הרשות למשפט, טכנולוגיה ומידע Israeli Law Information and Technology Authority Privacy and Data Security in the Cloud - The Israeli Perspective Amit Ashkenazi, Head of the Legal Department
Outline Introduction The Israeli Data Protection regime ILITA and ILITA s regulatory strategy Setting the ground for the cloud Outsourcing in general Transfer Abroad regime Data Protection compliance in the cloud Identifying cloud specific legal and technical risk areas Mitigating risks through legal and technical measures 2
Introduction OUTLINE 3
Data protection in Israel Basic law: Human Dignity and Liberty, Paragraph 7 The Protection of Privacy Act of 1981 Chapter A Privacy Torts and offenses Chapter B Regulation of databases collection and processing of PII - Reducing risks of misuse of collection and processing of PII Israel Data Protection regime found adequate according to EU Directive 4
ILITA ILITA set up in 2006 Regulatory functions according to three laws Protection of Privacy Act - Credit Information Services - Electronic Signature Head of ILITA (Data Protection Commissioner) Legal Department Enforcement Department Registration and Supervision Department 5
Setting the ground for the cloud - Outsourcing and Cross border transfers OUTLINE 6
Outsourcing Guideline (1) Controller s duties: Article 17 Information Security Protection of Privacy Regulations 2 nd Draft of Protection of Privacy Regulations (Information Security) Preliminary analysis Description of the service and data involved Internal coordination Privacy analysis risks and measures Privacy by design Budget to include costs of protective measures 7
Outsourcing Guideline (2) Contract Checking and managing conflicts of interest Purposes of processing defined in clear terms. Access rules. Information security Personnel and training Communication and coordination mechanisms as part of the service. Effective sanctions Contract termination Monitoring compliance 8
Cross-border Transfers - Overview Three specific requirements Notifying the transfer (section 9(b)(4) and (d) to the PPA) A base for transfer according to the Regulations* Adequate style country OR Other specific bases A written undertaking by the importer to the exporter regarding measures to protect privacy according to the Regulations. * Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 9
Cross-border Transfers (2) Regulation 2 - Bases for transfer Adequate style country OR Other specific bases Consent Protection of vital interest of the data subject To a company controlled by the database owner. According to an agreement A transfer to a country which is Part of the COE 108. Imports data from EU members under the same terms. 10
The Cloud OUTLINE 11
Cloud challenges Technological challenges Virtualization Risks Network Risks Mutual Tenancy Risks Monitoring i data usage Legal challenges Standard form contracts Cross border transfers Monitoring compliance 12
Uniformity and Transparency Challenges 13
Looking for a Solution - NIST 14
Looking for a Solution - ENISA 15
Accountability and the cloud An enhanced accountability model Forcing high level management awareness by procedural means. Mandating contracts and commitments (fashioned after EU model contractual clauses) A basic outsourcing framework PLUS [Choice of law] [Jurisdiction] Special measures to mitigate relevant risks. Understanding cloud specific risks Implementing relevant measures. Using industry best practices [i.e. NIST, CSA, ENISA, etc.] 16
Workflow Accountability - example Preliminary Actions Choose service model and check privacy implications Assess cloud service provider Assess control in the service model Ongoing Ias, Pas, SaS Private vs. public Encryption Separating access control Verify all contractual requirements are addressed in the SLA, including data protection and privacy issues Managing access control. Monitoring. Information security audits 17
The Israeli Law Information and Technology Authority www.ilita.justice.gov.il ilita@justice.gov.il Amit Ashkenazi, Head of the Legal Department 18