Data protection : accountability in cloud computing

Abstract

This thesis delves into the efficiency of an accountability-based approach to data protection in the cloud. Potential users and customers are hesitant to embrace the cloud and enjoy its various benefits due to an inherent distrust and concern for their personal data. The protection of personal data has emerged as a fundamental right in recent years concurrently with technological developments. The cloud computing environment poses certain challenges to effective data protection. As it is recognised today, cloud computing interrupts the usual awareness of whom is processing data and where, due to the possibility of a complex cloud architecture. In order to encourage confidence in the cloud and unlock its potential and revenue, the EU has led numerous initiatives such as the European Cloud Strategy. The EU has also made great strides in data protection legislation with the General Data Protection Regulation applying from 2018, repealing the current legal framework. Accountability mechanisms are woven into the regulation which applies to any processing of personal data. The GDPR modifies existing accountability relationships and creates new ones. Accountability is embedded into the provisions relating to controllers and processors. However, the GDPR is not a cloud-specific legislation and certain provisions do not lend themselves to a cloud environment. The architecture of service types and deployment models in the cloud create certain difficulties in the practical application of the GDPR. Other accountability mechanisms are necessary such as codes of conduct, privacy policies, terms of service and contracts, in order to foster confidence in the cloud and the realisation of a Digital Single Market.