Hogan Lovells has published a White Paper demonstrating that, contrary to recent reports, the limitations applied to U.S. law enforcement access to data stored in the Cloud during national security and foreign intelligence investigations surpass in many cases restrictions applied during similar investigations in other countries. “A Sober Look at National Security Access to Data in the Cloud,” written by Christopher Wolf and Winston Maxwell, lawyers in Hogan Lovells’ Privacy and Information Management Practice based out of the Washington, D.C. and Paris offices, was released today at a panel with the authors presented by the OpenForum Academy in Brussels. The authors also will discuss the paper tomorrow in Paris at a roundtable discussion comparing U.S. and French government access to data in the cloud presented by the American Chamber of Commerce in France.
CNIL’s recently-released annual report gives insight from France’s authority into sanctions, the right to be forgotten, whistleblowing, and what it believes are several shortcomings in the proposed EU regulation.
The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller under French data protection law. The CNIL’s guidelines contain seven recommendations for cloud customers, and a list of recommended contractual clauses. The CNIL points out that when the cloud provider is located in a non-European country “local government authorities can send requests to the provider to have access to the data.”
The Council of Europe’s 2012 Octopus Cybercrime conference closed today in Strasbourg, France. Hogan Lovells partner Winston Maxwell presented the firm’s white paper on government access to data in the cloud. This blog contains links to the conference materials.
Hogan Lovells has published a White Paper with the results of a study about governmental access to data in the cloud around the world. The White Paper debunks the frequently-expressed assumption that the United States is alone in permitting governmental access to data for law enforcement or national security reasons. The White Paper concludes that businesses are misleading themselves and their customers if they believe that restricting Cloud service providers to one jurisdiction better insulates data from governmental access. It is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies. The White Paper examines the laws of ten countries, including the United States, with respect to governmental authorities’ ability to access data stored in or transmitted through the Cloud, and documents the similarities and differences among the various legal regimes. The paper was written by Christopher Wolf, co-director of Hogan Lovells’ Privacy and Information Management practice, and Paris Office partner Winston Maxwell. It was released today at a program presented by the OpenForum Academy in Brussels at which both Wolf and Maxwell spoke. This blog post links to a copy of the White Paper and summarizes its findings.
Privacy and data security were at the forefront of the May 11 PLI seminar program entitled “Cloud Computing 2012: Cut Through the Fluff and Tackle the Critical Stuff,” with presenters including Hogan Lovells partners Chris Wolf and Philip Porter. This blog post summarizes the panel discussions, with topics ranging from breach preparation to cloud contracting.
Following the example of the French Data Protection Authority, the Spanish Data Protection Authority has opened a public consultation on cloud computing to learn the opinions and experiences of service providers and users.
On January 10, Peter Hustinx, the European Data Protection Supervisor, released his annual “Inventory” of issues of strategic importance for 2012, indicating that he would be focusing on, among other issues, the proposed EU data protection framework, IP rights versus privacy rights, cloud computing, and financial sector reform.
Hogan Lovells Privacy and Information Management practice leader Chris Wolf will moderate a complimentary lunchtime panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders. Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend and participate. For a place at the event, please send an e-mail to email@example.com
The French Data Protection Authority (the Commission Nationale de l’Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: “already €6 billion at the European level, with a yearly growth of approximately 20%”. The CNIL is focusing on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security. Public input into the issue is sought by the CNIL, as explained in this blog entry.
The German data protection authorities on September 26, 2011 adopted an “Orientation guide – cloud computing.” The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services and cloud computing service providers. It highlights the customer’s responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.
Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial service data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject the data to U.S. national security rules, including the USA Patriot Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.
After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly contains recommendations on cloud-computing, privacy by design, and EU privacy law reform.
Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.
Cisco has launched a Privacy and Security Compliance Journey web site with a variety of useful materials and resources. Hogan Lovells is pleased to have its primer on legal issues in Cloud Computing including privacy and data security concerns as the first featured content on the Cisco site. A link to the primer is contained in this blog entry.
On November 2, the General Services Administration published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations. This blog entry describes the proposals.
The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a – in our view very helpful – set of questions that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.
Details regarding the FTC’s recently released agenda for the first of three privacy round tables it will hold over the course of the next few months.
Readers of our blog are cordially invited to a complimentary Hogan & Hartson webinar on the legal issues arising from Cloud Computing on Tuesday, October 6 from 11 AM – 12:30 PM EDT. To request an invitation to the webinar, please e-mail: firstname.lastname@example.org