Data protection and privacy-related implications of a migration to the cloud – Roundtable


David Dab, National Technology Officer Microsoft Belux
Laurent Bounameau, DPO & Cyber Security Advisor (CISO) Federal Police Belgium
Magali Feys, IP, IT & Data Protection Lawyer AContrario.Law
Bojan Spasic, Cyber Security Technology Partner Manager SWIFT
Moderator: Bruno Wattenbergh, Chairman of the EY Belgium Innovation Board Professor of Strategy & Entrepreneurship at Solvay Business School

So, your company has decided to make ICT life easier by migrating to the cloud. Easy pie, just ring a reputable cloud provider? Unfortunately, there may be some data protection and privacy hurdles to jump, as we learned at the 2021 Belgian Cyber Security Convention (BCSC).

Yes, modern cloud environments are in most cases the safest and/or most secure place, because of automation, focus on operational security and more. But…. Lawsuits as Schrems II threw a wrench in the practice of international data transfers, because of location and ownership of cloud infrastructure centers. Plenty of norms and standards insure physical reliability and more of cloud environments, but privacy-wise the (legal) debate is still going on. More specifically, users should consider cloud ‘safety’ of ‘security’ from the point of view of ‘what are my risks?’ or ‘what is the right set-up in my case?’ That fits within the inherent ‘risk-based’ nature of the European privacy law GDPR.

Does the GDPR kill off innovation as e.g. provided by cloud environments? Not quite. GDPR demands data-protection in solutions and environments ‘by design’ and ‘by default’, and to be careful when handling personal data. Provided all necessary security elements are implemented, cloud environments can provide a faster way to ISO 27001 security compliance than going for this certification on premise (e.g., by more easily keeping up with changes in systems, perimeter etc.). In short, the GDPR is a non-technical answer to a technology problem, and it’s now up to technology to continue innovating.

Much privacy-enhancing technology is already in place, as encryption of data in transit and at rest. New developments target trust and confidentiality during processing by means of ‘computational encrypted data’ (homomorphic encryption), preventing leaks in memory. This kind of computing may be ultimately preferable to the (allowed by GDPR) technique of pseudonymization (the latter being subject of conflicting views at this roundtable). Other possibilities include processing without exchanging data, differential privacy (i.e. publicly sharing info about a dataset by describing the patterns of groups, while withholding info about individuals) and synthetic data generation (i.e. creating a subset of anonymized data). Also, more attention should be paid to the exact nature of data an application requires (e.g., an application counting people in streets for crowd control does not need actual images of the people, but only clear contours of those people).

New threats will require yet other innovations, as against attacks through machine learning (e.g. by poisoning the data set used to train the application) and AI (e.g. de-anonymization).
Actually, even privacy-enhancing technology may impact the privacy rights of a data subject. For instance, if somebody’s data has been rendered anonymized and included in a data set, it becomes impossible to enforce this person’s right that his data may not be used in machine learning.
Clearly, this roundtable presented an interesting and heady brew mix of technological and privacy concerns, going way beyond the specific subject of migration to the cloud. Well worth to be viewed again!

You can (re)watch the roundtable clicking on this link. The  recording can be found in the section 7 – Belgian Cyber Security Convention.

Andere blogposts

NIS-2: Where are you?

In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.  

SANS Experience Sharing Event

The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.

Privacy Focus Group – Practical AI Use Cases

It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.

Deel deze nuttige inhoud met vrienden: