Spanish Data Protection Authority Launches Public Consultation on Cloud Computing

By Pablo Rivas in our Madrid Office

Following the example of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or CNIL), the Spanish Data Protection Authority (Agencia Española de Protección de Datos or AEPD) has opened a public consultation on cloud computing to learn the opinions and experiences of service providers and users.

Interested parties have until January 27 to submit their comments. This public consultation is a good opportunity to enhance the AEPD's understanding of the data protection problems arising from cloud computing and may also help the AEPD find viable solutions and alternatives for data protection compliance within the cloud computing environment.

Interested parties can participate in the public consultation by completing an online form (in Spanish) accessible from the AEPD's website, www.agpd.es.

We will keep you posted on the conclusions of this public consultation of the AEPD.

European Data Protection Supervisor Releases "Inventory" of 2012 Priorities

On January 10, Peter Hustinx, the European Data Protection Supervisor (EDPS), released his annual "Inventory" of issues of strategic importance for 2012, along with an annex of the relevant Commission proposals and other documents that have been recently adopted or otherwise require the attention of the EDPS.  The strategic proposals can be grouped into four main categories:

  • Towards a new legal framework for data protection.  The European Commission has almost finalized its proposal for a new legislative framework, a draft of which was disclosed last month and which is likely to be published by the end of January.  Hustinx will issue an opinion on the legislative proposal in early 2012, closely follow the review process, and continue to fulfill his advisory role throughout the legislative process by intervening at the appropriate stages.
  • Technological developments and the Digital Agenda, IP rights, and Internet.  Of the European Commission's work in the area of new technologies, Hustinx will focus on the policy issues of Internet monitoring, IP enforcement, and takedown procedures (focusing on IP rights and privacy); cloud computing services (focusing on jurisdictional issues); e-Health; and a pan-European framework for electronic identification, authentication, and signature (focusing on e-security and privacy by design).
  • Further developing the Area of Freedom, Security, and Justice.  The items in this area at the top of Hustinx's agenda are immigration, border control, anti-terrorism, and internal security strategy, focusing on ensuring the right balance between privacy and security.
  • Financial sector reform.  Hustinx plans to issue a package of opinions on data protection issues with legislative proposals concerning the regulation and supervision of financial markets and actors, including the legislative package for the revision of the banking legislation; the market abuse regulation; the regulation and the directive on markets in financial instruments; and the revision of the credit rating agencies regulation.

Hustinx also identified trends of focus for 2012, which include:

  • Employment of effective information-gathering and investigative tools by administrative authorities (both EU and national).
  • Significant exchanges of information between national authorities, quite often involving EU bodies and large-scale databases (with or without a central part) of increasing size and processing power.
  • Developments in the field of technology, mainly due to the widespread use of the Internet and geolocation technologies.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, focusing on monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.  Hustinx is serving a five-year term as the EDPS, which expires in 2013.

Complimentary 11/15/11 Lunchtime Event on Cloud Computing Hosted by Microsoft, Moderated by Hogan Lovells Privacy Leader

Hogan Lovells Privacy and Information Management practice leader Chris Wolf will moderate a complimentary lunchtime panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders.  Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend and participate.

For a place at the event, please send an e-mail to the address below: dcrsvp@microsoft.com

French Data Protection Authority launches public consultation on cloud computing

The French Data Protection Authority (the Commission Nationale de l'Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: "already €6 billion at the European level, with a yearly growth of approximately 20%". The CNIL believes that the opacity inherent in cloud computing raises data protection concerns.

The CNIL’s consultation focuses on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security.

The consultation process opened on 17 October 2011 and input is sought from the public.

Turning specifically to the five areas of focus:

(i) definition of cloud computing: the CNIL suggests a definitional approach based on the main functional characteristics of the various cloud computing services;

(ii) role of the parties: the CNIL analyzes the roles of the customer and the service provider as data controller and data processor, respectively. According to the CNIL, the customer should always be regarded as a data controller. The role of the service provider might vary: the service provider could be a data processor or, in some cases, a co-controller;

(iii) applicable law: one of the stickiest issues relates to applicable law. If the controller (in most cases the cloud customer) is established in France, French law would apply. But the situation is more complex where the controller is located outside France and uses a cloud service provider with servers in France. Note that in a March 2011 decision, the CNIL decided to exempt companies established outside the European Union that use processors based in France from notifying their processing when it concerns human resources data or client and prospect data;

(iv) international transfers: most cloud services do not have a fixed location. Rules on international transfers of personal data are therefore difficult to apply. The CNIL suggests a two-fold approach, applying both legal and technical safeguards to international transfers. From a legal standpoint, the CNIL recommends the implementation of Standard Contractual Clauses in service providers' agreements, but also floats the idea of developing "Processor Binding Corporate Rules" or "Processor BCRs". Technically, service providers should apply security measures and data minimization (e.g. through the use of metadata) before data are transferred internationally;

(v) data security: the CNIL recommends the inclusion of security requirements in cloud computing agreements, while noting that customers are not always in a position to impose these requirements.

Interested parties have until November 17 to submit their comments. This consultation is an excellent way to enhance the French DPA's understanding of cloud computing and to propose technical solutions that may mitigate data protection risks.

The public consultation paper can be found (in French) here.

German DPAs Issue Rules for Cloud Computing Use

The German data protection authorities on September 26, 2011 adopted an "Orientation guide – cloud computing." The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services ("customers") and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements in the cloud. Based on this orientation guide, customers and providers will have to review their existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.

Full control by the customer

The guide emphasizes that German cloud computing customers are data controllers and are therefore responsible for the "cloud's" compliance with all data protection requirements under German law. This means the customer needs to know the identity not only of its immediate cloud computing service provider, but of all sub-processors involved in the cloud computing services. The agreement with the immediate cloud computing service provider must contain duties to disclose these sub-processors, as well as certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis such sub-processors, and all locations of data processing. The customer is required to safeguard data subjects' rights. Examples of how this is achieved include having liquidated damages and penalties in the cloud agreement, and ensuring that data subjects' rights (for instance the right to access, to correct or to have the data deleted) are observed by all cloud service providers. To the extent that the service also includes locations outside the European Economic Area (EEA), the customer may not rely solely on the EU Model Clauses, but must enter into an additional data processing agreement with control and audit provisions, which are mandatory under German data protection law.

Sensitive data in the cloud

The guide gives specific attention to sensitive data. Under German data protection law, the transfer of sensitive data such as health data, trade union affiliation, or religious beliefs cannot be justified by a balance-of-interests test (see, e.g., Art. 7(f) of the EU Data Protection Directive, which provides a legal basis for processing non-sensitive data as necessary for a controller's legitimate interests unless those interests are outweighed by the fundamental rights and freedoms of the data subject; see also § 28 of the German Federal Data Protection Act). Instead, the transfer of sensitive data can only be justified by the data subject's consent or other very specific exceptions. For any intra-EEA cloud, this is not an issue, since an EEA-located data processor following the data controller's instructions is not considered a third party to which data are transferred. The case is different for any provider located outside the EEA: that provider is a "third party" to whom the personal data are "transferred", and thus any use of such a cloud for sensitive data cannot be justified by a balance of interests.

Safe Harbor and the cloud

The German DPAs are repeating their careful approach to Safe Harbor certifications. A customer may not rely solely on the service provider's assurance regarding its Safe Harbor certification. Instead, the customer needs to verify the validity and the applicability (for the relevant type of data) of the provider's Safe Harbor certification, at a minimum on the Safe Harbor website. If the customer wants to transfer employee data to the U.S. in the cloud computing environment, the customer also has to verify that the service provider has agreed to cooperate in investigations by, and to comply with the advice of, the competent EU authorities. This requirement is reflected in the Safe Harbor FAQs (question 9, section 4).

Relevance of technical safeguards

The guide deals in detail with technical issues, security measures and the specific threats that cloud computing services pose to data protection principles. The guide repeatedly addresses transparency for customers and data subjects regarding the location of the data processing and the identity of the service providers involved (including subcontractors). The guide highlights the problem of reliably deleting data in view of the vast storage resources of cloud computing service providers, regular backup routines, and the ease of copying and globally transferring data over broadband networks. The guide emphasizes that personal data of different clients need to be securely separated. The guide also raises the concern of potential access to personal data by state authorities beyond what is accepted in the EEA, and views this as a relevant consideration for a customer when choosing a service provider. Customers need to address security against illegal access to the data, but also the portability of the data in case of their service provider's insolvency or the termination of the contract.

Conclusion

The guide does not contain revolutionary approaches to the difficult question of how to reconcile the benefits of cloud computing with the legitimate objective of ensuring compliance with German data protection requirements. However, it is a clear statement that German DPAs do not compromise on their sometimes very strict requirements, even for globally standardized services. The guide supports the role of intra-EU/EEA cloud computing service providers and of those services that are reliable and highly transparent regarding the location of the data processing and the identity of any subcontractors used in these services.

Both customers and providers of cloud computing services with an interest in the German market should now review their standard agreements for compliance with the requirements published by the German DPAs.

The paper, published in German, can be found here.

Cloud Computing for Regulated Industries: Security Requirements Differ

Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial services data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject the data to U.S. national security rules, including the USA PATRIOT Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.

French Parliamentary Commission Recommends Privacy Law Reform Citing Testimony of Hogan Lovells Privacy Lawyer

After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly covers a broad range of issues linked to data protection, including specific recommendations on EU privacy law reform. Hogan Lovells partner Winston Maxwell testified before the parliamentary commission, and the commission cited Winston's testimony in connection with its recommendations on the "right to be forgotten," privacy by design, and net neutrality.

The parliamentary commission found that the "right to be forgotten," while an attractive concept, covers a broad range of different situations, and that the key element of the "right to be forgotten," i.e. that individuals have a right to access and to require the deletion of personal data about them, is already covered by existing law. Citing Maxwell's testimony, the commission concluded that the creation of a new "right to be forgotten" does not appear necessary from a legal standpoint. On the issue of privacy by design, the commission recommended that Europe invest heavily in privacy-enhancing technology, and use privacy by design to create competitive edge for European industry.

The commission issued several recommendations on cloud computing, including a startling suggestion that future legislation should prohibit cloud services located outside the EU from storing sensitive data, such as health data, genetic data, data about children, and financial data. Prohibiting cloud services based outside the EU from handling sensitive data could create a major barrier to the development of cloud computing for the financial services and health care industries. The commission also recommended that cloud service providers be required to conduct security audits, and that French and European authorities conduct impact assessments on the risks of cloud computing conducted outside the EU.

The commission recommended that the Article 29 Working Party be given a budget and personnel of its own in order to ensure the group's independence. Echoing recommendations of the European Commission, the parliamentary commission urged reform of the rules on applicable law, citing diverging court decisions in France on the question of whether French data protection rules apply to Google.

In an unexpected twist, the French parliamentary commission supported the use of a European Regulation in reforming European privacy rules, so as to ensure proper harmonisation of rules throughout Europe. This recommendation seems surprising coming from members of parliament because national parliaments generally want to maintain freedom to interpret EU rules, and a Directive, as opposed to a Regulation, gives Member States this freedom. Finally, the parliamentarians urge the French government to initiate diplomatic action to encourage the adoption of a new international treaty on data protection, under the auspices of the United Nations. The parliamentary commission echoed remarks of Hogan Lovells partner Christopher Wolf made at the eG8 conference in Paris, finding it highly regrettable that the eG8 had been organized without inviting a single data protection authority to speak.

NIST Issues Guidance on Cloud Computing Privacy and Security Requirements for Federal Agencies

Joel Buckman, an associate in Hogan Lovells Privacy and Information Management practice group located in the Washington, D.C office, assisted in the preparation of this entry.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.

On February 2, 2011, as part of its broader effort to encourage cloud computing for federal agencies, NIST announced a new cloud computing Wiki to enable industry-NIST collaboration and published three significant cloud computing documents. The documents separately address (1) security and privacy in public cloud computing, (2) the definition of cloud computing, and (3) a guide to security for virtualization technologies. For cloud providers, the most important is NIST’s draft Guidelines on Security and Privacy in Public Cloud Computing (the "Guidelines").  

The comprehensive 60-page Guidelines focus on identifying trouble spots that arise from using cloud providers and articulating an analytical framework to address them. Four overarching themes emerge: (1) moving data to the cloud does not relieve an organization from its privacy or data security obligations; (2) cloud computing complicates security because it adds layers of technology (and thus complexity and new avenues of attack) and strips the data owner of control over its data; (3) to the extent practicable, organizations should seek the same or better security on the cloud as in-house; and (4) cloud computing therefore requires a deliberative approach by organizations and unprecedented levels of trust between them and cloud providers. 

The Guidelines emphasize terms of service as a tool to deal with privacy and security challenges. Despite recognizing that many cloud providers offer only non-negotiable terms of service (and the cost-saving benefits that go with them), the draft guidelines offer a number of recommendations about what the terms of service should contain, including:


  • “A detailed description of the service environment, including facility locations and applicable security requirements”
    • disclosure of any third party arrangements or nested cloud services (where a cloud provider stores customer data on another cloud provider’s system)
    • a prompt reporting requirement of breaches involving both information held for an organization and information held about an organization
  • “Policies, procedures, and standards, including vetting [of staff] and management of staff”
  • “The process for assessing the cloud provider’s compliance with service level agreements, including audits and testing”
  • “Specific remedies for noncompliance or harm caused by the provider”
  • “Procedures, protections, and restrictions for commingling organizational data and handling sensitive data”
  • That the organization retains data ownership over all its data and the cloud provider acquires “no rights or licenses . . . to use the data for its own purposes”
  • The provider’s obligations on contract termination
  • That the contract should not be subject to unilateral amendment by the provider

NIST also released The NIST Definition of Cloud Computing (Draft) and its final Guide to Security for Full Virtualization Technologies. In the first, NIST formally adopts its working definition of cloud computing and asks for comments on whether it should be modified. In the second, NIST catalogues security risks for full virtualization and offers recommendations to address them. Virtualization is a core enabling technology that uses a layer of software to run multiple operating systems and applications on the same hardware. This allows cloud providers to maximize server resources.  The recommendations focus on the need to secure each component, especially the hypervisor, which is the software “conductor” that runs the virtual environment. NIST recommends securing the hypervisor by, for example, continuous monitoring, restricting administrative access, and disabling unnecessary tools. 


All three documents have the potential to shape how federal agencies and private-sector companies approach cloud computing and negotiating terms of service with cloud providers.  Comments on the draft documents are due on February 28, 2011.

Cisco Privacy Site Features Hogan Lovells Cloud Compliance Primer

Cisco has launched a Privacy and Security Compliance Journey web site with a variety of useful materials and resources. Here is how Van Dang, Vice-President, Law and Deputy General Counsel of Cisco describes it:

We want to share with our customers, colleagues in other legal departments and other interested parties our privacy and security compliance journey - and it is a journey since the legal framework and regulations in this area are still evolving. We hope you will find useful materials and resources featured in each tab below. We also hope that you will share your best practices and give us feedback on how we can improve. Cisco is pleased to host this collaborative site in support of the privacy community and is committed to continuously refreshing content, so please bookmark the site for future reference.

Hogan Lovells is pleased to have its primer on legal issues in Cloud Computing including privacy and data security concerns as the first featured content on the Cisco site.

White House Proposes Cloud Computing Security Requirements for U.S. Government Agencies

On November 2, the General Services Administration (“GSA”) published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations.  The proposed guidelines are designed to provide a centralized system for assessing and authorizing cloud computing services for all U.S. government agencies in a manner that would provide appropriate security and maximize the efficiency of government contracting.  High impact U.S. government information services (e.g., classified military and intelligence data) would not be subject to these guidelines.  The agencies responsible for such activities would retain primary authority to assess and authorize information technology services in accordance with applicable laws and regulations.  Public comments on the proposed guidelines will be accepted until December 2, 2010.

The proposed guidelines call for security assessment and authorization of all cloud computing services for U.S. government agencies by the Federal Risk and Authorization Management Program ("FedRAMP"). Consistent with the requirements of the Federal Information Security Management Act, the proposed guidelines would require cloud service providers to demonstrate compliance with a variety of security obligations detailed in NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (August 9, 2009). Some of the controls recommended within NIST SP 800-53 have been augmented in the proposed guidelines. Examples of these modifications include:

  • implementation of FIPS 140-2 compliant encryption for any Software as a Service ("SaaS") offering that includes email; and
  • maintenance of at least three backups of user and system level data (one of which must be available online).

In addition to the goal of ensuring appropriate security for information used by the U.S. government, the guidelines are intended to improve the efficiency of the cloud service contracting process by creating an “authorize use, use many” system.  Once a cloud service provider has been authorized by FedRAMP for one agency, its services would be pre-authorized for other agencies. 

Notable Provisions

While most of the requirements and authorization procedures reflect well established best practices in information security, there are several elements of the proposed guidelines that are of particular note.

Authorization Renewal

Authorization under FedRAMP must be renewed every three years or whenever the cloud service experiences a significant change in security posture as defined in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal information Systems: A Security Life Cycle Approach (February 2010).  NIST SP 800-37 broadly defines a “significant change” as a “change that is likely to affect the security state of an information system.”  Accordingly, examples of changes that may trigger reauthorization include:

  • operating system upgrades, such as transitioning from Windows Server 2003 to Windows Server 2008; 
  • changes in software applications, such as transitioning from Oracle 11g to Microsoft SQL Server 2008; or 
  • changes in physical location of cloud assets, which may have notable consequences for cloud service providers that may desire to add new facilities to meet rapidly increasing customer demand. 

Real Time Continuous Risk Management

The proposed guidelines emphasize real time continuous risk management – the process of using security management tools (e.g., regularly scheduled vulnerability scans and penetration tests, intrusion detection systems, and data loss prevention systems) and procedures to evaluate and revise security measures on an ongoing basis. In fact, the proposed guidelines state that cloud services would only be required to conduct traditional point-in-time assessments every three years (possibly coinciding with the FedRAMP reauthorization schedule discussed above). Prioritization of real-time risk management has been a major goal of U.S. Chief Information Officer Vivek Kundra, as he stated in testimony before the House Committee on Oversight and Government Reform, Subcommittee on Government Management, Organization, and Procurement. In order to achieve this objective, the proposed guidelines call for cloud service providers to provide a number of artifacts to FedRAMP on a periodic basis. Examples of the required artifacts include:

  • monthly vulnerability scans;
  • quarterly system configuration reports;
  • quarterly plans of action and milestones regarding efforts to remediate identified security vulnerabilities;
  • annual penetration testing;
  • annual security awareness and training reports; and
  • annual updates for security policies, incident response procedures, and change management procedures.

Implementation of these requirements in the final guidance could accelerate the acceptance and adoption of similar real-time risk management strategies in government and private enterprise.  However, it remains unclear how quickly (if ever) such an evolution in risk management would be reflected in the enforcement agenda of regulatory agencies such as the Federal Trade Commission that deal with a wide variety of enterprises within and outside of the cloud service industry. 

Competitive Impacts

It should also be noted that, if implemented, the proposed guidelines could affect competition in the cloud service industry. First, it is reasonably foreseeable that state and local governments may adopt similar assessment and authorization procedures and/or recognize authorization through FedRAMP as a way for contractors to demonstrate appropriate security. Moreover, private institutions may implement similar authorization procedures for cloud service providers. Adopting the same safeguards required for the protection of moderate impact federal information systems may serve as valuable evidence that a business has legally reasonable and appropriate security measures for third party service providers. This may be particularly true for businesses required by law to supervise the security practices of third party service providers under HIPAA, the GLB Safeguards Rule, and state data security laws and regulations in Massachusetts, Nevada, and Oregon. In the long run, cloud service providers may find that compliance with the proposed guidelines affects their ability to serve customers beyond the U.S. government.

Second, it is conceivable that the proposed guidelines may create an unintended barrier to entry for cloud service providers.  While there are a variety of areas in which businesses are required to receive authorization or certification in order to offer products or services to U.S. government agencies, many of these procedures allow prospective government vendors to submit their products and services for evaluation without sponsorship by a government agency.  For example, technology vendors may submit data encryption products for certification under the NIST Cryptographic Module Validation Program without first securing sponsorship from a government agency.  By contrast, the proposed guidelines envision a procedure by which cloud services are only authorized upon the request of the government agency seeking to acquire the services.  It is foreseeable that after a certain number of cloud services have been authorized, government agencies may choose to use cloud services that have already been authorized rather than devote agency resources to the authorization of a new cloud service provider.  Such an outcome could hinder entry of new cloud service providers and innovation in the long run.

European Network and Information Security Agency (ENISA) Issues Cloud Computing Guidance

The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a set of questions (in our view, a very helpful one) that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.”

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightfully points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

- whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

- the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

- how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security is concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or the Article 29 Working Party.

FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

Complimentary Hogan & Hartson Webinar on Cloud Computing on October 6th at 11 AM EDT

Readers of our blog are cordially invited to a complimentary Hogan & Hartson webinar on the legal issues arising from Cloud Computing on Tuesday, October 6 from 11 AM - 12:30 PM EDT.  To request an invitation to the webinar, please e-mail:  jbhowe@hhlaw.com

Cloud computing allows businesses to use the remote computing power of others to handle data and data applications. For most businesses, it is not a question of whether but how to use cloud computing. Cloud computing — a unique form of outsourcing — can reduce costs, improve service delivery, and allow business innovation not feasible with proprietary servers and on-site software.

So the question is how a company can use the new services in ways that protect the company and its data. As with any transfer of valuable company information, there are legal issues and legal risks that must be addressed.

In this webinar, you will learn and have an opportunity to ask questions about these issues and more:

  • What exactly is cloud computing? What forms does it take?
  • What steps should a company take to protect its intellectual property, including trade secrets and confidential information, in the cloud?
  • Is data in the cloud safe from government view, and what can you do to protect it?
  • How should you address the privacy law issues implicated by cloud computing, especially in light of the international legal rules on the cross-border transfer of data?
  • What labor and employment law issues are implicated by sending data to the cloud?
  • How does a company deal with e-discovery when using cloud computing?
  • What data security safeguards should a company put in place before putting data in the cloud?
  • Whose responsibility is it if there is a data breach and how are the requirements of data security breach notification laws met?
  • What are the contracting issues with cloud computing and the best practices for getting a solid cloud computing contract?
  • How do companies and cloud service providers handle service level issues?