COCO-CLOUD (completed)

The Confidential and Compliant Cloud (Coco-Cloud) project aims to provide new methods for disseminating and sharing data in the cloud while also meeting regulatory and compliance requirements.

About the Project

COCO-CLOUD: Confidential and Compliant Cloud

A main goal of the project is to increase user trust in cloud services, leading to a wider adoption of cloud computing. COCO-CLOUD is aligned with the European Commission’s strategy towards building a legally compliant and flexible framework for cloud computing. The project outcome will be evaluated via three pilot products in the Health-Care, Corporate Security, and Public Administration domains.

The ability to share data, be it by a private organization or public institution, is subject to a number of legal constraints. There may be requirements stemming from data privacy rules, copyright restrictions, or a duty of confidence, which affect how data is shared. In addition, there may be other specific statutory prohibitions such as those applicable to government-held data. The technology to be used in COCO-CLOUD will consider legal compliance from the earliest stages of design, making compliance a priority rather than an afterthought. This is intended to be achieved through a “compliance by design” approach. Protecting data (including personal information) is essential for citizens, governments and organizations across all sectors using cloud computing services. The outsourced nature of the cloud, and the inherent loss of control that goes along with using cloud computing services, requires that dissemination of sensitive data be carefully controlled. The aim is to ensure that the data is always protected by a technology that can adapt to the relevant context. If it is possible to provide assurances on data protection and data usage control, then data sharing among individuals, governments, and organizations can be done much more confidently. This could imply that suitable technology might contribute to providing greater protection of fundamental rights including the right to privacy.

The project started 1 November 2013 and will close 31 October 2016.

Objectives

The legal research addresses two main research tasks. First, the research examines the current legal and contractual requirements relating to cloud computing services pursuant to European law. The focus is on requirements that should be accounted for in designing a cloud computing infrastructure that is used for managing data. Second, the research examines methods for developing best practices that can be incorporated into data sharing agreements in a legally compliant manner.

The project is based on three pilots that provide the business case requirements according to which the Coco Cloud products will be designed and implemented. These pilots cover both the private and public sector and involve the management of health data, government-held data and other confidential data accessed via mobiles. The identification as well as analysis of the legal issues will be on the basis of the following business case requirements as defined in the pilots:

A cloud-based medical portal that facilitates the ubiquitous interaction of the patients and the medical specialists;
A cloud-based sharing of government-held data of citizens between and across different Italian Public Administrations (PA); and
A cloud-based use and sharing of confidential information in mobile devices with predefined confidentiality policies.

Cooperation

Nine European partners from academia and industry will collaborate in the COCO-CLOUD research project: Hewlett-Packard, The Italian National Research Council, Imperial College London, University of Oslo, SAP, Atos, AGID, Bird & Bird, and Grupo Hospitalario Quirón.