Privacy Implications of Cloud Computing in Israel

Transcription

1 January 2012 Privacy Implications of Cloud Computing in Israel Adv. Naomi Assia Co-chairman of the Data Protection Committee -ITECHLAW

2 Cloud Computing One widely accepted definition of Cloud Computing has been offered by the U.S National Institute of Standards and Technology (NIST): Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g. servers, storage, networks, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.

3

4 Cloud Computing Vendors and Service Providers are investing in solutions and services in terms of efficiency gains, cost reduction, productivity and scalability. Many technical, commercial and legal issues will require a thorough examination.

5 Cloud Computing A great deal of information that once stored on local computer hard drives is now being stored on remote servers, sometimes referred to the Clouds. Outsourcing of data processing functions to servers which are connected via the internet. Cloud Computing cover peaks in demand that overburden internal IT infrastructures.

6 Types of Cloud Services SaaS (Software as a Service)- application software that is not installed on the local computer but is made available as needed through external servers. IaaS (Infrastructure as a Service)- allows the cloud services provider to host entire IT infrastructure. PaaS (Platform as a Service)- allows the cloud provider to access the entire data processing environment, device management and database controller software. Storage as a Service- data backup and archiving services.

7 Moving into Cloud Computing Things to be considered Internal IT Security Controls Data processing on the cloud brings with it an inherent level of risk due to the bypass of the physical, logical, personal and technical controls of the internal IT personal. Server Elasticity Servers hosting personal data may be reconfigured or decommissioned frequently to accommodate capacity requirements. This means that the person/entity which uses Cloud Services can never be sure where the data resides at a given time.

8 Moving into Cloud Computing Things to be considered (continue) Compliance with Laws and Regulations Companies are ultimately responsible for the security and integrity of data entrusted to them, even when the data is stored in the Cloud.

9 Moving into Cloud Computing Things to be considered (continue) Monitoring Cloud Providers administrators Encryption, tokenizations, masking, auditing and monitoring can reduce the risk of an unauthorized use by the Cloud Service Provider. Physical Infrastructure It is important to determine the physical security measurements that the Cloud Services Provider should implement in the physical place of which the data is being stored.

10 Cloud Services Legislation Today, there is lack of worldwide legislation for drafting Cloud Services Agreements. On the other hand, there is a widespread legislation with regard to the outcome of such Cloud Services Agreements mainly in Privacy and Data Protection issues.

11 ISRAEL - Legislation The Israeli Law, Information and Technology Authority (ILITA), was established by the Ministry of Justice of Israel on September 2006 to become Israel's data protection authority. ILITA missions are, among other, to reinforce personal data protection and increase the enforcement of privacy and IT-related offences

12 ISRAEL - Legislation The adequacy of Israeli data protection law Following a detailed assessment of Israel s data protection law, at its December 2009 meeting, the Article 29 Working Party (which consists of EU data protection authorities) deemed Israel s law to be adequate. Data controller within the European Economic Area can now transfer personal data to Israel wthout breaching the EU data protection Directive s restriction on the transfer of personal data to third countries.

13 ISRAEL - Regulation While using Cloud Services, information may be also transferred to an overseas entities and kept on overseas servers. Such information can contain sensitive and confidential information of the Cloud Services consumers or even third parties information which is stored on the Cloud Services consumers databases.

14 ISRAEL - Regulation Legally, submitting sensitive or confidential information for storage or processing to a Cloud Service Provider, will not dismiss the service consumer from its obligation or responsibility to protect the information in accordance with the Privacy and Data Protection laws, regulations and agreements. An Israeli consumer of Cloud Services is subjected also to the foreign legislation of the Cloud Service Provider.

15 ISRAEL applicable legislation Protection of Privacy Act 1981 Protection of Privacy (Transfer of Data Abroad) Regulations. Protection of Privacy (conditions for keeping, safeguarding and transferring information between public bodies) Regulations. Database Registrar instruction 2/2011* the use of outsource services for personal information processing. * According to the 2/2011 instruction, the Database Registrar will issue a specific instruction for Cloud Computing which will complete the 2/2011 instruction. The 2/2011 Instruction will become valid and enforceable from May 19 th 2012.

16 Database Registrar Instruction 2/2011 Background Section B to the Protection of Privacy Act of 1981 (the Law ) regularizes the authorized use of personal information and determines the liability for prevention of misuse, leakage or theft of the information. While using Cloud Services it is important to pre-evaluate the level of the data sensitivity. The liabilities according to the Law on database s owner and/or database s holder, shall apply also while using Cloud Services.

17 Database Registrar Instruction 2/2011 (continue) Instruction - summary Preliminary exam of Cloud Service (scope and service model) The Service Provider - proved experience in processing personal data, background check and reputation, preliminary check for conflict of interests or the possibility for misuse of the stored information. Drafting the Cloud Services Agreement according to the applicable laws of the parties and the place which the servers are being stored.

18 Database Registrar instruction 2/2011 Instruction summary (continue) Data Protection and controlling the Cloud Services Provider activity. Determine the rights of the Data Subjects to review and make amendments to the data. To determine the period which the personal data is being stored with the service provider and the mechanism for data elimination.

19 Cloud Services Agreements As in any multinational agreements, the parties should determine the jurisdiction and governing law. Determining the above will not release the parties from other enforceable local laws and regulations with regard to Privacy and Data Protection issues. Also the place of which the servers are being stored have a significant influence on the parties responsibilities while executing the agreement.

20 Cloud Services Agreements (continue) Any database (as defined in the Israeli Privacy Protection Act of 1981) transfer to an overseas server, is subjected to the Protection of Privacy (Transfer of Data Abroad) Regulations and thus the transfer should be only to a server located in countries with adequate legislation. Cloud Services Agreements should include specific clauses which shall determine the responsibilities of the Cloud Service Provider for confidentiality, privacy and data protection and shall also determine controlling and reporting mechanism to verify standing by to the responsibilities.

21 The Business Software Alliance (BSA) has presented its Cloud Computing Policy Agenda for the EU. BSA identifies 10 concrete policy actions to boost users privacy and security in the cloud. The actions are aimed to promote the development of necessary standards and infrastructures and ensure an adequate degree of regulatory clarity in EU Cloud Computing Services.

22 Privacy and Data Transfer In order for Cloud Computing Services to develop to their full potential, it is essential to harmonize EU s data protection framework across the EU. That review provide the opportunity to clarify the rules related to privacy and data protection with regard to Cloud Computing. That should include a single definition of Personal Data across the EU and a simplified Data Protection Authority notification system. Efforts to clarify the applications of data retention rules across the EU would ensure a single, coherent and cost effective retention period within the EU market.

23 At the World Economic Forum in Davos on 2011, Neelie Kroes, VP of the EU Commission responsible for the Digital Agenda, reaffirmed that facilitating the take up of cloud computing is a priority in the EU, as it will help a new generation of services to emerge and to boost economic growth across a wide range of sectors.

24

25 CLOUD COMPUTING Overview of the responses given by ITECHLAW (France) and AFDIT to some of the issues raised in the CNIL open consultation of 17 October to 17 November 2011 Claire Bernier - ALTANA - Co-founding Partner Co-chairman of the Data Protection Committee - ITECHLAW Co-local representative for France - ITECHLAW Chairman of the Data Protection Commission - AFDIT Member of the Board - AFDIT cbernier@altanalaw.com

26 Definition of Cloud Computing

27 Creation of a specific legal status for Cloud providers? The CNIL is considering the creation of a specific legal status for Cloud providers Response from ITECHLAW and AFDIT: The creation of a specific legal status for Cloud providers is not necessary: The French Data Protection Act (loi informatique et libertés) excludes Cloud providers from any liability relating to obligations incumbent on data controllers. The various provisions currently laid down in French law, with regard to both the specific provisions contained in the French Data Protection Act(Articles 34 and 35) and criminal law and civil law (contract and tort), already cover the various situations that could arise in the context of Cloud computing services. Cloud providers are bound by all obligations incumbent on IT solution providers, including in particular a duty to provide full information regarding the service ( obligation d information ), a duty to give advice and due warning ( obligation de conseil et de mise en garde ) and a duty to render the data secure and confidential. Any increase in the number of services provided must not result in the transformation of the Cloud provider into a data controller (while the purpose of the data processing and the means implemented are unknown to the client, they are accepted by the latter and implemented at his/her instruction on his/her behalf). Suggestions by ITECHLAW and AFDIT: Given the client s lack of knowledge and/or control over the technical means implemented, it should be looked at how could be reinforced the Cloud provider s obligations and its liability broaden.

28 Applicable law with respect to Cloud computing providers The CNIL raises the question as to applicable law Response from ITECHLAW and from AFDIT: In terms of criminal law: French criminal law is applicable to both data controllers and sub-contractors where: One of the essential elements of the offence is committed on French territory (Cf. Article of the French Criminal Code [Code pénal]) The victim is French at the time of the offence (Cf. Article of the Criminal Code) The offence is committed outside French territory but by a French national and the acts are punishable by the legislation of the country in which they are committed (Cf. Article of the Criminal Code). In terms of civil law: The parties to a contract for the provision of a Cloud solution can include a choice of forum clause with a clause attributing jurisdiction. In the absence of such provisions in the contract, the French court before which the dispute is brought applies the provisions laid down in private international law, referring in particular to Article 4 of the Rome I Regulation, which provides that where the parties have not chosen the applicable law for the contract, the latter is governed by the law of the country relating most closely thereto. The contract is generally presumed to be most closely related to the country in which the party providing the characteristic performance of the contract has its habitual residence at the time the contract is entered into. Some service providers have, in the absence of international agreement on the matter, proposed that the characteristic performance of a Cloud should be the place where the servers are geographically localised and that, consequently, the law of the country in which the servers are located should apply. Observations by ITECHLAW and AFDIT: These solutions do not appear adequate with respect to Cloud because: clients are generally bound by membership agreements, clients would have to face high costs in order to defend their rights due to the high level of legal uncertainly surrounding the determination of applicable law. In terms of tort, the question remains unresolved by applicationof the conflict-of-law rules laid down in the Rome II Regulation.

29 Obligation to conduct a prior risk analysis? The CNIL would like data controllers to perform a risk analysis in order to assess the impact of resorting to a Cloud solution Response from ITECHLAW and AFDIT: From an economic point of view: imposing a legal risk analysis obligation on data controllers risks to make them incurring significant costs, which would contradict Cloud s primary aim, i.e. to rationalise costs. From a legal standpoint: If the risk analysis is conducted by a third party, the Cloud provider could rely on said analysis and seek for the liability of the third party that conducted it in order to avoid its duties to give advice and due warning. If the risk analysis is carried out by the provider itself: possibility that the service provider seeks to minimise the real risks incurred, a situation that would only be revealed in the event of a dispute and that would be difficult to dispute out of court, incurring therefore very high costs (expertise, etc.).

30 Questions?