The paper analyses the constraints of the current European directive on data protection regarding the free and active exercise of the right to informational self-determination in cloud computing with subcontractor chains.
The analysis focuses in particular on the personal and geographical scope of the protection of personal data, and on the legitimation of data processing with regard to data transmission into secure and unsecure third countries with subcontractor involvement. It critically analyses whether the options under which it is possible to process personal data deliver sufficient privacy security in cloud computing. Furthermore, the paper examines the effectiveness and the consequences of possible legitimation of processing personal data in cloud computing. It also considers the legitimation options for including subcontractors in complex cloud computing landscapes in secure and unsecure third countries. The positions of the data subject and the cloud user, and their chances of exercising their rights of informational self-determination in distributed cloud computing landscapes, are critically examined.
Based on the multiple challenges that personal data faces in complex cloud computing landscapes, various potential improvements addressed to different actors emphasise the necessity to reduce the risk to the data subject's informational self-determination in cloud computing.
Finally, the recent regulation on general data protection that was published by the Council on 11th June 2015 will be cross-checked against the identified gaps of the currently existing data protection directive, with an emphasis on the requirements to achieve informational self-determination.
Table of Contents
1 Foundation for Privacy Protection in Cloud Computing
1.1 Business Opportunity Cloud Computing
1.2 Private Persons Paradoxical Behaviour
1.3 Legal Framework in the EU
1.4 Legal Framework in Germany
2 Application Area
2.1 Personal Scope
2.1.1 Anonymous Data
2.1.2 Pseudonymised Data
2.1.3 Encrypted Data in Cloud Computing
2.1.4 Interim Conclusion to the Personal Scope
2.2 Geographical Applicable Law
2.2.1 ECJ Decisions on the Geographical Scope
2.2.2 Interim Conclusion to the Geographical Scope
3 Data Processing Legitimacy
3.1 Consents in Cloud Computing
3.2 Lawful Personal Data Processing based on Contracts
3.2.1 Distinction between Contract Data Processing and Functional Transmission
3.2.2 Privileged Contract Data Processing
3.3 Data Processing within the EU including Subcontractors
3.4 Practical Assessment of the Legitimacy Criteria in Cloud Computing
3.5 Interim Conclusion to Chapter 3
4 Data Transmission Outside the EU
4.1 Legal Foundation
4.2 International Agreements
4.3 Data transfer to Countries Outside the EU with an Unsatisfactory Data Protection Level
4.3.1 Standard Contractual Clauses
4.3.2 Binding Corporate Rules
4.4 Interim Conclusion to Chapter 4
5 Personal Data Transmission to Unsecure Non-EU Countries Including Subcontractors
5.1 Non-EU Country Cloud Provider and Subcontractor
5.2 EU Cloud Providers and Non-EU Subcontractors
5.3 Non-EU Cloud Providers, EU Subcontractors
5.4 Interim Conclusion to Chapter 5
6 Informational Self-Determination Potential for Improvements in the Cloud Computing Chain
6.1 Technical and Organisational Potential for Improvements
6.2 Technical Potential for Improvements to Support the Law
6.2.1 Consent
6.2.2 Principle of Transparency
6.2.3 Principle of Purpose Limitation
6.2.4 Principle of Necessity
6.3 Economic and Political Potential for Improvements
6.4 Potential for Improvements through Self-Security
7 Informational Self-determination recognition in the new regulation
7.1 Application Area
7.1.1 General Provisions
7.1.2 Personal and material scope
7.1.3 Territorial Scope
7.2 Legitimation Scope of Personal Data Protection
7.2.1 Consent
7.2.2 Contract Data Processing
7.3 Cloud User and Cloud Provider Roles and Obligation in Subcontractor Chains
7.4 Data Transmission into Non-EU countries with Subcontractors
7.5 Interim Conclusion to Chapter 6 and 7
Objectives and Topics
The primary objective of this work is to analyze the legal constraints of European data protection regulations, specifically regarding the right to informational self-determination in the context of cloud computing and complex subcontractor chains. The research explores the effectiveness of existing data protection directives in safeguarding personal data when distributed across secure and unsecure third countries, and evaluates the potential of newly proposed regulations to resolve these issues.
- The challenges of maintaining privacy and informational self-determination in cloud computing environments.
- Legitimation criteria for data processing and transmission in cloud scenarios.
- Legal and geographical scope of data protection across EU and non-EU jurisdictions.
- The role and liability of cloud providers, users, and subcontractors in data processing chains.
- Proposed technical and organizational improvements for enhanced data security and legal compliance.
Excerpt from the Book
1.2 Private Persons Paradoxical Behaviour
In 2014, the protection of privacy on the Internet evolved into a political topic. Generally, the media and the majority of public opinion believe that the human being is transparent on the Internet and that it is impossible to avoid this, which announces the end of privacy. Consequently, the fulfilment of data protection in the digital world can be questioned. This underlines even more the need for technical, legal, and social consideration of data protection from the very beginning. However, the intensity of and desire for privacy are related to cultural considerations and vary from a country-specific perspective. For example, in the UK it is common practice to surveil public places. In Sweden, every citizen's income is public. In contrast, in Germany the desire for privacy protection is high. In a poll by the University of Hohenheim, 95% of every age range answered that their desire for privacy was important or very important. Privacy has been considered very important and worthy of being protected. The concern about losing privacy on the Internet has risen in recent years, although the publication of private data has also risen. Nevertheless, the German public is concerned about losing privacy on the Internet. “Privacy” based on the concept of the “right to be left alone” should be distinguished from the desire for privacy under the aspect of informational self-determination as the basis of a democratic and self-controlled communication structure. Informational self-determination follows the notion of securing, enabling, and establishing self-determined communication. The aim is neither to hamper business opportunities nor to avoid or reduce communication, but to support business development that respects data privacy and secures the data subject's right of informational self-determination.
Summary of Chapters
Foundation for Privacy Protection in Cloud Computing: This chapter introduces the economic importance of cloud computing and the subsequent legal and privacy challenges regarding the protection of citizen data on the internet.
Application Area: This section defines the scope of data protection regulation by discussing the personal and geographical dimensions, and the technical challenges of identifying personal data in cloud environments.
Data Processing Legitimacy: This chapter analyzes the legal requirements for data processing, focusing on consent mechanisms and contract-based data processing within cloud infrastructures.
Data Transmission Outside the EU: This part examines the legal foundations and international agreements necessary for transferring personal data to countries outside the European Union.
Personal Data Transmission to Unsecure Non-EU Countries Including Subcontractors: This chapter explores the complexities and requirements for lawfully processing personal data when subcontractors in unsecure third countries are involved.
Informational Self-Determination Potential for Improvements in the Cloud Computing Chain: This chapter suggests technical, political, and economic measures to improve the effectiveness of data protection and to support the rights of the data subject.
Informational Self-determination recognition in the new regulation: This final analytical chapter cross-checks the provisions of the 2015 General Data Protection Regulation proposal against the existing gaps and identified challenges in the current directive.
Keywords
Cloud Computing, Informational Self-Determination, Data Protection, GDPR, Privacy, Subcontractors, Data Transmission, European Law, Personal Data, Consent, Transparency, Purpose Limitation, IT Security, Cloud Providers, Data Subjects
Frequently Asked Questions
What is the primary focus of this paper?
The paper examines how current European data protection laws address the challenges of maintaining informational self-determination for individuals when their data is processed in complex, cross-border cloud computing environments involving multiple subcontractors.
What are the central themes discussed?
Key themes include the legal legitimation of data processing, the geographical reach of data protection laws, the effectiveness of contractual safeguards, and the tension between economic innovation in cloud services and the fundamental right to privacy.
What is the central research question?
The research investigates whether existing European directives provide sufficient privacy security for data subjects in cloud computing and how upcoming regulations might bridge identified gaps to better protect informational self-determination.
Which scientific methods are employed?
The author performs a systematic legal analysis, comparing existing directives (EC/95/46) with the then-proposed General Data Protection Regulation (GDPR) and evaluates specific cloud computing scenarios and case studies.
What is covered in the main section?
The main section details the legal foundations of data privacy in the EU and Germany, analyzes personal and geographical scope, scrutinizes legitimation criteria, and evaluates various cloud scenarios involving transfers to third countries.
Which keywords characterize this work?
Relevant keywords include Cloud Computing, Informational Self-Determination, Data Protection, GDPR, Privacy, Subcontractors, Data Transmission, European Law, and Personal Data.
How are subcontractors handled in the current legal framework?
The text explains that subcontractors often receive access to personal data during cloud maintenance, and the paper highlights the legal requirements for including them via written contracts and maintaining consistent security standards.
How does the author evaluate the new 2015 regulation proposal?
The author views the 2015 Council proposal as a comprehensive and complex solution that addresses many previous shortcomings by introducing clearer rules for technical measures, supervisory independence, and enhanced data subject rights.
- Cite this work
- Jutta Grosse Wichtrup (Author), 2015, Informational Self Determination in Cloud Computing. Data Transmission and Privacy with Subcontractors, Munich, GRIN Verlag, https://www.grin.com/document/309264