I'm Christopher Millard, Professor of Privacy and Information Law at Queen Mary University of London, where I lead the Cloud Legal Project. I'm delighted to welcome you to this course on data protection and cybersecurity in the cloud. This is the second in our series of courses on cloud computing law.

Why is this important? As we saw in our course on cloud computing transactions, we use the cloud in everyday activities such as our work, our studies, commercial transactions, socializing, and much more. The provision and use of cloud services involve the processing of vast amounts of information relating to individuals. This information is often referred to as 'personal data'. In addition, societies are increasingly reliant on network and information systems, including cloud computing, for a broad range of essential services. As a result, IT infrastructure and services are now regarded as a significant area of systemic risk to be managed via legal and regulatory frameworks.

Let's look first at data protection. Most countries in the world now have laws which give individuals specific rights in relation to their personal information and also impose corresponding obligations on organizations which process such data. Most national data protection laws are based on one or more of a series of international harmonization measures that have been introduced to improve privacy protection while at the same time preempting or removing unjustified obstacles to transborder flows of personal data. Key international initiatives include OECD Guidelines from 1980, a Council of Europe Convention from 1981, the Asia-Pacific Cooperation's 2005 Privacy Framework, and various significant legislative interventions by the European Union, including the 1995 Data Protection Directive and the 2016 General Data Protection Regulation.

Data protection laws regulate the processing of personal data by giving rights to 'data subjects', the individuals whose data are being processed.
Obligations are imposed on 'controllers' of processing activities who must ensure that data subjects are treated fairly and that they can exercise various rights. Moreover, where a controller delegates the processing of personal data to another organization, that so-called 'processor' will also have obligations including to ensure that appropriate security is maintained. Data protection regulators, also called 'supervisory authorities', and courts may become involved to ensure that data subjects can exercise their rights effectively and to impose sanctions for breaches of the rules by controllers or processors.

Why focus on the General Data Protection Regulation? In this course, we will focus on the EU's General Data Protection Regulation, or GDPR, for three main reasons. First, the GDPR applies directly in 30 countries, comprising the 27 member states of the European Union and the three additional countries that with the EU make up the European Economic Area, or EEA. When we refer to EU data protection law, you can assume generally that the same rules will apply in the other EEA countries as well. That's just the beginning, however, as the GDPR has a long-arm reach or extraterritorial application that extends well beyond Europe. Indeed, the rules apply to processing that takes place anywhere on the planet in the context of an EEA establishment. This means, for example, that a company based in France may need to comply with the GDPR when it's using a cloud service in the United States. Moreover, the GDPR regulates processing by organizations based outside the EEA for purposes of offering goods or services to, or monitoring the behaviour of, individuals in the EEA. For example, a Chinese company that targets its services to customers in Germany or which monitors the activities of individual service users in Sweden may also be subject to the GDPR.
Second, the GDPR has established a complex regulatory framework that governs transfers of personal data from the EEA to so-called 'third countries'. This matters for cloud services since major cloud providers operate across national borders using networks of cloud servers located in data centres around the world. Moreover, cloud customers may be located anywhere.

The third reason the GDPR merits careful consideration is because it's having an impact on the development of data protection laws worldwide. From Brazil to Japan, and from California to Kenya, you can now find laws that are aligned in key respects with the GDPR. Indeed, many countries aspire to join a list of countries that the European Commission has designated as providing an 'adequate level of protection' for transfers of personal data from the EU.

What will this course cover? This course consists of three weeks. Each week, you'll spend around four to six hours learning. That includes watching videos, reading materials, and answering quiz questions. We'll start by looking at the obligations imposed by the GDPR on cloud customers and service providers, and we'll consider the ways in which they depend on each other to achieve and demonstrate compliance. This is the focus of Week 1. Then we'll unpack the detailed GDPR rules that apply to transfers of personal data outside the EEA and examine the legal mechanisms, or instruments, which cloud customers and providers may be able to rely on to legitimize such transfers. That's the focus of Week 2. In Week 3, we'll turn to issues of cybersecurity, in particular under the EU's Network and Information Systems Directive, and we'll examine how these rules apply to cloud services.