Journal of European Consumer and Market Law

Vol-Ruiz Rebecca R and Lohr Steve, F.C.C Approves Net Neutrality Rules, Classifying Broadband Internet Service as a Utility, New York Times (26 February 2015), <http://www.nytimes.com/2015/02/27/technology/net-neutrality-fcc-vote-Internet-utility.html?_r=0>

Russell Brad, Data Security Threats to the Internet of Things (2015),

<the-internet-of-things>

https://www.parksassociates.com/blog/article/data-security-threats-to-Savage Charlie, Reagan-Era Order on Surveillance Violates Rights, Says Departing Aide, New York Times (2014), <https://goo.gl/22ErTL>

Schwartz Paul M., Privacy and Participation: Personal Information and Public Sector Regulation in the United States, Iowa Law Review 80 (1995)

553

Schwartz Paul M., Data Processing and Government Administration: The Failure of the American Legal Response to the Computer, Hastings Law Journal 43 (1992) 1321

Schwartz Paul M and Solove Daniel, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, NYU Law Review

86 (2011) 1814

Bibliography

Shackelford Scott, Raymond Anjanette, Balakrishnan Rakshana, Dixit Prakhar, Gjonaj Julianna, Kavi Rachith, When Toasters Attack: A Poly-centric Approach to Enhancing the Security of Things, Kelley School of Business Research Paper No 16-6, January 2016

Shaffer Gregory, Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of US Privacy Standards, 25 Yale Journal of International Law (2000), 1

Siddiqui Sabrina, Congress Passes NSA Surveillance Reform in tion for Snowden, The Guardian (June 3, 2015), <https://goo.gl/IzXga1>

Vindica-Smith Megan, Patil DJ and Muñoz Cecilia, Big Risks, Big Opportunities: the Intersection of Big Data and Civil Rights, White House (2016),

<ties-intersection-big-data-and-civil-rights>

https://www.whitehouse.gov/blog/2016/05/04/big-risks-big-opportuni-Staiger Dominic N., Die Zukunft des Datenschutzes in einer ten Welt, in Grosz, Mirina und Grünewald, Seraina (eds.), Recht und Wandel, Festschrift für Rolf H Weber, Zürich 2016, 147

globalisier-Staiger Dominic N., Data Protection Compliance in the Cloud, Zürich

Symantec White Paper, Insecurity in the Internet of Things (March 2015),

<pers/insecurity-in-the-internet-of-things.pdf>

chives.gov/the-press-office/2013/05/09/executive-order-making-open-Thierer Adam D., A Framework for Benefit-Cost Analysis in Digital vacy Debates, George Mason Law Review 20/4 (2013), 1055

Pri-Thierer Adam D., The Pursuit of Privacy in a World Where Information Control is Failing, Harvard Journal of Law and Public Policy 36/2 (2013),

U.S White House, Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015, Sec 104(a),

<ters/cpbr-act-of-2015-discussion-draft.pdf>

https://www.whitehouse.gov/sites/default/files/omb/legislative/let-United Nations Conference on Trade and Development, Data Protection Frameworks must be Compatible with International Data Flows for De-veloping Countries to Benefit from the Global Digital Economy, 2016

Bibliography

Verizon Report, 2015 Data Investigations Report, <zonenterprise.com/DBIR/2015/>

http://www.veri-Walters Chris, Facebook´s New Terms of Service: "We can do Anything

we Want with Your Data Forever", Consumerist 2009,

2017, 55

Weber Rolf H., Internationale Trends bei men, in: Weber Rolf H und Thouvenin Florent (Hrsg.), Datenschutz-Ma-nagementsysteme im Aufwind?, Zürich 2016, 31

Datenschutz-Managementsyste-Weber Rolf H., Competitiveness and Innovation in the Digital Single Market, European Cybersecurity Journal 2/1 (2016), 72

Weber Rolf H., Internet of things: Privacy issues revisited, Computer Law and Security Review 31 (2015), 618

Weber Rolf H., Legal Interoperability as a Tool for Combatting tation, Centre for International Governance Innovation and the Royal In-stitute of International Affairs, 2014

Fragmen-Weber Rolf H., Big Data: Sprengkörper des Datenschutzrechts? Weblaw Jusletter IT of December 11, 2013

Weber Rolf H., How does Privacy Change in the Age of the Internet?, in: Fuchs Christian, Boersma Kees, Albrechtslund Anders, Sandoval Marisol

Weber Rolf H and Staiger Dominic N., Datenüberwachung in der

Schweiz und den USA, Jusletter of November 25, 2013

Weber Rolf H and Staiger Dominic N., Legal Challenges of Trans-border Data Flow in the Cloud, Jusletter-IT of May 15, 2013

Weber Rolf H and Staiger Dominic N., teme in der der Cloud, in Weber Rolf H und Thouvenin Florent (Hrsg.) Datenschutz-Managementsysteme im Aufwind?, Zürich 2016, 169-190 Weber Rolf H and Studer Evelyne, Cybersecurity in the Internet of Things: Legal Aspects, Computer Law & Security Review 32/5 (2016), 715 Werkmeister Christoph and Brandt Elena, Datenschutzrechtliche Heraus-forderungen für Big Data, Computer und Recht 2016, 233

Datenschutz-Managementsys-Wespi Andreas, Big Data: Technische Perspektive, in: Weber Rolf H und Thouvenin Florent (Hrsg.) Big Data und Datenschutz Ȯ Gegenseitige Her-ausforderungen, Zürich 2014, 3

White House Office of the Press Secretary, Remarks by the President on Review of Signals Intelligence 2014, <https://goo.gl/1oOShX>

Wicker Magda, Vertragstypologische Einordnung von Cloud ting-Verträgen, Multimedia und Recht 2012, 783

Yakovleva Svetlana and Irion Kristina, The Best of Both Worlds? Free Trade in Service, and EU Law on Privacy and Data Protection, Amster-dam Law School Legal Studies Paper No 2016-65

Yuhas Alan, NSA Reform: USA Freedom Act Passes First Surveillance Reform in Decade Ȯ as It Happened, The Guardian (June 2nd 2015),

<https://goo.gl/KKWlL7>

Bibliography

II Statutes

Americans with Disabilities Act, Pub.L 101-336, 42 U.S.C § 12101

California Online Privacy Protection Act of 2003, Cal Bus & Prof Code

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection

of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) OJ L 201, 31.7.2002, p 37Ȯ47

Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on Consumer Rights, amending Council Directive

93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council Text with EEA Relevance, OJ L 304, 22.11.2011, p 64Ȯ88

Electronic Communications Privacy Act, Pub.L 99Ȯ508, 18 U.S.C § 2510 Foreign Intelligence Surveillance Act, Pub.L 114-38, 50 U.S.C § 36 Freedom of Information Act (FOIA), Pub.L 89-487, 5 U.S.C § 552

Gramm-Leach-Bliley Act, Pub.L No 106-102, 113 Stat 338

Health Insurance Portability and Accountability Act of 1996, Pub.L 104Ȯ

191, 110 Stat 1936

Bibliography

Pen Register Act, Pub.L 114-38, 18 U.S.C §§ 1321Ȯ1327

Privacy Act, Pub.L 93-579, 5 U.S.C § 552a

Proposal for a Regulation of the European Parliament and of the Council concerning the Respect for Private Life and Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Privacy and Elec-tronic Communications Regulation)

Regulation on the Protection of Natural Persons with regard to the cessing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) Regu-lation (EU) 2016/679, OJ L 119, 27.04.2016, p 1Ȯ88

Pro-Sarbanes Oxley Act, Pub.L No 107-204, 116 Stat 745

Stored Communications Act, Pub.L 114-38, 18 U.S.C § 2701

Uniting and Strengthening America by Providing Appropriate Tools quired to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001, Pub.L 107-56

Re-USA Freedom Act of 2015, H.R 2048

Wiretap Act , Pub.L 114-38, U.S.C §§ 2510Ȯ2522

Part 1: Introduction

A Trans-Atlantic Privacy Challenges

Information technology and communication tools have fundamentally changed the way in which humans operate and interact over the last dec-ade Information that was regarded as private in the past is openly shared today on social websites, and the most insignificant things are tweeted to the world In light of these changes, regulators around the world must take

a step back and assess whether their current legal frameworks with regard

to data and privacy protection, as well as the rights of individuals, are able to deal with the new challenges taking shape These challenges in-clude automated processing and communication between machines (so-called IoT devices), as well as artificial and swarm intelligence that is able

suit-to draw conclusions from a wide range of data suit-touching upon the core of human individualism.1

In particular, the rise of Big Data technologies running on cloud-based tems has created a significant shift in the ability of technology to under-mine data protection and the privacy of an individual Big Data is under-stood as the processing of large amounts of data which are often unstructured.2 Its core ability lies in identifying patters and correlations that previously were impossible to identify, for the reasons that the data was either unavailable or too costly to process Today, with the ability to use cloud computing and other cost reduction measures, such calculations are possible at a fraction of their previous costs

sys-The velocity of data growth has made Big Data a necessity in order to deal with the sheer volume of the unstructured data created on a daily basis and to derive value from it Unstructured data also allows for a wide range

of data combinations, thus enabling large corporations to further improve their service offerings and efficiency.3 New software technologies are ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

1 See for example the current Stanford University publication of Peter Stone and others, Artificial Intelligence and Life in 2030

2 Wespi, 4

3 See e.g Manyika and others, An Attack Surface Metric

A Trans-Atlantic Privacy Challenges

equipped to deal with the so-ŒŠ••Žȱȃ—˜’œ¢ȱŠŠ,Ȅȱ ‘’Œ‘ȱ’œȱ—˜ȱŠ‹œ˜•žŽ•¢ȱaccurate data but still can be used to refine the results from the huge amount of available data

Another difference concerns the agreement on how data is analyzed and applied This can occur either with data in rest, meaning already stored, or ȃ˜—ȱ‘Žȱ•¢Ȅȱ ‘Ž—ȱit is transferred from the source to the storage medium and interpreted during this transfer process in real-time The power of Big Data lies in its ability to split a specific task into smaller tasks that can be carried out independently Results from these smaller tasks are subse-quently put together in order to reach the final result

With regard to data protection, the key question concerns the problem that the data which has been processed results in the identifiability of a data subject.4 This situation can occur for an individual task or when all the task results are compiled together Sometimes the final conclusion will be too general to result in identifiability as it only allows to identify an individual

in combination with other data Thus, the circumstances in which data tection laws will apply can vary significantly depending on the precise na-ture of the processing operation

pro-This publication will introduce the EU and US data protection frameworks and current regulatory trends In doing so, issues that arise out of the con-flicting views on privacy can be identified These conflicts are then ana-lyzed in light of their risks to enterprises and the way in which US-based cloud providers react to the uncertainty they create Furthermore, this study will provide recommendations on how to navigate the murky wa-ters of conflicting practical challenges and limitations Most of these chal-lenges are based on a lack of awareness and understanding of the legal frameworks of data protection and the precise nature of the processing op-erations within an enterprise Thus, one of the first measures that should

be realized is a basic awareness training that takes into account the vidual business characteristics

indi-In particular, US-based enterprises face a wide array of challenges relating

to EU data protection laws These differ depending on the size and type of ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

4 General Data Protection Regulation, Article 4

‘Žȱ‹Šœ’ŒȱŒ•˜žȱŽŒ‘—˜•˜¢ȱž—Ž›•¢’—ȱ–˜œȱ˜ȱ˜Š¢Ȃœȱ™›˜ŒŽœœ’—ȱ˜™Ž›ŠȬtions also increases the complexity of data protection, since the data is of-ten processed in various locations by several processors.6 Furthermore, all mobile applications run on cloud-based systems that communicate a num-ber of meta- and identifying data in addition to the data processed in order

to provide the service This often includes direct personal data The sion of cloud technology started to gain momentum in the early 2000s when Amazon began to offer the first cloud services as a way of finding new uses for its overcapacity outside the requisite peak periods of Christ-mas and other special holidays

expan-B Characteristics of the Cloud Environment

Multi-layered environments, such as the cloud, present a unique set of challenges from a technical as well as a legal viewpoint Furthermore, the cloud is used for many new technologies, including Big Data or artificial intelligence processing

I Overview

Generally the cloud can be grouped into three main service provisioning models, which consist of an Infrastructure as a Service (IaaS), Platform as ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

5 On the role of controllers and processors under EU data protection law see e.g Blume, 293 et seq

6 For an introduction to the cloud challenges see Weber and Staiger, Legal

Challenges of Trans-border Data Flow in the Cloud, N 1 et seq

B Characteristics of the Cloud Environment

a Service (PaaS), and Software as a Service (SaaS) IaaS provides the ware resources for the processing and storage of the data PaaS supplies a basic software infrastructure on the IaaS, which allows SaaS providers to install and run their software solutions

hard-These characteristics include:7

a) On-demand self-service: A consumer can unilaterally provision

compu-ting capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider

b) Broad network access: Capabilities are available over the network and

accessed through standard mechanisms that promote use by neous thin or thick client platforms (e.g., mobile phones, tablets, lap-tops, and workstations)

heteroge-c) Resource poolingDZȱ ‘Žȱ ™›˜Ÿ’Ž›Ȃœȱ Œ˜–™ž’—ȱ ›Žœ˜ž›ŒŽœȱ Š›Žȱ ™˜˜•Žȱ to

serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand There is a sense of location independ-ence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or data cen-ter) Examples of resources include storage, processing, memory, and network bandwidth

d) Rapid elasticity: Capabilities can be elastically provisioned and released

automatically, to scale rapidly with demand To the consumer, the pabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time

ca-e) Measured service: Cloud systems automatically control and optimize

re-source use by leveraging a metering capability at some level of tion appropriate to the type of service (e.g., storage, processing, band-width, and active user accounts) Resource usage can be monitored, ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

abstrac-7 National Institute of Standards and Technology, 5

US, electricity prices are a major factor in the decision-making process of cloud providers In some states, prices can differ by over 50% Cloud pro-vider pricing reflects these differences as a consequence.9 In Europe, the lower electricity prices in the Netherlands, Norway and Sweden are a strong factor incentivizing IaaS providers to set up their EU services in these countries having also become the locations in which Amazon has set

up its server centers or is planning to expand its operations

For most enterprises, moving data into the cloud presents technical lenges such as the transfer of data from a mostly proprietary format used

chal-on internal IT systems to an open format in the cloud Technical support from the cloud provider is essential in enabling a broader acceptance of the technology

Cloud computing continues to be a diverse business area, as the required services of various cloud customers are substantially different from one another For example, the rise of video channels such as YouTube presents challenges for cloud systems, which must cope with the huge amount of video data that has to be transmitted worldwide With these develop-ments, the software underlying the hardware systems is constantly chang-ing in order to enhance efficiency and reduce costs.10

ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

8 Barroso, Clidaras and Hölzle, 12

9 For example, Amazon´s cloud services are much cheaper in Virgina and Oregon than in California See Amazon Web Services Inc., 'Amazon EC2 Pricing' (2016)

< https://goo.gl/mIACqH > Additionally, there may be other factors that warrant the use of a data centre further away (see e.g Tim Caulfield)

10 Barroso, Clidaras and Hölzle, 16

B Characteristics of the Cloud Environment

Before assessing legal compliance in any cloud scenario, an in-depth derstanding of cloud services and any ancillary services is essential As a first step, one must determine who is the end user of the service and for what purpose the service will ultimately be used In a multi-layered sce-nario, such a judgement will be impossible for the IaaS provider to make The SaaS provider is, however, generally in a position to make such dis-tinctions because it is the last cloud service provider before the service reaches the end user Thus, the burden of compliance on a cloud provider should increase the closer the service gets towards the end user and the more sophisticated it becomes

un-The risks inherent in cloud computing can be grouped into outsourcing, centralization, internationalization, and systemic complexity risks.11 In or-der to mitigate these risks, targeted solutions both on the regulatory and technical side are necessary The modes of such solutions consist of:

 direct intervention through regulations, such as the EU General Data Protection Regulation;

 co-regulations, including governmental actors, industry tives and other stakeholders acting in concert to resolve challenges pre-sented by new technologies;

representa- a self-regulatory approach that enables the industry to set its own framework, such as standard contract terms; this approach is informal and can adjust very fast to changes in the market; it, however, is also subject to stronger market forces

All strategies have their own benefits; some excel in market uncertainties, while others provide a strong foundation for development.12

II Cloud Governance Approaches

From a governance perspective, the following four characteristics affect the regulation of cloud computing:

ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

11 Gasser, Cloud Innovation and the Law: Issues, Approaches, and Interplay, 15

12 See e.g Baldwin and Cave, 25 et seq

Cloud Governance Approaches

 Variety in norms: A plurality of state actors, ranging from national

gov-ernment agencies to supranational institutions with formal ing capacity, have engaged in enacting a diverse set of (partly overlap-ping or otherwise interacting) norms aimed at regulating certain aspects of the cloud computing phenomenon This has been particu-larly the case in the US, which lacks uniform laws and competence in this regard

rule-mak- Variety in control mechanisms: In addition to traditional, hierarchical

mechanism of control, legal and regulatory approaches to cloud puting include alternative modes of control, such as market regulation, the shaping of social norms, and design requirements

com- Variety in controllers: While traditional state regulatory bodiesȯsuch as

government agencies or courtsȯcontinue to play a key role in the text of cloud regulation, important control functions have also been at-tributed to alternative governance institutions, including standard-set-ting bodies and trade associations

con- Variety in controllees: In the cloud computing governance ecosystem,

businesses that provide cloud services are the key regulatees However,

a broader range of actors is also relevant to the outcomes of governance efforts, including the government itself, especially where it plays the role of a cloud user.13

Various factors, interests and market forces influence the broader ance framework of cloud computing Data protection laws and security rules are important aspects of this environment Broad interest group par-ticipation plays a relevant role in the developments in these areas The con-text in which these laws operate in is also central to their success For ex-ample, some areas embrace higher security and data protection standards, whereas others are reluctant to adopt these standards and lobby heavily against them

govern-The regulators have generally two choices when it comes to regulating new technologies: either they are able to subsume the technology under ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

13 Gasser, Cloud Innovation and the Law: Issues, Approaches, and Interplay, 13

B Characteristics of the Cloud Environment

existing laws or they have to create new legislations The subsumption proach is difficult to implement because it must be applied to all laws per-taining to the specific technology, as well as the contracts that are in place Contracts are one of the most innovative tools that can be adjusted to new technologies and can then account for new risks and obligations necessary

ap-in changap-ing contexts They evolve ap-in lap-ine with the demands and ments of the market.14 Laws, however, are much slower to adjust This cre-ates novel cases, particularly in areas involving rights associated with data Examples include copyright laws as well as discovery laws, which have determined the boundaries of discovery in the cloud where data is stored

develop-on various servers and potentially in various jurisdictidevelop-ons Adaptidevelop-on cedures on the international level also play an important role, despite not being so present in the public eye

pro-The US Congress proposed the Cloud Computing Act in 201215 that would have addressed a few issues relating to criminal activities in the context of cloud computing and the associated damages For instance, each access to

a cloud account would have been viewed as a separate offence ally, the minimum compensation for each unauthorized access should be

Addition-500 USD This was deemed necessary, since the loss is often hard to prove when the intended use of the information obtained is not known.16 This direct intervention into the market by legislators through the law-making process such as the Cloud Computing Act is generally not consid-ered to be the most efficient solution Nevertheless, such an approach is required in a limited number of circumstances when incentive-based ap-proaches would not be successful This is certainly the case in the area of criminal sanctions, penalties and damages Furthermore, the risk of the processing operation must be transferred onto the enterprise that is in con-trol of the data and not rest with the data subject, who has little or no ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

14 Hon, Millard, Walden, Negotiating Cloud Contracts: Looking At Clouds From Both Sides Now, 79 et seq

15 A Bill to Improve the Enforcement of Criminal and Civil Law with Respect to Cloud Computing and for Other Purposes, S 3569, 112th Congress (2011-2012)

16 However, the Act has so far failed to pass Congress

Political Context of Regulating the Cloud

power over the actual processing of his or her personal data.17 A positive approach would be to influence the market by imposing positive or nega-tive externalities on certain conducts through, for instance, subsidies or taxes

III Political Context of Regulating the Cloud

In the course of analyzing various forms of regulations and their bility, the huge influence the political setting has on this development is often not sufficiently taken into account The regulation of such a complex area as cloud computing regularly creates tensions resulting in trade-offs between different policy objectives For example, governments seek to en-sure that consumers can trust any new technology Otherwise, the service will not prevail, and potentially macroeconomic gains cannot be realized

applica-At the same time, regulations should ensure that the service offering is safe for consumers to use, thus this requires minimum enforcement and control mechanisms.18

The roles of governments are also multifaceted On the one side, they are the regulator of a service On the other side, they are a user and customer Additionally, various conflicts between competing interests may particu-larly influence data protection regulations, as governments at the same time seek to expand their surveillance capabilities to the cloud Addition-ally, the fluidity of technology and the definitions used to qualify it ulti-mately shape the manner in which it is regulated Often, legislators refer

to technical standard-setting bodies when they seek definitions, which then grant these organizations some degree of influence over the regula-tory process

Measuring the success of the many regulations and practices applicable to the cloud is hard to achieve This is due to the fact that general agreement

on the important measuring factors must first be reached, followed by ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

17 Hoover, 255 et seq

18 Such control mechanisms can take the form of data protection management tems see Staiger and Weber, Datenschutz-Managementsysteme in der Cloud, 171

sys-et seq

C Functions of Technology and Law in the Context of Privacy

agreement on the selected assessment method Feedback loops can be plemented as a first step to improve the pool of available information The

im-EU, so far, has been successful in receiving much feedback on its laws and proposals However, the long duration of the revision cycle of existing laws is ill-œž’Žȱ˜ȱ˜Š¢Ȃœȱ–˜Ž›—ȱŽŒ‘—˜•˜’Žœǯȱ˜›ȱŽ¡Š–™•Ž, revisions for the EU Data Protection Directive has begun some 17 years after its adoption in 1995

C Functions of Technology and Law in the Context of Privacy

I Technical Solutions

The users of services and products must be given the tools to firstly stand what processing is carried out and under what circumstances their data is at risk This can be achieved through school education and general awareness-raising campaigns with regard to selected issues that pose a common threat to individual privacy In particular, the risk must be high-lighted that the nudging behavior, which aims at influencing the decision-making process of individuals without significantly changing their eco-nomic incentives is not always unfolding.19 This technique can be used to increase the privacy of individuals in the context of online media, while also encouraging them to reveal more information about themselves and their environment.20 The respective tensions need to be taken into account

under-in the implementation of technical solutions

Behavioral economics has become a core research area and has found its first legislative influence in the field of data protection regulation in the GDPR of the EU This new EU data protection law allows for standardized icons, which enable users to quickly determine the nature of the processing operation and the risk to their personal information.21 Interactions with the customer, particularly when data is being generated by devices (IoT data), ȮȮȮȮȮȮȮȮȮȮȮȮȮȮ

19 Thaler and Sunstein, 5

20 Balebako, Leon, Almuhimedi, Kelly, Mugan, Acquisti, Cranor, Sadeh, 2

21 General Data Protection Regulation, Article 12(7)