COMPLIANCE OF THE PRIVACY REGULATIONS IN AN INTERNATIONAL EUROPE-BRAZIL CONTEXT
Rita Meneses, TRUST IT
Regina Moraes, University of Campinas
Vasiliki Diamantopoulou, University of Piraeus
Ignacio Blanquer, Polytechnic University of Valencia
Challenges in the protection of personal data in cloud services environments
■ Globalisation of service providers
■ Use of complex provider APIs
■ Lack of knowledge of the backends
■ Combination of multiple providers
– Services
– Resources
– Network
– …
■ Multiple regulations
Common ground
■ Establishment of the fundamental right of privacy for data subjects
■ Rules for processing of personal data (with special protection for sensitive data and minors’ data)
■ Extra-territorial application
■ Consent of data subjects (as one of the legal grounds for lawful processing)
■ Strict fines for non-compliance
– EU: 4% of turnover, or ~23M USD
– BR: 2% of turnover, or ~12.9M USD
Differences
■ Retention period
– EU: no specific time, or focus on specific applications, pending e-Privacy regulation
– BR:
■ Telephone records and personal data: 5 years
■ Internet connection logs: 1 year
Application of the two regulations
■ Participants in international EU-Brazil collaboration projects face both regulations
■ Identifying the common ground and the discrepancies is crucial for the lawful processing of personal data
The Atmosphere project
■ Focus on trustworthy federated clouds for critical applications (e.g., medical sector)
■ Analysis of trustworthiness attributes:
– Security
– Privacy
– Isolation
– Stability
– Fairness
– Transparency
– Dependability
Atmosphere towards lawful processing in this context
1. Deployment of a federated infrastructure
2. Implementation of a privacy metric, providing a quantitative mechanism to evaluate the inherent privacy and the re-identification risk of an anonymised data set
3. Provision of measures for fairness and transparency
International data transfers
Application of the same privacy techniques as for critical data
Lawful processing and non-discrimination
Contribution of Atmosphere
1. Generation of quantitative evidence of the privacy risks
– Provision of monitoring evidence of the trustworthiness of the services
– Restriction of access to sensitive data to highly trustworthy services
2. Adoption of advanced techniques to reduce the vulnerabilities
– Techniques based on execution in encrypted memory areas through the SGX extensions
– Untrusted cloud infrastructures can be used without increasing the risk of information disclosure
3. Consideration of transparency and fairness at the same level as other properties
– Provision of trustworthiness scores on complex matters (e.g. how ethical a service could be, by analysing the bias of specific critical data)
– Information about how a data profiling decision is taken
Thank you for your attention…
Contact me:
vdiamant@unipi.gr
