Category Archives: Policy and Regulation

Can Safe Harbour stay afloat?

When the European Court of Justice declared the US-EU Safe Harbour framework invalid in the case of Schrems v Data Protection Commissioner, some 4,500 companies began to panic. Many are still struggling to decide what to do: should they implement an alternative method of transferring personal data from the EEA to the US, or should they simply wait to see what happens next?

Waiting is a risky game, as the European data protection authorities’ (DPAs) grace period extends only until January 31 2016, by which time companies must have their cross-Atlantic data transfers in order. After this date, enforcement action may be taken against those transferring personal data without a suitable mechanism in place to ensure adequate protection for that data. Although the slow churning of US and EU authorities negotiating a replacement for Safe Harbour can be heard in the distance, no timeline has yet been set for its implementation. There is also the added complication of the newly agreed EU General Data Protection Regulation, which is likely to muddy the waters of an already murky negotiation.

Will Safe Harbour 2.0 come to the rescue?

According to the European Commissioner for Justice, Consumers and Gender Equality (the Commissioner), the negotiations on ‘Safe Harbour 2’ continue, undoubtedly under added pressure following the invalidation of the original Safe Harbour framework. Whilst both sides understand the sense of urgency, no proposal has yet met the needs of both the national security services and the European DPAs.

In Autumn 2013, the European Commission produced a report setting out 13 recommendations for improving Safe Harbour. Recommendation 13 required that the Safe Harbour national security exception be used only to the extent strictly necessary. This recommendation remains a sticking point in negotiations. Human rights and privacy organisations have little hope that these hurdles will be effectively overcome: in November 2015, a letter was sent to the Commissioner from EU and US NGOs, urging politicians to commit to a comprehensive modernisation of data protection laws on both sides of the Atlantic.

Of course, the real bridge to cross is on US law reform, which the Commissioner sees as more about guaranteeing EU rules in the US than changing US law. It seems the ball is very much in the North American court.

Do not, however, be fooled by the House of Representatives passing the Judicial Redress Act, which allows foreign citizens to bring legal suits in the US for alleged violations of their privacy rights. Reform is not easy, and it is now for the Senate to decide whether to follow suit, or to find a way to water down the Act. The govtrack.us website, which follows the progress of bills through Capitol Hill, gives the Act a 22% chance of success. With odds like these, maybe we shouldn’t bet on cross-Atlantic privacy reform in the immediate future.

The future of global surveillance

Whilst there have been positive noises coming from the White House regarding the privacy rights of non-Americans, it is unlikely in a post-9/11 world that any government will allow itself to be prevented from accessing data of either its own or foreign nationals.

In light of recent terror attacks all over the world, the Snowden debate is more relevant than ever. How far should government intelligence agencies go towards monitoring communications? Snowden forced governments to think twice about their surveillance practices, but recent attacks may have the opposite effect. Although their so-called ‘snooping’ may breach citizens’ fundamental rights, it may be more a question of how many civil liberties citizens are willing to exchange for safety and security.

The British Government has suggested that fast-track aggressive surveillance proposals (dubbed ‘the Snoopers’ Charter’) are the way forward in helping prevent acts of terror. This new emphasis on drones and cyber-experts marks a big shift from 2010’s strategic defence review. This is a war fought online and across borders and one cannot ignore the context of Safe Harbour here.

The implications on global e-commerce

Hindering cross-border data transfer impedes e-commerce and can potentially cause huge industries to collapse. By 2017, over 45 percent of the world is expected to be engaging in online commerce. A clear path across the Atlantic is essential.

The Information Technology and Innovation Foundation put it bluntly in stating that, aside from taking an axe to the undersea fibre optic cables connecting Europe to the US, it is hard to imagine a more disruptive action to transatlantic digital commerce than a stalemate on data transfer. A global solution must be reached, and soon.

The future of global cross-border data transfer

Time is running out on the Safe Harbour negotiations, and creating frameworks such as this is not simple – especially when those negotiating are starting so far apart and one side (the EU) does not speak with a unified voice.

Most of the 28 European Member States have individual national DPAs, not all of whom agree on the overall approach to reform. If the DPAs could speak in one voice, there could be greater cooperation with the Federal Trade Commission, which could hasten agreements on suitable frameworks for cross-Atlantic data transfers. In the US, much will come down to the law makers and, with an election brewing, it is worth considering the different scenarios.

Even though the two main parties in the US stand at polar ends of the spectrum on many policies, they may not be so distant when it comes to global surveillance. In the wake of the Snowden revelations, Hillary Clinton defended US global surveillance practices. The Republican Party has also been seen to favour increased surveillance of certain target groups. The question remains: if either party, when elected, is happy to continue with the current surveillance programme, how will the US find common ground with the EU?

Conclusion

Europe seems prepared to act alone in protecting the interests of EU citizens, and the CJEU’s decision in Schrems was a bold and unexpected move on the court’s part. However, with the ever increasing threat to EU citizens’ lives through organised terror, the pressure may be mounting on the EU to relax its stance on data privacy, which could mean that finding common ground with the US may not be so difficult after all. We shall have to wait and see how the US-EU negotiations on Safe Harbour 2 evolve, and whether the European Commission will stand firm and require the US to meet its ‘equivalent’ standard.


Written by Sarah Pearce, Partner & Jane Elphick, Associate at Cooley (UK) LLP.

UK Competition and Markets Authority to launch legal probe into cloud storage

The UK’s Competition and Markets Authority (CMA) is to launch a review of how the cloud storage sector may be affected by consumer law, in the wake of rising concerns about pricing and service charges.

With an estimated 40% of consumers now using cloud storage to store music, images and documents, according to the CMA, compliance with consumer law is increasingly critical. The CMA says that it is taking action as reports emerge of possible breaches of consumer law through rogue practices and terms.

In one case consumers were hit with surprise price increases and reductions to their ‘unlimited’ storage capacity deals after contracts had been agreed. The CMA is also concerned about incidents of loss and deletion of some consumers’ data.

The CMA’s review is to investigate how widespread these practices are, whether they breach consumer law and how they are affecting consumers. The process, which begins on December 1st, is open for responses until 15 January 2016. The CMA says it wants to hear from businesses about their practices and from consumers and industry experts about their experiences.

“We want to assess whether companies understand and comply with consumer law and whether cloud storage services are working well for consumers as a result,” said Nisha Arora, CMA Senior Director.

If the review finds breaches of consumer protection law it will take action to address them, it says. This could include enforcement action using the CMA’s own consumer law powers, namely Part 2 of the Consumer Rights Act 2015 relating to unfair terms and, for contracts entered into before 1 October 2015, the Unfair Terms in Consumer Contracts Regulations 1999. It can also invoke the Consumer Protection from Unfair Trading Regulations 2008 (CPRs). Alternatively, it may seek voluntary change from the sector or provide guidance to businesses or consumers.

The CMA has a general review function under section 5 of the Enterprise Act 2002. Information gathered can help the CMA to determine whether further action is warranted. However the CMA says it has not taken any decisions about what it might do once this review is completed.

EC calls for Safer Harbour agreement – issues new guidance

The European Commission has issued new guidance to companies on transatlantic data transfers and has called for a rapid creation of a new framework.

In October BCN reported how the ruling in the case of Schrems v Data Protection Commissioner rendered the US-EU Safe Harbour Agreement invalid, after it was revealed that EU citizens’ data was being accessed by the US National Security Agency (NSA).

The Commission said it has stepped up talks with US authorities on a new framework and issued guidance to help companies comply with the ruling and work with alternative transfer tools.

“We need an agreement with our US partners in the next three months,” said EC Vice-President Andrus Ansip, who is responsible for the Digital Single Market. “The Commission has been asked to take swift action: this is what we are doing. Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations.”

“Citizens need robust safeguards of their fundamental rights and businesses need clarity in the transition period,” said Commissioner Vera Jourová, adding that 4,000 companies currently rely on the transatlantic data pact.

The EC guidelines advise on how data transfers can continue to be pursued by businesses in the interim period. They cover issues such as contractual solutions (standard contractual clauses), Binding Corporate Rules for intra-group transfers, and derogations such as the conclusion or performance of a contract. The guidance document, which is 7,981 words long, runs to 16 pages of challenging reading and is open to interpretation.

“As confirmed by the Article 29 Working Party, alternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States,” concludes the guidance document. “However, the Commission considers that a renewed and sound framework for transfers of personal data to the United States remains a key priority.”

Enforcement against non-compliance with the Safe Harbour court ruling comes into effect at the end of January 2016.

Opinion divided on impact of CISA ruling on Safe Harbour

The new US Cybersecurity Information Sharing Act (CISA), passed in the US Senate on Tuesday, has made data sharing between the US and EU even harder, according to critics.

However, attitudes to data sovereignty and the institution of a new Safe Harbour agreement seem to be polarising across both sides of the Atlantic.

Former White House cyber security advisor French Caldwell, chief evangelist at GRC software company MetricStream, said he recognised the ‘libertarian’ argument but that those at the front line in the IT industry have a more realistic grasp of the immediate issues. “Libertarians are strongly opposed and it’s easy to sympathise with that position. Once the door opens to information sharing, the arrangement might go from voluntary to mandatory over time,” said Caldwell.

However, security people on the ‘front lines’, at banks, electrical utilities, energy companies and hospitals, are fighting a war, he said. “Well financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are probing for weakness. These cyberattacks amount to cyberwar,” said Caldwell.

The significant privacy protections in the CISA legislation will provide protections from anti-trust rules. Better still, it would bring data holders into a protective information sharing culture with federal agencies, he argued.

However, a UK counterpart saw CISA differently. “This is bad news. Just as the EU makes it clear that it’s a serious problem if security agencies get easy access to personal data, the US Government makes it even easier for this snooping to happen,” said Mike Weston, CEO of data science consultancy Profusion.

The Cybersecurity Information Sharing Act will make it significantly harder for the US and Europe to agree a replacement for the collapsed Safe Harbour provisions, according to Weston. “Without assurances that European citizens’ personal data is protected, it’s hard to see how such an agreement might be reached. The biggest stumbling block is that while US citizens are afforded some protection by the USA Freedom Act, none applies to citizens of other nations.”

In a Microsoft blog posting its chief legal officer Brad Smith called on the US government to respect European Union privacy laws for transatlantic personal data in the post-Safe Harbour era.

The note describes privacy as a ‘fundamental human right’ and urges the US government to commit to only accessing private information stored in the United States about EU citizens in a manner that ‘conforms with EU law, and vice versa’.

AWS: examine fine print in data transfer legislation

In a week that has seen the European Court of Justice rule the Safe Harbour agreement on data transfer invalid, the significance of data transfer legislation in South East Asia has been under discussion at Cloud South East Asia.

Answering audience questions following his Cloud South East Asia keynote this morning, Blair Layton, Head of Database Services for Amazon Web Services, argued that some of the legislation restricting data transfer is not always as cast-iron as it appears.

Acknowledging that such legal concerns were indeed “very legitimate,” and that there were certainly countries with stringent legal provisions that formed an obvious barrier to the adoption of cloud services such as Amazon Web Services, Layton nonetheless stressed that it was always worth examining the relevant legislation “in more detail.”

“What we’ve found in some countries is that, even though the high level statement might be that data has to reside in one country, what you find in the fine print is that it actually says, ‘if you inform users then it is fine to move the data,’” he told delegates. “Also, for sensitive data you think you may not be able to move – because of company controls, board level concerns etc. – we can have many discussions about that. For instance, if you just want to move data for back-up and recovery, you can encrypt that on-premises, maintain the keys on-premises, and shift that into the cloud for storage.”
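The pattern Layton describes, encrypting on-premises and keeping the keys on-premises so the provider only ever holds ciphertext, is worth seeing concretely. The following is an added example written for this page in Go; it is not AWS code and makes no use of any AWS service. It assumes a hypothetical key-encryption key (KEK) that lives on-premises (in practice an HSM or local KMS), wraps a fresh per-backup data key under it with AES-GCM, and authenticates the backup’s name as additional data so a blob stored under one name cannot be served back under another without detection. The sample backup content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BackupBlob is everything that leaves the premises. It contains no usable
// key material: the per-backup data key is present only wrapped under the
// KEK, and the KEK itself is never uploaded.
type BackupBlob struct {
	WrappedKey []byte // nonce || AES-GCM(KEK, dataKey), bound to the backup ID
	Ciphertext []byte // nonce || AES-GCM(dataKey, data), bound to the backup ID
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext || tag.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits off the nonce and authenticates before returning any plaintext.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptBackup runs on-premises before upload. A 256-bit data key is drawn
// per backup, used once, then wrapped under the KEK (envelope encryption).
func EncryptBackup(kek []byte, backupID string, data []byte) (*BackupBlob, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataAEAD, data, []byte(backupID))
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kekAEAD, dataKey, []byte(backupID))
	if err != nil {
		return nil, err
	}
	return &BackupBlob{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptBackup runs on-premises at restore time. A wrong KEK, a wrong backup
// ID, or any modification of the blob fails authentication and yields no data.
func DecryptBackup(kek []byte, backupID string, blob *BackupBlob) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dataKey, err := open(kekAEAD, blob.WrappedKey, []byte(backupID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := open(dataAEAD, blob.Ciphertext, []byte(backupID))
	if err != nil {
		return nil, fmt.Errorf("open backup: %w", err)
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // hypothetical on-premises KEK; never uploaded
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	data := []byte("constructed sample: customer table dump") // stand-in for a real backup
	blob, err := EncryptBackup(kek, "db-nightly-2015-12-01", data)
	if err != nil {
		panic(err)
	}
	// The provider stores only these two opaque byte strings.
	fmt.Printf("uploaded: %d bytes ciphertext, %d bytes wrapped key\n", len(blob.Ciphertext), len(blob.WrappedKey))
	pt, err := DecryptBackup(kek, "db-nightly-2015-12-01", blob)
	fmt.Printf("restored on-premises: %q (err=%v)\n", pt, err)
	blob.Ciphertext[len(blob.Ciphertext)-1] ^= 1 // provider-side corruption or tampering
	_, err = DecryptBackup(kek, "db-nightly-2015-12-01", blob)
	fmt.Println("restore after tampering:", err)
}
```

The residency argument only holds if the KEK genuinely stays local: the moment it is copied into the provider’s key service, the provider (and whoever can compel it) can read the backups. Using the backup ID as associated data also means a restore request must name the blob it expects, which turns a silent substitution of one backup for another into a hard failure.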

In the same session, Layton, when not extolling the impressive scope and effectiveness of Amazon Web Services in the South East Asian region and beyond, discussed other reasons for the arguable disparity between the evident regional interest in cloud services, and the actual uptake of them.

“There are different cultures in different countries, and they have different levels of interest in technology. For example, you’ll see that… people in Singapore are very conservative compared to the Taiwanese. In other countries their IT is not as mature and they’re not as willing to try new things, and that’s simply cultural.”

Cloud industry shaken by European Safe Harbour ruling

The Court of Justice of the European Union has ruled the Safe Harbour agreement between Europe and the US, which provided blanket permission for data transfer between the two, invalid.

Companies looking to move data from Europe to the US will now need to put an alternative legal basis in place for each transfer, which is likely to have a significant impact on all businesses, but especially those heavily reliant on the cloud.

The ruling came about after Austrian privacy campaigner Max Schrems asked to find out what data Facebook was passing on to US intelligence agencies in the wake of the Snowden revelations. When his request was declined on the grounds that the Safe Harbour agreement guaranteed his protection, he contested the decision and it was referred to the Court of Justice.

This decision had been anticipated, and on top of any legal contingencies already made, large players such as Facebook, Google and Amazon are offered some protection by the fact that they have datacentres within Europe. However, the legal and logistical strain will be felt by all, especially smaller companies that rely on US-based cloud players.

“The ability to transfer data easily and securely between Europe and the US is critical for businesses in our modern data-driven digital economy,” said Matthew Fell, CBI Director for Competitive Markets. “Businesses will want to see clarity on the immediate implications of the ECJ’s decision, together with fast action from the Commission to agree a new framework. Getting this right will be important to the future of Europe’s digital agenda, as well as doing business with our largest trading partner.”

“The ruling invalidating Safe Harbour is seismic,” said Andy Hardy, EMEA MD at Code42, which recently secured $85 million in Series B funding. “This decision will affect big businesses as well as small ones. But it need not be the end of business as we know it, in terms of data handling. What businesses need to do now is safeguard data. They need to find solutions that keep their, and their customer’s, data private – even when backed up into public cloud.”

“Symantec respects the decision of the EU Court of Justice,” said Ilias Chantzos, Senior Director of Government Affairs EMEA at Symantec. “However, we encourage further discussion in order to create a strengthened agreement with the safeguards expected by the EU Court of Justice. We believe that the recent ruling will create considerable disruption and uncertainty for those companies that have relied solely on Safe Harbour as a means of transferring data to the United States.”

“The issues are highly complex, and there are real tensions between the need for international trade, and ensuring European citizen data is treated safely and in accordance with data protection law,” said Nicky Stewart, commercial director of Skyscape Cloud Services. “We would urge potential cloud consumers not to use this ruling as a reason not to adopt cloud. There are very many European cloud providers which operate solely within the bounds of the European Union, or even within a single jurisdiction within Europe, therefore the complex challenges of the Safe Harbor agreement simply don’t apply.”

These were just some of the views offered to BCN as soon as the ruling was announced and the public hand-wringing is likely to continue for some time. From a business cloud perspective one man’s problem is another’s opportunity and companies will be queuing up to offer localised cloud services, encryption solutions, etc. In announcing a couple of new European datacentres today Netsuite was already making reference to the ruling. This seems like a positive step for privacy but only time will tell what it means for the cloud industry.

Google says trade agreement amendment hinders security vulnerability research

Google says the US DoC amendments would massively hinder its own security research

Google hit out at the US Department of Commerce and the Bureau of Industry and Security this week over proposed amendments to trade legislation related to the Wassenaar Arrangement, a multilateral export control agreement, arguing they will negatively impact cybersecurity vulnerability research.

The Wassenaar Arrangement is a voluntary multinational agreement between 41 countries intended to control the export of some “dual use” technologies, which include security technologies; its power depends on each country passing its own legislation to align its trade laws with the agreement. The US is among the agreement’s members.

As of 2013, software specifically designed or modified to avoid being found by monitoring tools (“intrusion software”) has been included on that list of technologies. And a recent proposal put forward by the US DoC and BIS to align national legislation with the agreement suggests adding “systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software,” which it says “include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices,” to the list of potentially regulated technologies, as well as “technology for the development of intrusion software,” which “includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.”

Google said the US DoC amendments would effectively force it to obtain thousands of export licences just to be able to research and develop fixes for potential security vulnerabilities, as companies like Google depend on a massive global pool of talent (hackers) that experiment with or use many of the same technologies the US proposes to regulate.

“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” explained Neil Martin, export compliance counsel, Google Legal and Tim Willis, hacker philanthropist, Chrome security team in a recent blog post.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations! BIS’ own FAQ states that information about a vulnerability, including its causes, wouldn’t be controlled, but we believe that it sometimes actually could be controlled information,” the company said.

Google also said the way the proposed amendment is worded is far too vague and proposed clarifying the DoC-proposed amendments as well as the Wassenaar Arrangement itself.

“The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world.”

“If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit,” it said.

Will Chicago’s “cloud tax” affect enterprise cloud services elsewhere?

Chicago is taxing some cloud services, an increasing trend in the US in recent years

Financially troubled and looking to raise funds to plug a swelling hole in the city’s budgets, Chicago recently extended its existing tax laws to levy a 9 per cent surcharge on cloud-based entertainment streaming services like Netflix and Spotify as well as certain software services hosted on cloud platforms in the city. But will the tax laws in Chicago – and elsewhere – soon be stretched to include other cloud services?

The tax law, an extension of existing laws, came from two separate rulings from the City’s Department of Finance. One covers “electronically delivered amusements”, which relates to music, TV and video streaming services like Netflix and Spotify, and another covering “nonpossessory computer leases,” which effectively includes rented storage and compute resources.

The law covering “electronically delivered amusements” doesn’t require those services to be hosted locally (only consumed locally), but the law relating to “nonpossessory computer leases” does, which means local cloud providers are due to collect 9 per cent on their transactions (the exception being when streaming data is in question / interaction with the “rented equipment” is minimal).

The reasoning for the legal reform is simple enough. Cloud is becoming the dominant means by which software and media are delivered and consumed, and as a result web-based vendors are dominating brick-and-mortar outfits, with the city feeling the pressure from a loss of related sales and property tax revenue. Naturally, the city is looking to compensate for that loss with more cash.

Some have suggested this sets a worrying precedent for the way cloud services could be taxed in the US going forward, but some legal experts believe it is not yet clear how the ruling will apply to a wide range of different kinds of cloud services in practice.

“It is likely that we will see more State and local government adopting a tax for certain services to compensate from the loss of revenue from other services that are not generating as much revenue as they did in the past,” Francoise Gilbert, managing director of the IT Law Group told BCN.

A number of US States have already determined they would tax such cloud services as a sale or license of software; information or data processing software; or a digital product or service.

New York, Colorado, Pennsylvania and Utah are all examples of States that have enacted rulings whereby remote access to software via the cloud is taxable if the software is used by an in-State customer; Missouri and Tennessee also extend their tax laws to cloud services that are hosted out of State.

But some of those rulings have been challenged before, and a successful challenge can seemingly depend on how a state defines a cloud service and the level of the stack that offering sits in.

In April this year, for instance, the New York State Department of Taxation (which does tax some cloud services) released an advisory on a case where a company provided infrastructure-as-a-service to a business. The Department found that the service provided by the cloud company is not taxable because it was used by one of the provider’s customers to run their own software application (advertising software).

“In purchasing an instance, a customer is provided with an operating system that is necessary for the instance to interact with Petitioner’s server network. The operating system represents prewritten software. The customer uses the operating system to perform certain administrative functions, such as to download an application, delete an application, or search for a file,” the advisory opinion reads.

“By granting the right to use the third-party operating system, Petitioner is transferring the right to use prewritten computer software within the meaning of § 526.7(e)(4) of the Sales Tax Regulations. However, a customer does not subscribe to Petitioner’s Cloud Computing product in order to use the operating system. Rather, it subscribes to the product in order to run an application of its choosing using Petitioner’s computing power. This makes Petitioner’s Cloud Computing product different from those products where the vendor’s transfer of the right to use prewritten software to the customer is what the customer primarily wants from the vendor.”

The opinion also concludes APIs do not constitute a taxable pre-written software good.

“It is not clear whether the Chicago tax decision will have an effect on cloud computing services in general. For several years, States have examined the different categories of services and have opted, or not, to classify the service as taxable,” Gilbert explained.

But she reaffirmed that States will likely continue looking at cloud services for extra revenue, and that consumers shouldn’t write-off potential unintended consequences of taxing one class of cloud services or another – mainly, more taxation.

USA Freedom Act passes ending bulk data collection

The USA Freedom Act will end the bulk data gathering familiar from the PRISM programme and other NSA initiatives

The USA Freedom Act, a bipartisan bill aimed at reforming the US Patriot Act that would, among other things, end the kind of bulk data collection Edward Snowden revealed two years ago, passed the House of Representatives by a wide margin this week. The move may be welcome news to telcos and cloud service providers alike, many of which lobbied hard for US surveillance reform.

The bill, which passed by 338 votes to 88, ends the bulk collection of communications metadata under various legal authorities, and covers not only telephony metadata collected under Section 215 but also internet metadata that has been or could be collected under other legal authorities.

It will also allow companies to be more transparent about the demands being placed on them by legal authorities, and will create new oversight and accountability mechanisms that will shed more light on the decisions reached by the Foreign Intelligence Surveillance Court (FISC), which has so far operated in a deeply secretive manner and with little interference.

“This bill is an extremely well-drafted compromise—the product of nearly two years of work. It effectively protects Americans’ civil liberties and our national security. I am very proud of the USA Freedom Act and am confident it is the most responsible path forward,” said Jim Sensenbrenner, Republican Representative for Wisconsin’s fifth district.

“If the Patriot Act authorities expire, and the FISC approves bulk collection under a different authority, how would the public know? Without the USA Freedom Act, they won’t. Allowing the PATRIOT Act authorities to expire sounds like a civil libertarian victory, but it will actually mean less privacy and more risk.”

“Let’s not kill these important reforms because we wish the bill did more. There is no perfect. Every bill we vote on could do more,” he added.

Others, including Ted Lieu (D-CA), voted against the proposed reforms because the bill didn’t go far enough.

“While I appreciate a number of the reforms in the bill and understand the need for secure counter-espionage and terrorism investigations, I believe our nation is better served by allowing Section 215 to expire completely and replacing it with a measure that finds a better balance between national security interests and protecting the civil liberties of Americans,” Lieu said.

“Beyond Section 215, I am troubled that the USA Freedom Act would leave in place Sections 505 and 702, provisions that also allow sweeping data collection and backdoor searches circumventing encryption that can result in the collection of information of US citizens not identified in warrants. The loopholes left in place will continue to undermine the trust of the American people.”

“A federal district court struck down the NSA’s spying on Americans and called the NSA PRISM program ‘Orwellian.’ A federal appellate court ruled last week that the NSA’s bulk collection program was illegal. Despite these two court decisions, the NSA continues to operate its unconstitutional and illegal programs.”

Many cloud service providers and telecoms companies have for the past two years (since Snowden’s NSA-related revelations primarily) voiced concerns that failure to reform US surveillance practices could alienate customers both foreign and domestic. Microsoft and Google have been particularly vocal about this in recent months.

Google’s vice president of public policy and government affairs for the Americas, Susan Molinari, trumpeted her support of the bill. She said the bill takes a big step forward in surveillance reform “while preserving important national security authorities.”

“It ends bulk collection of communications metadata under various legal authorities, allows companies like Google to disclose national security demands with greater granularity, and creates new accountability and oversight mechanisms.”

“The bill’s authors have worked hard to forge a bipartisan consensus, and the approved bill is supported by the Obama Administration, including the intelligence community. The bill now moves to the other side of the Capitol, and we hope that the Senate will use the June 1 expiration of Section 215 and other legal authorities to modernize and reform our surveillance programs, while recognizing the importance of protecting Americans from harm,” she added.

US-based telco Verizon declined to comment on the passage of the bill.

ISO 27018 and protecting personal information in the cloud: a first year scorecard

ISO 27018 has been around for a year - but is it effective?

A year after it was published, ISO 27018 – the first international standard focusing on the protection of personal data in the public cloud – continues, unobtrusively and out of the spotlight, to move centre stage as the battle for cloud pre-eminence heats up.

At the highest level, this is a competitive field for those with the longest investment horizons and the deepest pockets – think million square foot data centres with 100,000+ servers using enough energy to power a city.  According to research firm Synergy, the cloud infrastructure services market – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and private and hybrid cloud – was worth $16bn in 2014, up 50 per cent on 2013, and is predicted to grow 30 per cent to over $21bn in 2015. Synergy estimated that the four largest players accounted for 50 per cent of this market, with Amazon at 28 per cent, Microsoft at 11 per cent, IBM at 7 per cent and Google at 5 per cent.  Of these, Microsoft’s 2014 revenues almost doubled over 2013, whilst Amazon’s and IBM’s were each up by around half.

Significantly, the proportion of computing sourced from the cloud compared to on-premise is set to rise steeply: enterprise applications in the cloud accounted for one fifth of the total in 2014 and this is predicted to increase to one third by 2018.

This growth represents a huge increase year on year in the amount of personal data (PII, or personally identifiable information) going into the cloud and in the number of cloud customers contracting for the various and growing types of cloud services on offer. But as the cloud continues to grow at these startling rates, the biggest inhibitor to cloud services growth – trust in the security of personal data in the cloud – continues to hog the headlines.

Under data protection law, the Cloud Service Customer (CSC) retains responsibility for ensuring that its PII processing complies with the applicable rules.  In the language of the EU Data Protection Directive, the CSC is the data controller.  In the language of ISO 27018, the CSC is either a PII principal (processing her own data) or a PII controller (processing other PII principals’ data).

Where a CSC contracts with a Cloud Service Provider (CSP), Article 17 of the EU Data Protection Directive sets out how the relationship is to be governed. The CSC must have a written agreement with the CSP; must select a CSP providing ‘sufficient guarantees’ over the technical security measures and organizational measures governing PII in the cloud service concerned; must ensure compliance with those measures; and must ensure that the CSP acts only on the CSC’s instructions.

As the pace of migration to the cloud quickens, the world of data protection law continues both to be fragmented – 100 countries have their own laws – and to move at a pace driven by the need to mediate all competing interests rather than the pace of market developments.

In this world of burgeoning cloud uptake, ISO 27018 is proving effective at bridging the gap between the dizzying pace of cloud market development and the slow and uncertain rate of legislative change by providing CSCs with a workable degree of assurance in meeting their data protection law responsibilities.  Almost a year on from publication of the standard, Microsoft has become the first major CSP (in February 2015) to achieve ISO 27018 certification for its Microsoft Azure (IaaS/PaaS), Office 365 (PaaS/SaaS) and Dynamics CRM Online (SaaS) services (verified by BSI, the British Standards Institution) and its Microsoft Intune SaaS services (verified by Bureau Veritas).

In the context of privacy and cloud services, ISO 27018 builds on other information security standards within the ISO 27000 family. This layered, interlocking approach is proving supple enough in practice to deal with the increasingly wide array of cloud services. For example, it is not tied to any particular kind of cloud service and, as Microsoft’s certifications show, applies to IaaS (Azure), PaaS (Azure and Office 365) and SaaS (Office 365 and Intune). If, as shown in the graphic below, you consider computing services as a stack of layered elements ranging from networking (at the bottom of the stack) up through equipment and software to data (at the top), and that each of these elements can be carried out on premise or from the cloud (from left to right), then ISO 27018 is flexible enough to cater for all situations across the continuum.

Software as a Licence to Software as a Service: the Cloud Continuum

Indeed, the standard specifically states at Paragraph 5.1.1:

“Contractual agreements should clearly allocate responsibilities between the public cloud PII processor [i.e. the CSP], its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture).  For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications.”

Equally, CSPs will generally not know whether their CSCs are sending PII to the cloud and, even if they do, they are unlikely to know whether or not particular data is PII. Here, another strength of ISO 27018 is that it applies regardless of whether particular data is, or is not, PII: certification simply assures the CSC that the service the CSP is providing is suitable for processing PII, in relation to the CSP’s performance of its PII legal obligations.

Perhaps the biggest practical boon to the CSC however is the contractual certainty that ISO 27018 certification provides.  As more work migrates to the cloud, particularly in the enterprise space, the IT procurement functions of large customers will be following structured processes in order to meet the requirements of their business and, in certain cases, their regulators. In their requests for information, proposals and quotations from prospective CSPs, CSCs now have a range of interlocking standards including ISO 27018 to choose from in their statements of requirements for a particular Cloud procurement.  As well as short-circuiting the need for CSCs to spend time in writing up detailed specifications of their own requirements, verified compliance with these standards for the first time provides meaningful assurance and protection from risk around most aspects of cloud service provision. Organisations running competitive tenders can benchmark bidding CSPs against each other on their responses to these requirements, and then include as binding commitments the obligations to meet the requirements of the standards concerned in the contract when it is let.

In the cloud contract lifecycle, the flexibility provided by ISO 27018 certification, along with the contract and the CSP’s policy statements, goes beyond this to provide the CSC with a framework to discuss with the CSP on an ongoing basis the cloud PII measures taken and their adequacy.

In its first year, it is emerging that complying, and being seen to comply, with ISO 27018 is providing genuine assurance for CSCs in managing their data protection legal obligations.  This reassurance operates across the continuum of cloud services and through the procurement and contract lifecycle, regardless of whether or not any particular data is PII.  In customarily unobtrusive style, ISO 27018 is likely to go on being a ‘win’ for the standards world, cloud providers and their customers, and data protection regulators and policy makers around the world.