About: The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Searching for the silver lining of the US cloud

Di Gleria, Sonja January 2022
We live in a society where more and more services are available online, and to an increasing extent, people expect that there should be a digital solution. The demand for digitalization of the public sector is increasing. However, at the same time, there are requirements for public activities to handle tax funds responsibly and not buy more expensive solutions than necessary. Here, cloud providers are often used to solve the equation of being both efficient and economical - and not least secure. The problem is that after a judgment in the Court of Justice in the European Union (Schrems II), cloud-based solutions supplied by US-based providers appear to be legally prohibited as their use violates the GDPR. GDPR complicates the digitization work by creating uncertainty about what a public organization is allowed to do. The research question to help shed light on this issue is “How can the public sector in Sweden use US cloud providers in the light of Schrems II?” This research uses design science as a research method to find the critical factors to support the use of US cloud service providers and use the factors as requirements. As the problem is practical, action research is used as a research strategy. The primary data collection methods are interviews of subject matter experts for their knowledge and direct insight into the problem, document research of mostly official documents as a knowledge base for the research with their validity and reliability, and a variant of brainstorming for new perspectives. Thematic analysis is used to analyze the results and help define the requirements for using US cloud providers in the public sector, along with explanation and root cause analysis. The GDPR is clear about third country transfers, but the additional laws and demands cause uncertainties on applying it and for which kind of data. 
The critical factors found are contributing laws, data classification, risk management, internal procurement, routines, employee knowledge level, and the need for documentation. These results led to a conclusion that open, public data is the only kind of data for which it is possible to use US cloud providers. After carefully examining the critical factors, some public organizations have chosen to use US cloud services for other data types, as they decided it was the safer choice. EU and the US have just agreed on the principles of a new trans-Atlantic data transfer treaty. This treaty must solve several problems to guarantee an adequate level of protection, and the probability that this will be met creates continued uncertainty in the affected organizations. One thing is clear - an organization that meets the critical requirements is firmly facing whatever future may come.
2

Livet efter Schrems II : EU:s integritetsskydd i ljuset av statlig övervakning / Life after Schrems II : EU privacy protection in the light of state surveillance

Olsson, Mattias January 2021
International transfers of personal data impose great risk to the fundamental rights of individuals. Equally true however is the fact that international transfers of personal data (as well as other categories of data) are of great value to the global economy and to the business of many European companies. Personal data has to be able to flow freely within the European single market as well as to the rest of the world, but if the fundamental rights which are recognized by the EU are to be taken seriously this simply can’t be the case, there have to be restrictions of some sort. In other words, international transfers have to recognize fundamental rights, or otherwise they can’t occur. The million-dollar question, therefore, is how these two interests can merge. International transfers of personal data are regulated in the general data protection regulation, which is explored in depth in the thesis. The rules of such transfers are quite complex and have of late been vigorously debated. In the center of it all is Maximilian Schrems, who has succeeded in his attempts to tear down the regulation’s popular mechanisms for international transfers, namely Safe Harbour and Privacy Shield. It has successfully been argued that these mechanisms don’t guarantee an adequate level of protection of the fundamental rights of individuals within the EU when their personal data is transferred to the United States. The secret surveillance of the American intelligence agencies imposes too great a threat to the fundamental rights, which aren’t safeguarded by these mechanisms. The European Court of Justice has in its case law been sympathetic to the criticism of Mr. Schrems and has judged both Safe Harbour and Privacy Shield invalid.
In the light of the case law of the court, specifically the Schrems II ruling, international data transfers to the United States are very problematic from a privacy perspective, and I argue that all transfers to all third countries are troublesome as a consequence of Schrems II. If an international transfer is to be carried out to a country which performs secret surveillance (i.e. most countries of the world) the data controller and processor have to guarantee the protection of the rights of the data subject vis-à-vis the state’s surveillance throughout the transfer, otherwise it can’t materialize. This I argue is not possible, which in practice prohibits the possibility for transfers to most countries almost completely. In summary the thesis explores the dynamic relationship between international transfers of personal data and national security. The overriding conclusion is that it is a dysfunctional relationship indeed and that transfers can’t occur to third countries which don’t respect fundamental rights. This is the case in general, regardless of what mechanisms are used, what data is to be transferred and what supplementary measures the parties apply.
3

Molnmigration efter Schrems II: Utmaningar och möjligheter / Cloud Migration after Schrems II: Challenges and possibilities

Wetterlund, Gustaf, Lind, Oscar January 2023
In 2020, the Court of Justice of the European Union announced the so-called Schrems II-ruling, which complicates how European businesses can use American owned cloud service providers due to incompatible laws and regulations between the US and the EU regarding sensitive data. Since American cloud service providers dominate the European market, many businesses are uncertain about whether or not they can continue to utilize their business-critical cloud services. The purpose of this study is to contribute knowledge about the possible opportunities for these affected businesses and to examine the contrast between the Swedish private and public sectors after the Schrems II-ruling. The primary empirical data was collected through qualitative interviews with a total of eleven respondents. Eight interviews were conducted with respondents from both the private and public sector with different perspectives and work background within IT, with a focus on identifying the perceived challenges during cloud migrations in the public and private sectors. Three interviews were then conducted with respondents who are knowledgeable about the Schrems II-issue to identify opportunities and gain further clarity on the study's questions. The study's results showed that the public sector has been significantly more affected by the Schrems II-ruling than the private sector and identified the following possible opportunities: A legal assessment at the national level in Sweden for the use of American cloud services would clarify the uncertainty businesses experience today. It would especially aid smaller agencies that currently have to make the assessment themselves with limited resources. The outcome of the new legal framework, the Trans-Atlantic Data Privacy Framework, which may replace the framework invalidated by the Schrems II ruling, would provide new clarity on what is legally applicable to businesses. A decision by the EU Commission is expected in the summer of 2023. Licensing of American cloud service providers' products operated by Swedish IT providers.
4

Tredje gången gillt? : En analys av EU-US Data Privacy Framework / Third time’s the charm? : An analysis of the EU-US Data Privacy Framework

Bjerselius, Nathalie January 2023
Through the GDPR, the member states of the EU and the EEA countries ensure equivalent protection for personal data which is why personal data within this area can be transferred freely. Transfers of personal data to a country outside the EU/EEA area, such as the U.S., are only permitted under the General Data Protection Regulation (GDPR) under certain conditions, including if the EU Commission has decided that the country in question ensures an adequate level of protection. The EU Commission has previously adopted two such decisions for the U.S., based on Safe Harbour and Privacy Shield. Those decisions were, however, struck down by the Court of Justice of the European Union (CJEU) in Schrems I and II since the CJEU did not consider that the U.S. could ensure an adequate level of protection for personal data that was transferred from the EU to the U.S. In July 2023, the EU Commission announced that it had once again adopted an adequacy decision for the U.S. meaning that personal data can now flow freely from the EU to companies and organizations in the U.S. certified under the EU-US Data Protection Framework (EU-US DPF). The adequacy decision followed a presidential order signed by U.S. President Biden in October 2022, which introduced new security measures intended to remedy the problems identified by the CJEU in Schrems I and II. On the one hand, the US intelligence agencies’ access to personal data is limited to what is proportionate. On the other hand, a data protection court is established. The purpose of this essay is to examine whether the changes that the presidential order has given rise to have changed the legal situation after Schrems II in such a way that the U.S. can now be considered to ensure an adequate level of protection for personal data that is being transferred from the EU to the U.S. By analyzing the EU-US DPF against the background of the jurisprudence of the CJEU and the European Court of Justice, I find that this is not the case.
The U.S. intelligence agencies’ use of and access to EU citizens’ personal data is still not limited to what is proportionate and EU citizens whose personal data is processed still do not have access to an effective remedy to challenge surveillance measures. Thus, the new adequacy decision for the U.S. is likely to be struck down by the CJEU in the coming years. The consequences of such an invalidation are examined to some extent in this essay, particularly in relation to other transfer mechanisms in Chapter V of the GDPR, namely standard contractual clauses and binding corporate rules.
5

Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II / Transfer of personal data from the EU to the US : Especially in light of Schrems I and II

Cahn, Henrietta January 2021
The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circumstances.  According to article 45 of the General Data Protection Regulation (GDPR), a third country must ensure an adequate level of protection for personal data if it is to be transferred there. A first condition which must be met in order to reach that level is that the EU Commission, when making decisions about whether a third country offers an adequate level of protection, conforms to its competence according to EU law. The level of protection also has a procedural dimension. Furthermore, in order for an adequate level of protection to be reached, there must be limitations on the third country’s possibilities to conduct foreign intelligence surveillance. One problem with the CJEU’s interpretation of the level of protection in Schrems I and II is that it did not clarify under which circumstances exactly a proportionality analysis must be conducted. Another problem that the judgments have given rise to is that an adequate level of protection is very hard to reach for third countries, since it must be essentially equivalent to the level that applies within the EU. The extra-territorial application of the GDPR and the EU level of protection for personal data could also have a limiting effect on international trade.  According to article 46 of the GDPR, standard contractual clauses (SCC’s) can be used to transfer personal data to a third country when the EU Commission has not made a decision under article 45. 
The CJEU’s judgment in Schrems II has clarified that the determining factor when deciding whether SCC’s are lawful is whether they contain effective mechanisms that make it possible to ensure that the EU level of protection is maintained, and whether transfers of personal data using SCC’s will be stopped or forbidden if the clauses are set aside or impossible to abide by. According to article 47 of the GDPR, binding corporate rules (BCR’s) can also be used to transfer personal data to a third country. The decision of a supervisory authority to approve BCR’s, however, does not take into account transfers to specific third countries. Anyone who transfers personal data to a third country using BCR’s must therefore decide in each individual case whether the use of the rules will provide a level of protection in the receiving country that fulfills the demands of the GDPR. The CJEU’s conclusions regarding the US level of protection for personal data indicate that a transfer there using BCR’s could be illegal.
6

Molntjänster i kommuner: en studie om rättsliga och informationssäkerhetsmässiga aspekter kring arbetet med molntjänster / Cloud computing in municipalities: a study of legal and information security aspects around the work with cloud computing

Farah, Hamza Hayd, Aden, Ayan Ali January 2020
Information is handled, processed, stored, and used by all types of businesses as a result of progress in digitalization. The increased digitalization of society has contributed to an increased demand for innovative technologies such as cloud computing. Cloud computing is a popular technology that offers scalable IT solutions on demand over the Internet, and which has major advantages regarding cost reduction and secure IT operations. Despite the positive aspects of cloud computing, new legal and security issues are emerging which have not previously existed in the traditional IT infrastructure, such as data localization and the security and integrity of information. The purpose of this work is to analyze and investigate legal and security measures that the surveyed municipalities take when handling information in the cloud. The study was conducted in the form of a qualitative study, in which seven semi-structured interviews were conducted. The results indicate that the surveyed municipalities' choice of cloud computing provider depends on several aspects such as the geographical location of data and security of information in cloud computing. Furthermore, the results show that the municipalities implement measures such as training their employees and classifying information that will be stored in the cloud.
7

Kommersiella aktörers tredjelandsöverföring av personuppgifter efter Schrems II : GDPR-efterlevnad efter EU-domstolens ogiltigförklarande av Privacy Shield, och EU-domstolens uttalanden om acceptabel lägsta nivå för skyddet av personuppgifter / Transfers of personal data to third countries for commercial purposes, post Schrems II : – GDPR compliance after EU-US Privacy Shield invalidation by the Court of Justice of the European Union, and the courts statements regarding fundamental rights for the protection of personal data

Bolin, Josef, Svensson, Jimmy January 2021
Since the GDPR entered into force, the protection of personal data has been strengthened and harmonized within the EU. The GDPR guarantees natural persons a fundamental right to the protection of personal data. Anyone who processes personal data is subject to a particular responsibility. As a general rule, transferring personal data to a third country is prohibited. For a third-country transfer to be permitted, several exemption conditions must be met. Anyone who is responsible for the processing of personal data and does not meet the conditions risks both liability for damages and administrative fines of up to as much as 20 000 000 euro, or 4 % of annual turnover. The purpose of this thesis is to describe the options available to a commercial actor for a third-country transfer of personal data to be permitted when personal data is stored with a cloud service provider. To fulfil this purpose, we have analyzed relevant Swedish and EU legal regulation, doctrine, case law, and recommendations and guidelines issued by the EDPB. We apply a legal dogmatic method and an EU legal method, which means that we use the general sources of law, which for Swedish law consist of statutes, preparatory works, case law and doctrine. EU case law in this area is limited, and a significant judgment was delivered recently. The legal situation after the judgment is relatively untested. The party that processes personal data is the data controller. The controller is responsible for ensuring that the protection of the personal data is maintained if the data is transferred to a third country. When personal data is processed via a cloud service, there is a risk that the personal data is transferred to a third country, outside the controller's control. If the cloud service provider falls under US jurisdiction, US authorities may, on the basis of their domestic law and under certain circumstances, request data from the cloud service provider.
Chapter V of the GDPR sets out a number of exemptions that a data controller can invoke for a third-country transfer. Regardless of which tool is chosen, and regardless of whether all the conditions are met, the Court of Justice of the European Union established in Schrems II that the recipient country must have an adequate level of protection for personal data, and that the recipient country's domestic law must not undermine or eliminate the protection ensured by the GDPR. An adequate level of protection means protection essentially equivalent to that guaranteed by EU law.
8

Digital distansundervisning och GDPR : Särskilt om Zoom vid Sveriges universitet och högskolor efter Schrems II-målet / Distance learning and GDPR : Especially about Zoom at Swedish universities after the Shrems II case

Andersson Rosengren, Pontus January 2021
The ongoing Covid-19 pandemic has led to society being forced to switch to a digital presence, where physical meetings have been replaced by digital ones. For universities, this has meant that teaching and examinations have taken place through a special installation of the video conferencing service Zoom. Zoom is offered in a so-called on-premises installation which largely runs on private servers or instance, in Denmark. NORDUnet and Sunet are the providers of the special installation which has been given the “Sunet E-meeting”. For the service to work, personal data is processed. This data includes names and e-mail addresses, but also meeting data, gathered by the camera and audio feed, and IP-addresses. All personal data should be processed on the private instance according to the service description. To connect to the service, various options are provided, including installing a client provided by Zoom on a computer or smartphone. Another way to connect that does not require any installation is through a web client, also provided by Zoom. One of Sweden’s universities recently discovered that a student who joined the meeting via the web client was connected to a public Zoom data center in the United States. Through network analyses and the study below, it turns out that the web client is a form of exception in the service where traffic does not go directly to the private cloud. Instead, the traffic goes via Zoom's public cloud where traffic is at risk of going to various data centers both outside and within the European Union. This study of the service is based on the data protection legislation. Questions concerning the division of roles and responsibilities between the data controller and the processor, security concerns, the use of personal data, processing, and third-country transfers has been done.
Following the Schrems II judgment, where the European Court of Justice ruled that the United States does not have an adequate level of protection regarding the protection of individuals' personal data, the possibilities of transferring personal data to the country were limited. Determining whether the usage of the cloud service means that personal data is transferred to the United States or not is therefore of great importance. This study concludes that a third country transfer has occurred at least once, which is not compatible within the data protection regulation. The study also shows the importance of knowledge of the service being used both by the controller and processor to ensure correct processing of the data.
9

Protection of Personal Data, a Power Struggle between the EU and the US: What implications might be facing the transfer of personal data from the EU to the US after the CJEU’s Safe Harbour ruling?

Strindberg, Mona January 2016
Since the US National Security Agency’s former contractor Edward Snowden exposed the Agency’s mass surveillance, the EU has been making a series of attempts toward a more safeguarded and stricter path concerning its data privacy protection. On 8 April 2014, the Court of Justice of the European Union (the CJEU) invalidated the EU Data Retention Directive 2006/24/EC on the basis of incompatibility with the Charter of Fundamental Rights of the European Union (the Charter). After this judgment, the CJEU examined the legality of the Safe Harbour Agreement, which had been the main legal basis for transfers of personal data from the EU to the US under Decision 2000/520/EC. Subsequently, on 6 October 2015, in the case of Schrems v Data Protection Commissioner, the CJEU declared the Safe Harbour Decision invalid. The ground for the Court’s judgment was the fact that the Decision enabled interference, by US public authorities, with the fundamental rights to privacy and personal data protection under Article 7 and 8 of the Charter, when processing the personal data of EU citizens. According to the judgment, this interference has been beyond what is strictly necessary and proportionate to the protection of national security and the persons concerned were not offered any administrative or judicial means of redress enabling the data relating to them to be accessed, rectified or erased. The Court’s analysis of the Safe Harbour was borne out of the EU Commission’s own previous assessments. Consequently, since the transfers of personal data between the EU and the US can no longer be carried out through the Safe Harbour, the EU legislature is left with the task to create a safer option, which will guarantee that the fundamental rights to privacy and protection of personal data of the EU citizens will be respected. 
However, although the EU is the party dictating the terms for these transatlantic transfers of personal data, the current provisions of the US law are able to provide for derogations from every possible renewed agreement unless they become compatible with the EU data privacy law. Moreover, as much business is at stake and prominent US companies are involved in this battle, the pressure toward the US is not only coming from the EU, but some American companies are also taking the fight for EU citizens’ right to privacy and protection of their personal data.
