Informational Self Determination in Cloud Computing. Data Transmission and Privacy with Subcontractors

Table of Contents

1 Foundation for Privacy Protection in Cloud Computing

1.1 Business Opportunity Cloud Computing

1.2 Private Persons Paradoxical Behaviour

1.3 Legal Framework in the EU

1.4 Legal Framework in Germany

2 Application Area

2.1 Personal Scope

2.1.1 Anonymous Data

2.1.2 Pseudonymised Data

2.1.3 Encrypted Data in Cloud Computing

2.1.4 Interim Conclusion to the Personal Scope

2.2 Geographical Applicable Law

2.2.1 ECJ Decisions on the Geographical Scope

2.2.2 Interim Conclusion to the Geographical Scope

3 Data Processing Legitimacy

3.1 Consents in Cloud Computing

3.2 Lawful Personal Data Processing based on Contracts

3.2.1 Distinction between Contract Data Processing and Functional Transmission

3.2.2 Privileged Contract Data Processing

3.3 Data Processing within the EU including Subcontractors

3.4 Practical Assessment of the Legitimacy Criteria in Cloud Computing

3.5 Interims Conclusion to Chapter 3

4 Data Transmission Outside the EU

4.1 Legal Foundation

4.2 International Agreements

4.3 Data transfer to Countries Outside the EU with an Unsatisfactory Data Protection Level

4.3.1 Standard Contractual Clauses

4.3.2 Binding Corporate Rules

4.4 Interim Conclusion to Chapter 4

5 Personal Data Transmission to Unsecure Non-EU Countries Including Subcontractors

5.1 Non-EU Country Cloud Provider and Subcontractor

5.2 EU Cloud Providers and Non-EU Subcontractors

5.3 Non-EU Cloud Providers, EU Subcontractors

5.4 Interim Conclusion to Chapter 5

6 Informational Self-Determination Potential for Improvements in the Cloud Computing Chain

6.1 Technical and Organisational Potential for Improvements

6.2 Technical Potential for Improvements to Support the Law

6.2.1 Consent

6.2.2 Principle of Transparency

6.2.3 Principle of Purpose Limitation

6.2.4 Principle of Necessity

6.3 Economic and Political Potential for Improvements

6.4 Potential for Improvements through Self-Security

7 Informational Self-determination recognition in the new regulation

7.1 Application Area

7.1.1 General Provisions

7.1.2 Personal and material scope

7.1.3 Territorial Scope

7.2 Legitimation Scope of Personal Data Protection

7.2.1 Consent

7.2.2 Contract Data Processing

7.3 Cloud User and Cloud Provider Roles and Obligation in Subcontractor Chains

7.4 Data Transmission into Non-EU countries with Subcontractors

7.5 Interim Conclusion to Chapter 6 and 7

Objectives and Topics

The primary objective of this work is to analyze the legal constraints of European data protection regulations, specifically regarding the right to informational self-determination in the context of cloud computing and complex subcontractor chains. The research explores the effectiveness of existing data protection directives in safeguarding personal data when distributed across secure and unsecure third countries, and evaluates the potential of newly proposed regulations to resolve these issues.

• The challenges of maintaining privacy and informational self-determination in cloud computing environments.
• Legitimation criteria for data processing and transmission in cloud scenarios.
• Legal and geographical scope of data protection across EU and non-EU jurisdictions.
• The role and liability of cloud providers, users, and subcontractors in data processing chains.
• Proposed technical and organizational improvements for enhanced data security and legal compliance.

Excerpt from the Book

Summary of Chapters

Foundation for Privacy Protection in Cloud Computing: This chapter introduces the economic importance of cloud computing and the subsequent legal and privacy challenges regarding the protection of citizen data on the internet.

Application Area: This section defines the scope of data protection regulation by discussing the personal and geographical dimensions, and the technical challenges of identifying personal data in cloud environments.

Data Processing Legitimacy: This chapter analyzes the legal requirements for data processing, focusing on consent mechanisms and contract-based data processing within cloud infrastructures.

Data Transmission Outside the EU: This part examines the legal foundations and international agreements necessary for transferring personal data to countries outside the European Union.

Personal Data Transmission to Unsecure Non-EU Countries Including Subcontractors: This chapter explores the complexities and requirements for lawfully processing personal data when subcontractors in unsecure third countries are involved.

Informational Self-Determination Potential for Improvements in the Cloud Computing Chain: This chapter suggests technical, political, and economic measures to improve the effectiveness of data protection and to support the rights of the data subject.

Informational Self-determination recognition in the new regulation: This final analytical chapter cross-checks the provisions of the 2015 General Data Protection Regulation proposal against the existing gaps and identified challenges in the current directive.

Keywords

Cloud Computing, Informational Self-Determination, Data Protection, GDPR, Privacy, Subcontractors, Data Transmission, European Law, Personal Data, Consent, Transparency, Purpose Limitation, IT Security, Cloud Providers, Data Subjects

Frequently Asked Questions

What is the primary focus of this paper?

The paper examines how current European data protection laws address the challenges of maintaining informational self-determination for individuals when their data is processed in complex, cross-border cloud computing environments involving multiple subcontractors.

What are the central themes discussed?

Key themes include the legal legitimation of data processing, the geographical reach of data protection laws, the effectiveness of contractual safeguards, and the tension between economic innovation in cloud services and the fundamental right to privacy.

What is the central research question?

The research investigates whether existing European directives provide sufficient privacy security for data subjects in cloud computing and how upcoming regulations might bridge identified gaps to better protect informational self-determination.

Which scientific methods are employed?

The author performs a systematic legal analysis, comparing existing directives (EC/95/46) with the then-proposed General Data Protection Regulation (GDPR) and evaluates specific cloud computing scenarios and case studies.

What is covered in the main section?

The main section details the legal foundations of data privacy in the EU and Germany, analyzes personal and geographical scope, scrutinizes legitimation criteria, and evaluates various cloud scenarios involving transfers to third countries.

Which keywords characterize this work?

Relevant keywords include Cloud Computing, Informational Self-Determination, Data Protection, GDPR, Privacy, Subcontractors, Data Transmission, European Law, and Personal Data.

How are subcontractors handled in the current legal framework?

The text explains that subcontractors often receive access to personal data during cloud maintenance, and the paper highlights the legal requirements for including them via written contracts and maintaining consistent security standards.

How does the author evaluate the new 2015 regulation proposal?

The author views the 2015 Council proposal as a comprehensive and complex solution that addresses many previous shortcomings by introducing clearer rules for technical measures, supervisory independence, and enhanced data subject rights.