Data protection and privacy-related implications of a migration to the cloud – Roundtable

Participants:

David Dab, National Technology Officer Microsoft Belux
Laurent Bounameau, DPO & Cyber Security Advisor (CISO) Federal Police Belgium
Magali Feys, IP, IT & Data Protection Lawyer AContrario.Law
Bojan Spasic, Cyber Security Technology Partner Manager SWIFT
Moderator: Bruno Wattenbergh, Chairman of the EY Belgium Innovation Board Professor of Strategy & Entrepreneurship at Solvay Business School

Yes, modern cloud environments are in most cases the safest and/or most secure place, because of automation, focus on operational security and more. But…. Lawsuits as Schrems II threw a wrench in the practice of international data transfers, because of location and ownership of cloud infrastructure centers. Plenty of norms and standards insure physical reliability and more of cloud environments, but privacy-wise the (legal) debate is still going on. More specifically, users should consider cloud ‘safety’ of ‘security’ from the point of view of ‘what are my risks?’ or ‘what is the right set-up in my case?’ That fits within the inherent ‘risk-based’ nature of the European privacy law GDPR.

Does the GDPR kill off innovation as e.g. provided by cloud environments? Not quite. GDPR demands data-protection in solutions and environments ‘by design’ and ‘by default’, and to be careful when handling personal data. Provided all necessary security elements are implemented, cloud environments can provide a faster way to ISO 27001 security compliance than going for this certification on premise (e.g., by more easily keeping up with changes in systems, perimeter etc.). In short, the GDPR is a non-technical answer to a technology problem, and it’s now up to technology to continue innovating.

Innovation
Much privacy-enhancing technology is already in place, as encryption of data in transit and at rest. New developments target trust and confidentiality during processing by means of ‘computational encrypted data’ (homomorphic encryption), preventing leaks in memory. This kind of computing may be ultimately preferable to the (allowed by GDPR) technique of pseudonymization (the latter being subject of conflicting views at this roundtable). Other possibilities include processing without exchanging data, differential privacy (i.e. publicly sharing info about a dataset by describing the patterns of groups, while withholding info about individuals) and synthetic data generation (i.e. creating a subset of anonymized data). Also, more attention should be paid to the exact nature of data an application requires (e.g., an application counting people in streets for crowd control does not need actual images of the people, but only clear contours of those people).

New threats will require yet other innovations, as against attacks through machine learning (e.g. by poisoning the data set used to train the application) and AI (e.g. de-anonymization).
Actually, even privacy-enhancing technology may impact the privacy rights of a data subject. For instance, if somebody’s data has been rendered anonymized and included in a data set, it becomes impossible to enforce this person’s right that his data may not be used in machine learning.
Clearly, this roundtable presented an interesting and heady brew mix of technological and privacy concerns, going way beyond the specific subject of migration to the cloud. Well worth to be viewed again!