Cloud Legal Project

You can view the list of full text QMUL Cloud Legal Project papers, and their download links, on our Research pages.

Other Cloud Legal Project links of interest:

• Response to Justice Select Committee's Call for Evidence on the EU Data Protection Framework Proposal
  17 August 2012. The written evidence of the CLP is also available as part of the Official Committee Report, available here.
• Ministry of Justice Summary of Responses to the Call for Evidence on the proposed EU Data Protection Legislative Framework, 28th June 2012. 
• Cloud Legal Project response to the Ministry of Justice Call for Evidence on the European Commission's data protection proposals.
• Cloud Legal Project response to the European Commission's 2011 cloud computing consultation
• Cloud Legal Project response to European Commission Cloud Computing Consultation

EU

Article 29 Data Protection Working Party Opinion 05/2012 on Cloud Computing, adopted July 1st 2012

European Commission's cloud computing developments page, including notes of Dec 2011 hearings with telecommunications/web hosting industry, SMEs and "user industries".

European Commission's Cloud Computing: Public Consultation Report, 5 Dec 2011, and Industry Recommendations to Vice President Neelie Kroes on the Orientation of a European Cloud Computing Strategy, Nov 2011 (Annexes; Commission press release 14 Dec 2011), following the European Commission's consultation on cloud computing, 16 May 2011.

Some relevant EU regulations / regulators' or legislators' views etc
- in reverse chronological order

Spain: AEPD consults on cloud computing - press release, 28 Dec 2011; consultation (closes 27 Jan 2012)

France: CNIL consults on cloud computing - press release, 17 Oct 2011 with link to the consultation document

Sweden: Datainspektionen (all documents in Swedish) - 

• press release on the risks of cloud contracts and cloud contract terms, 30 Sept 2011
• Cloud computing and Personal Data Act (guidance), Sept 2011
• decisions on:
  • Salem Municipality (Google Apps, a SaaS service), 28 Sept 2011
  • Enköpings Municipality (Dropbox, a file storage/sharing SaaS service built on Amazon Web Services IaaS), 28 Sept 2011
  • Brevo (an electronic mailbox SaaS service built on Microsoft Windows Azure PaaS), 28 Sept 2011

European Data Protection Supervisor: Data protection and security - the EU approach, Giovanni Buttarelli, Sept 2011

Germany: Entschließung der 82. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Datenschutzkonforme Gestaltung und Nutzung von Cloud-Computing, 28/29 Sept 2011 and Orientierungshilfe – Cloud Computing der Arbeitskreise Technik und Medien der Konferenz der Datenschutzbeauftragten des Bundes und der Länder Version 1.0 Stand 26.09.2011 (guidance on cloud computing and data protection law)

• See also Germany’s Federal Office for Information Security (BSI) White Paper, Security Recommendations for Cloud Computing Providers (Minimum information security requirements), June 2011

Netherlands: Public procurement in ICT services - question to European Parliament by Sophia in 't Veld regarding Dutch minister's statement on US Patriot Act, 27 Sept 2011

France: CNIL facilitates the use of outsourcing services performed in France on behalf of non-European companies, press release 15 Mar 2011 (which links to the full text of the exemption, in French)

Denmark: Datatilsynet (Danish Data Protection Agency), Processing of sensitive personal data in a cloud solution (on use of Google Apps), 3 Feb 2011

• See also the terms of the Odense Google Apps agreement, Nov 2010

Germany: Dr Thilo Weichert (Schleswig-Holstein), Cloud Computing & Data Privacy, English translation Feb 2011

UK: Information Commissioner's Office, Personal Information Online Code of Practice, Jul 2010

        Summary of Key Points from ICO Cloud Event 27 Feb. 2012

Germany: Decision by the supreme supervisory authorities for data protection in the nonpublic sector on 28/29 Apr 2010 in Hannover [revised version of 23 Aug 2010], Examination of the data importer’s self-certification according to the Safe-Harbor-Agreement by the company exporting data

European Data Protection Supervisor: Data Protection and Cloud Computing under EU Law, Peter Hustinx, Apr 2010

Norway: The Norwegian Data Protection Authority has reviewed the use of cloud computing services at the municipalities of Narvik and Moss. The conclusion is that the Data Protection Authority will allow use of the services. For further information see here.

Organisations

• Cloud Standards Customer Council
• Cloud Security Alliance
• The Cloud Industry Forum 
• Eurocloud and Eurocloud UK
• Open Cloud Initiative (OCI)
• The Open Computing Alliance 
• Open Data Center Alliance

Other Selected Papers (in reverse chronological order under each sub-heading; not comprehensive)

• ENISA (European Network and information Security Agency)
  • Jan 2011 - Security & Resilience in Governmental Clouds: Making an informed decision (PDF) 
  • Nov 2009 -
    • Cloud Computing Risk Assessment "Benefits, risks and recommendations for information security"
    • Cloud Computing - An SME perspective - Survey
    • Cloud Computing - Information Assurance Framework
• UK G-Cloud (government use of cloud computing)
  • Added Jan 2012 - 
    • Official UK G-Cloud site - including UK Government Cloud Strategy (sub strategy of Government ICT Strategy Mar 2011)
    • Cabinet Office Standards Hub challenges include browser access to G-Cloud and data transfer to G-Cloud.
    Nov 2011 -
    • UK G-Cloud Twitter page
    • Buying Solutions page on G-Cloud - including
      • Supplier questions and answers regarding the procurement, published 24 11 Nov 12 Dec 2011, and also Q&A on the draft Framework Agreement's terms
      • ApplyCamp slides and video, 22 Nov 2011
  • Oct 2011 -
    • Government Cloud Strategy, Oct 2011
    • G-Cloud framework contract notice, 22 Oct 2011 - 
      • OJEU on TED; 
      • on UK Buying Solutions portal (no direct link possible, click "View current opportunities and notices"; registration necessary to view documents)
      • G-Cloud 'Simple' Procurement Instructions, Nov Oct 2011 - short guide for prospective suppliers, provides a concise overview that's useful not just to providers
    • Press release on ICT strategy, 21 Oct 2011; and UK Government ICT Strategy resources page linking to documents including -
      • Government ICT Strategy and 
      • Government ICT Strategy - Strategic Implementation Plan
  • Feb 2011 - reports on Phase 2 of the G-Cloud Programme
• US National Institute of Standards and Technology (NIST) cloud computing program (with cloud collaboration site)
  • Guidelines on Security and Privacy in Cloud Computing, SP 800-144, Jan 2012
  • US Government Cloud Computing Technology Roadmap:
    •  Volume I High-Priority Requirements to Further USG Agency Cloud Computing Adoption, NIST Special Publication 500-293, Release 1.0 (Draft), Nov 2011
    • Volume II Useful Information for Cloud Adopters - NIST Special Publication 500-293, Release 1.0 (Draft), Nov 2011
    • Technical Considerations for USG Cloud Computing Deployment Decisions - working draft only, to become Vol III
  • Challenging Security Requirements for US Government Cloud Computing Adoption, First Working Draft, 31 Oct 2011 - 'to provide an overview of the high-priority security and privacy challenges perceived by Federal agencies as impediments to the adoption of the Cloud Computing... provides description of existing mitigations, or if no mitigations were identified, descriptions of ongoing efforts that could lead to mitigations. In the cases where no ongoing efforts were identified, the document makes recommendations for mitigation.'
  • A NIST Definition of Cloud Computing, Oct 2011
  • What's next?, Sept 2011
  • NIST Cloud Computing Reference Architecture, NIST SP - 500-292, 8 Sept 2011
  • NIST Cloud Computing Standards Roadmap, NIST-SP 500-291, 10 Aug 2011
  • Inventory of Standards Relevant to Cloud Computing
  • draft NIST Cloud Computing Synopsis and Recommendations, SP 800-146, May 2011 - for comment by 13 June 2011
  • draft definition of cloud computing, SP 800-145, Feb 2011
  • draft Guidelines on Security and Privacy in Public Cloud Computing, SP 800-144, Feb 2011
  • Guide to Security for Full Virtualization Technologies, SP 800-125, Feb 2011
  • Useful info for cloud adopters
• US G-Cloud
  • US Federal Cloud Computing Strategy, Feb 2011
  • Proposed Security Assessment & Authorization for U.S. Government Cloud Computing, draft version 0.96, Nov 2010, CIO Council (FedRAMP)
  • Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies, Privacy Committee, CIO Council, Aug 2010
  • Cloud Computing: Benefits and Risks of Moving Federal IT into the Cloud, Vivek Kundra, Jul 2010
  • State of Public Sector Cloud Computing, Vivek Kundra, May 2010