In document El Matrimonio y el Amor (pages 22-25)

In the context of IT outsourcing to the cloud, the corporate customer transfers data to the cloud originating from multiple sources and designated for different processing purposes. For example, data may contain customer information, economic data, and intellectual property belonging to third parties. Whether data processing is lawful and which requirements apply is defined by legal norms corresponding to the processed data.

Generally, data can be classified into the following four categories: personal data, business data, property right protected data, and unprotected data. Each category is introduced below, and the corresponding legal norms are identified. These categories are not necessarily disjoint. For example, customer data may be considered personal data since they reference real persons, and at the same time they are business data since they are associated with a specific corporate customer and are of importance for that customer’s operational business. If data belong to multiple categories, then multiple norms and the requirements of each category involved may apply. Generally, such data are denoted mixed data.

Personal data (also personally identifiable information¹) are data that are (or can be) associated (i.e., personally identifiable) with a real person (a.k.a. the data subject) in general.² Within the cloud, the personal data of corporate customers’ private clients or employees can be processed. In the European Union, protection of personal data is a basic right (Art. 8 Charter of Fundamental Rights of the European Union)³ and protected by the Data Protection Directive (Directive 95/46/EC). In future, the Data Protection Directive will be replaced by the upcoming General Data Protection Regulation (GDPR), which is not expected to happen before 2017.⁴ In this thesis, the investigations will focus on current data protection law, but changes made by the upcoming regulation are also considered where applicable.

The Data Protection Directive is implemented by the national data protection acts of each member state. In Germany it is generally the BDSG which regulates the processing of personal data by public bodies and authorities of the federal government and non-public agencies. Additionally, there exist data protection laws in each federal state regulating data processing by its public bodies and authorities. However, there are special laws regulating data protection within a specific context which have priority over the BDSG (§1 para. 3 cl. 1 BDSG). For example, personal data within electronic communication, i.e., customer data, traffic data, usage data, and content data, are protected by the Telemediengesetz (TMG), primarily implementing the Directive on Electronic Commerce (Directive 2000/31/EG) – the latter explicitly does not cover data protection (Art. 1 para. 5 lit. b Directive on Electronic Commerce)⁵ – and the Telekommunikationsgesetz (TKG) implementing in particular the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). In electronic communication, the protection of content data (i.e., the confidentiality of the communications, Art. 5 Directive on Privacy and Electronic Communications)¹ and the protection of location data other than traffic data (Art. 9 Directive on Privacy and Electronic Communications) are regulated separately.

¹ Established by the NIST [140] and originally defined by the United States Government Accountability Office [209]: “any information about an individual [...], including (1) any information that can be used to distinguish or trace an individual’s identity [...]; and (2) any other information that is linked or linkable to an individual [...].”

² In Germany, there is an ongoing legal discussion about whether personal identifiability is measured by the scope of the controller/processor (i.e., subjective scope) or by the general possibility (i.e., objective scope) [28, ch. 1 §3 III.1]. On European level, the Article 29 Working Party stated [11, pp. 15 seqq.] that “a mere hypothetical possibility to single out the individual [sic!] is not enough to consider the person as identifiable”, that the purpose of data processing is “one relevant factor [...] for assessing all the means likely reasonably [sic!] to be used either by the controller or by any other person” and that a “case-by-case analysis should be carried out”. This generally supports the subjective scope but does not necessarily exclude the objective, particularly not for purposes including admissible transfer to third parties. Then again, cloud computing can provide a large variety of means for identifying individuals including access to additional information sources and data mining tools on demand [164], where the use of these means becomes more likely. In this thesis, the applicability of the large scope (i.e., generally identifiable) is assumed since case-by-case analyses are beyond the scope of this thesis and legal certainty is generally provided due to being compliant with the most general case. This is in conformance with the recommendation by Brennscheidt [28, ibid.] and the definition on linkability of personally identifiable information by the NIST [140, ch. 2.1].

³ In the European Economic Area (EEA), this right is established by Art. 8 European Convention on Human Rights which covers privacy generally and particularly data protection in correspondence to the ECtHR’s interpretation (decision dated 13.11.12, application no. 24029/07, recital 187).

⁴ The regulation has not yet been finalised (June 2015), and will apply two years after coming into force (Art. 91 GDPR). At that point the regulation will become directly applicable (Art. 288 para. 2 TFEU) and replace all national data protection law. Particularly in Germany, many sectoral regulations will become obsolete [104].

⁵ This is the reason that the TMG implements the Data Protection Directive only for tele-media services (accommodating the priority of TMG’s area specific regulations on data processing over the BDSG), which usually are information society services (according to Directive 2000/31/EC).

Furthermore, in the context of German social security services, personal data are protected by the Sozialgesetzbücher (SGB), and moreover, personal data are protected by the StGB if there are obligations of professional secrecy (§203 StGB in association with Art. 8 para. 3 Data Protection Directive). Additionally, personal data that are given to a German finance authority, i.e., tax data, are protected by tax secrecy regulations according to §30 AO. Brennscheidt mentions that there exists a large number of area specific regulations on data protection in Germany [28, ch. 1 §3 III.4.c].

Encrypted personal data are considered personal data that are encrypted using a secure² cipher algorithm. At least in German legislation, it is an open question whether encrypted personal data are still protected by data protection law [28, ch. 1 §3 III.1]. A hypothesis formulated by Spies [188] is that data protection law generally applies on transfer of encrypted personal data into the cloud, unless the cloud provider proves that the data are encrypted and that only the data subject can access the data (with the key necessary for decryption). Spies argues that encrypted personal data may not be considered personal data but anonymised data (according to §3 para. 6 BDSG). Current investigations by Brennscheidt indicate that the discussion is still open but there are strong arguments³ for considering encrypted personal data still protected by data protection law. At a European level, the Article 29 Data Protection Working Party considers “encryption with secret key” pseudonymisation which “when used alone will not result in an anonymous dataset” since it “reduces the linkability” and, therefore, is “a useful security measure but not a method of anonymisation” [12, ch. 4]. This is also in conformance with the NIST’s definition of the linkability of personally identifiable information [140, ch. 2.1]. Consequently, in this thesis, personal data are considered continuously protected by data protection law whether they are encrypted or not.

Business data are data associated with an organisation and usually contain trade secrets. In clouds, business data of corporate customers and corporate clients of a corporate customer might be processed as well as business data from software providers, hardware providers, service providers and cloud providers themselves. Business data are usually protected by non-disclosure agreements (NDAs) in business contracts. Particularly the outsourcing contract between cloud provider and corporate customer may contain NDAs. There are additional requirements for data processing that may apply to business data for specific contexts. For example, in Germany, business data are protected against disclosure by §203 StGB if there are obligations of professional secrecy and in the context of unfair competition (§§17, 18 Gesetz gegen den unlauteren Wettbewerb (UWG)).

¹ In Germany, content data are protected by the BDSG and, in the context of telecommunication, also by the secrecy of telecommunication according to §88 TKG.

² In the sense of using current cipher algorithms with sufficient key lengths, which are adequate to protection requirements and period of usage according to existing recommendations [85].

³ According to Brennscheidt [28, ch. 1 §3 III.1]: Encryption is a necessary safeguard which shall not change the data themselves. Further, decryption might be possible in the future without the necessary key due to progress in breaking the cipher. Additionally, the applicability of data protection law may change during processing – due to encryption and decryption – resulting in unpredictability of the effective protection, which is to the data subject’s disadvantage.

Property right protected data are data that contain (or represent) intellectual property and, therefore, are protected by intellectual property right and copyright law. The applicable requirements on processing property right protected data depend on multiple factors including applicable property rights and used license models. In particular, in the context of IaaS, dealing with intellectual property can be complex, especially if corporate customers utilise licensed software [102, part 3 recital 143]. Also, the lawfulness of temporal duplication in clouds is discussed controversially [102, part 3 recital 151], which is particularly relevant for the cloud provider when migrating virtual resources or creating backups. Due to this complexity, a case-by-case analysis of property rights and their impact on outsourcing data processing to the cloud is necessary, which is beyond the scope of this thesis. Therefore, property right protected data and their processing in the cloud are not further investigated in this thesis. Possibilities for applying methods identified in this thesis to processing of property right protected data are discussed in the outlook (cf. Section 7.3).

Unprotected data are the remainder of all data that are not considered personal data, business data, or property right protected data. The collection and processing of such data are unregulated and basically legal. Therefore, they can be processed freely and without any additional requirements in the cloud. Before marking data unprotected, the cloud providers should clarify that neither legal norms nor specific legal requirements apply. In particular, it is possible for unprotected data to become personal data, for example by linking unprotected data with a person. In general, unprotected data can be processed any time in the cloud whether safeguards are applied or not. Therefore, they are not further investigated in this thesis.
