Israeli Law Information and Technology Authority. Privacy and Data Security in the Cloud - The Israeli Perspective

Size: px

Start display at page:

Download "Israeli Law Information and Technology Authority. Privacy and Data Security in the Cloud - The Israeli Perspective"

Abel Flowers
8 years ago
Views:

1 הרשות למשפט, טכנולוגיה ומידע Israeli Law Information and Technology Authority Privacy and Data Security in the Cloud - The Israeli Perspective Amit Ashkenazi, Head of the Legal Department

2 Outline Introduction The Israeli Data Protection regime ILITA and ILITA s regulatory strategy Setting the ground for the cloud Outsourcing in general Transfer Abroad regime Data Protection compliance in the cloud Identifying cloud specific legal and technical risk areas Mitigating risks through legal and technical measures 2

Transfer Abroad regime Data Protection compliance in the cloud Identifying cloud

3 Introduction OUTLINE 3

4 Data protection in Israel Basic law: Human Dignity and Liberty, Paragraph 7 The Protection of Privacy Act of 1981 Chapter A Privacy Torts and offenses Chapter B Regulation of databases collection and processing of PII - Reducing risks of misuse of collection and processing of PII Israel Data Protection regime found adequate according to EU Directive 4

Regulation of databases collection and processing of PII - Reducing risks of misuse of

5 ILITA ILITA set up in 2006 Regulatory functions according to three laws Protection of Privacy Act - Credit Information Services - Electronic Signature Head of ILITA (Data Protection Commissioner) Legal Department Enforcement Department Registration and Supervision Department 5

Electronic Signature Head of ILITA (Data Protection Commissioner)

6 Setting the ground for the cloud - Outsourcing and Cross border transfers OUTLINE 6

7 Outsourcing Guideline (1) Controller s duties: Article 17 Information Security Protection of Privacy Regulations 2 nd Draft of Protection of Privacy Regulations (Information Security) Preliminary analysis Description of the service and data involved Internal coordination Privacy analysis risks and measures Privacy by design Budget to include costs of protective measures 7

Preliminary analysis Description of the service and data involved Internal coordination

8 Outsourcing Guideline (2) Contract Checking and managing conflicts of interest Purposes of processing defined in clear terms. Access rules. Information security Personnel and training Communication and coordination mechanisms as part of the service. Effective sanctions Contract termination Monitoring compliance 8

Information security Personnel and training Communication and coordination

9 Cross-border Transfers - Overview Three specific requirements Notifying the transfer (section 9(b)(4) and (d) to the PPA) A base for transfer according to the Regulations* Adequate style country OR Other specific bases A written undertaking by the importer to the exporter regarding measures to protect privacy according to the Regulations. * Privacy Protection (Transfer of Data to Databases Abroad) Regulations,

bases A written undertaking by the importer to the exporter regarding measures to protect privacy

10 Cross-border Transfers (2) Regulation 2 - Bases for transfer Adequate style country OR Other specific bases Consent Protection of vital interest of the data subject To a company controlled by the database owner. According to an agreement A transfer to a country which is Part of the COE 108. Imports data from EU members under the same terms. 10

company controlled by the database owner.

11 The Cloud OUTLINE 11

12 Cloud challenges Technological challenges Virtualization Risks Network Risks Mutual Tenancy Risks Monitoring i data usage Legal challenges Standard form contracts Cross border transfers Monitoring compliance 12

Risks Monitoring i data usage Legal challenges

13 Uniformity and Transparency Challenges 13

14 Looking for a Solution - NIST 14

15 Looking for a Solution - ENISA 15

16 Accountability and the cloud An enhanced accountability model Forcing high level management awareness by procedural means. Mandating contracts and commitments (fashioned after EU model contractual clauses) A basic outsourcing framework PLUS [Choice of law] [Jurisdiction] Special measures to mitigate relevant risks. Understanding cloud specific risks Implementing relevant measures. Using industry best practices [i.e. NIST, CSA, ENISA, etc.] 16

Mandating contracts and commitments (fashioned after EU model contractual clauses) A basic outsourcing

17 Workflow Accountability - example Preliminary Actions Choose service model and check privacy implications Assess cloud service provider Assess control in the service model Ongoing Ias, Pas, SaS Private vs. public Encryption Separating access control Verify all contractual requirements are addressed in the SLA, including data protection and privacy issues Managing access control. Monitoring. Information security audits 17

public Encryption Separating access control Verify all contractual requirements are addressed in the SLA,

18 The Israeli Law Information and Technology Authority Amit Ashkenazi, Head of the Legal Department 18

The problem of cloud data governance

The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in