Compliance of the privacy regulations in an international Europe-Brazil context
- 1. COMPLIANCE OF THE PRIVACY REGULATIONS IN AN INTERNATIONAL EUROPE-BRAZIL CONTEXT
Rita Meneses, TRUST IT
Regina Moraes, University of Campinas
Vasiliki Diamantopoulou, University of Piraeus
Ignacio Blanquer, Polytechnic University of Valencia
- 2. Challenges in the protection of personal data in a cloud services environment
■ Globalisation of service providers
■ Use of providers' complex APIs
■ Lack of knowledge of the backends
■ Combination of multiple providers
– Services
– Resources
– Network
– …
■ Multiple regulations
- 4. Common ground
■ Establishment of the fundamental right of privacy for data subjects
■ Rules for processing of personal data (with special protection for sensitive data and minors’ data)
■ Extra-territorial application
■ Consent of data subjects (as one of the legal grounds for lawful processing)
■ Strict fines for non-compliance
– EU 4% of turnover, or ~23M USD
– BR 2% of turnover, or ~12.9M USD
- 5. Differences
■ Retention period
– EU: no specific time, or focus on specific applications, pending the e-Privacy regulation
– BR:
■ Telephone records and personal data: 5 years
■ Internet connection logs: 1 year
- 6. Application of the two regulations
■ Participants in international EU-Brazil collaboration projects face both regulations
■ Identifying the common ground and the discrepancies is crucial for the lawful processing of personal data
- 7. The Atmosphere project
■ Focus on trustworthy federated clouds for critical applications (e.g., medical sector)
■ Analysis of trustworthiness attributes:
– Security
– Privacy
– Isolation
– Stability
– Fairness
– Transparency
– Dependability
- 8. Atmosphere towards lawful processing in this context
1. Deployment of a federated infrastructure
2. Implementation of a metric for privacy, providing a quantitative mechanism to evaluate the inherent privacy and the re-identification risk for an anonymised data set
3. Provision of measures for fairness and transparency
International data transfers
Application of the same privacy techniques as of critical data
Lawful processing and non-discrimination
- 9. Contribution of Atmosphere
1. Generation of quantitative evidence of the privacy risks
– Provision of monitoring evidence of the trustworthiness of the services
– Restriction of access to sensitive data to highly trustworthy services
2. Adoption of advanced techniques to reduce the vulnerabilities
– Techniques based on execution in encrypted memory areas through the SGX extensions
– Untrusted cloud infrastructures can be used without increasing the risk of information disclosure
3. Consideration of transparency and fairness at the same level as other properties
– Provision of trustworthiness scores on complex matters (e.g. how ethical a service could be, by analysing the bias of specific critical data)
– Information about how a data profiling decision is taken
- 10. Thank you for your attention…
Contact me:
vdiamant@unipi.gr