Cloud Services and protection of privacy: Proposal for EU “CLOUD SEAL”


Today it is an undeniable fact that “Cloud” Services are present in the plans of most businesses and public and private entities as a serious alternative to consider.
“Cloud” Services are characterized by a number of intrinsic qualities: they are efficient, convenient, secure and inexpensive, so that in terms of flexibility, ubiquity, security and cost savings they are a proposal that many organizations are choosing.
However, they also bring a number of risks regarding compliance with EU laws on the protection of personal data. These risks are concentrated, among others, in two main aspects.
The first is determined by the consideration of the service provider as a “Data Processor”, as specified under Spanish law (Organic Law 15/1999, the Data Protection Act) and EU law (Directive 95/46/EC). On this matter there seems to be consensus among the key privacy professionals gathered in APEP (the Spanish Professional Association of Privacy) that the “Cloud” service provider normally acts as a “Data Processor”.
The second is determined by the very concept of “Cloud” Services, which are international by nature in where they store and process customer data. The globalization of “Cloud” Services forces providers to have multiple data centers spread around the world, with load balancing between them to offer better response times, and subject to operational incidents such as Data Center outages caused by hardware or software failures, by interconnection lines and Internet access, or by critical situations related to weather, fire, flood or terrorism, as well as intrusion by hackers.
These contingencies are well resolved by the “Cloud” service providers with replication and switching between centers that act “near” instantaneously, making it transparent to the user, who continues to receive service without interruption or significant delays.
Precisely this feature of continuous service introduces an uncertainty principle about the location and processing of the data: one can know where the data is at the moment it is checked, but no one can predict where it will be within 10 minutes.
These issues, inherent to the safety, efficiency and continuity of “Cloud” services, introduce the risk of making an “International Data Transfer” to non-EU countries, or to countries without an “equivalent protection” qualification, without the mandatory authorization of the National Authority for Data Protection (in Spain, the Spanish Agency for Data Protection), or without applying the mechanisms provided under EU legislation by means of “contractual clauses” or BCR (Binding Corporate Rules).
How can security of EU compliance be provided to customers who want to contract “Cloud” services?
Entities that are considering contracting “Cloud” services normally face adhesion contracts in which it is impossible to modify the clauses; it is common for them to bind the customer to the jurisdiction of non-EU countries, and they probably (maybe not in all cases; each one would have to be studied individually) do not take into account the European regulations for the protection of privacy or the customer's obligation to respect EU law.
There are many vendors of “Cloud” Services. But what should a prospective customer do to make sure that their provider will meet EU regulations?
Well, the customer faces a problem with no easy solution, which in principle consists of finding a provider that has this situation resolved, making sure the “Cloud” service provider respects EU laws, and accepting the risk of making a wrong choice and being involved in an infringement procedure.
CLOUD PRIVACY SEAL – LEGITEC PROPOSAL TO THE EUROPEAN COMMISSION AND TO THE WORKING PARTY ART. 29:
The European Commission and the U.S. Government have established a “Safe Harbor” agreement, which facilitates the exchange of information by easing the authorization mechanisms provided in EU legislation. This agreement establishes a series of measures to protect the personal data of EU citizens processed by EU-USA companies, whether accessed within a corporate group's subsidiaries or through services contracted in the USA by EU businesses.
USA companies can adhere to this agreement, and internal or external audits must provide the mechanisms for enforcement.
The main features of the Safe Harbor agreement in relation to what is proposed in this paper are:
- It is an agreement between governments: EU-USA
- It refers to a specific geographic area where data transfers and processing take place: EU and USA
- It does not limit the types of data processed or the processing carried out.
Now we take the philosophy of the Safe Harbor agreement and transform it into another way of approaching a practical, convenient solution for contracting “Cloud” services by EU businesses.
PROPOSAL:
A. Transforming the SAFE HARBOR philosophy from specific geographical states to a global geographic scope.
B. Transforming the SAFE HARBOR philosophy from an agreement between governments to an agreement between the EU and Cloud Services Companies.
Therefore:
- The EU establishes the “framework” and the requirements for “Cloud” services, which are obliged to comply with EU regulations on the protection of personal data.
- The EU establishes mechanisms for audit and certification, or self-audit/self-certification, by the “Cloud” service providers.
- The EU establishes a “Seal” named “EU Cloud Privacy Safety Partner”, or a similar title.
- The EU enables a website where everyone can see the list of companies participating in the program, the cloud services provided, the validity of the “Seal”, and the list of companies that have had the “Seal” removed.
- The EU requires annual audits, either external or internal, to verify “compliance” with the requirements of the “Seal”.
- Any company in the world that offers “Cloud” services could adhere to this “Seal” if it meets the requirements.
Thus, EU companies could contract these “Cloud” service companies with high confidence that they are trusted providers; EU companies could also demonstrate diligence in complying with EU regulations on data protection, especially due diligence in the choice of “Cloud” service provider, and compliance regarding international data transfers.

Copyright: © Vicente Moncholi Cebrián – December-2011
CEO Moncholi-Checa y Asociados S.L. – Legitec Consultores y Auditores S.L.
Twitter: @VMoncholi – @legitec    Facebook: legitec    Web: www.legitec.com

Author: Manuel Moreno Aliaga

CISA, CISM, LA ISO27001.
