The goal of the ATMOSPHERE project is the design and development of an ecosystem comprised of a framework and a platform focussed on trustworthy cloud services on top of an intercontinental hybrid and federated resource pool. The framework considers several trustworthiness properties and their measures, while the platform supports the development, build, deployment, measurement and evolution of trustworthy cloud resources, data management services and data processing services. A distributed telemedicine scenario is used to demonstrate the usefulness of the proposed solutions.
This deliverable is the result of Task 3.4 - Compliance with Regulations whose goal is to analyse the applicability of regulations and laws in the context of ATMOSPHERE project, leading to a better understanding of the potential impact of them in the solutions proposed by the WPs. The outcomes of this task will guide, mainly, the design of the trustworthiness monitoring and assessment framework (WP3) as well as specific solutions developed in WP4, WP5 and WP6, while more general awareness will be communicated through WP2.
As a European-Brazilian project, ATMOSPHERE must comply laws and regulations from both regions. Besides laws and regulations, it will address as well future legislation and voluntary code of conduct. The deliverable also considers legislation for other countries, which are a good benchmark of future laws that may be implemented either in Europe and Brazil.
We perform an analysis of the main regulations and especially the European General Data Protection Regulation (GDPR) and the recent Brazilian Privacy Law 13.709/18. Both regulations are quite similar although there are some differences in the way that the communications should be performed and the time the logging information must be preserved.
The analysis takes into account how these laws affect ATMOSPHERE. Along with the development of guarantees to enhance privacy, there are several specific aspects in both regulations that are addressed in ATMOSPHERE. The deployment of a federated infrastructure opens the door to international data transfers, which may not be allowed for specific data items. The federation services must provide means to prevent such action. Second, ATMOSPHERE implements a metric for the privacy, which could provide a quantitative mechanism to evaluate the inherent privacy and the re-identification risk for an anonymised dataset, which could lead to applying the same privacy protection techniques as in the case of critical data. Finally, ATMOSPHERE will provide measures for fairness and transparency, quite aligned with the request of lawful processing and non-discrimination of both regulations.