Link to the previous article: Cloud: how to evaluate a contract - A lawyer's advice

If you are planning to use a Cloud service, then pay attention to certain aspects. In the previous issue we covered contractual clauses. Today we’ll deal about privacy defense.

 

Privacy and data protection by part of a Cloud Provider is one of the most delicate topic when agreeing on a contract. When choosing a cloud service, you authorize the provider to manage your data (your own or your clients’), in addition to let them on the provider’s infrastructure.Needless to say that it’s very important to understand, when choosing the provider, what kind of rules he’s subject to, what kind of guarantees he must provide and how he can manage your data, also on a privacy perspective.

A recent study conducted by ABI and CIPA called “Rilevazione sull’IT nel sistema bancario italiano – Il cloud e le banche. Stato dell’arte e prospettive” (“Identification of IT in the italian banking system - Cloud and banks. State of the art and perspective”), published in May 2016, revealed that the guarantees about privacy and data security are of fundamental importance by 100% of the interviewed (on par with experience in the sector, and much more than any other factor). On the other hand, only in half the cases banks have found a correspondece in the service offered by providers, which signals that the topic is important and requires an in-depth analysis.

One of the biggest problems in terms of Cloud is the role of providers in the treatment of data given to the user in the cloud and the guarantee of compliance with privacy rules. As for us, the Garante per la Privacy (the italian data protection authority) gave indication about duties and responsibilities of the parts in data treatment (owner and responsible), also with regards to the transfer of extraUE data (2012 mini-guide: “Proteggere i dati per non cadere dalle nuvole” which can be found here).

The owner of data treatment is, according to the italian d.lgs 196/03, the user itself which will find that the provider is the responsible of the treatment (ie, according to the law definition, the subject “accountable for the treatment of personal data”).

The responsible will, among the other things, “provide data treatment by respecting the instructions provided by the owner who, also by means of periodic tests, will monitor the compliance of the orders in terms of treatment and instructions”. It’s quite evident how the owner can hardly, in the Cloud context, monitor, test and provide instructions to the provider. Note that by naming the provider as responsible of the treatment, the owner won’t be freed from responsibilities in terms of privacy rules violation: in case of violations committed by the provider, the owner/user too will be held responsible for any possible illicit.

Therefore, while waiting for the new European discipline to become law, pay a lot of attention to the choice of the Cloud Provider, to the localization of data centres (in Europe), to the compliance of the treatment with the laws in terms of privacy and, in general, to the privacy policy adopted by the provider (also with respect to the minimum security action described by d.lgs. 196/03 and to an adequate technical and organizational security level, a quick notification of potential abusive accesses and to patrimonial guarantees in case of illegal diffusion or leak of data).

Last May the new European guideline on privacy (defined as Data Protection) got published in order to align to european and national rules. We now list some news that can have a substantial impact on Cloud service.

The guideline, which will become enforceable by 2018, contains a unitary discipline which will substitute national laws, thus resolving the problem of what laws to apply when dealing with Cloud services characterized by the internationality of subjects and locations. The new regulation will also be enforceable to extra-UE companies that provide services within the European Union following the data subject criteria: it’s clear that it’s a guarantee for the user as foreign providers providing services to european clients will be subject to the new european law.

The figure of Joint Controllers is particularly useful when it comes down to cloud providers responsibilities about privacy defense. In the same habit ot data treatment, there could be two owners or co-owners (the user and the provider) that will share responsibilities with a pre-defined agreement that will be the reference in case of audits, violations or controversy.

Within the new guidelines the recognized right of data portability when changing provider, the principle of accountability (ie the commitment of the provider in demonstrating the suitability and efficiency of the measures adopted in terms of security and defense with respect to the very same rules), the duties in case of data breaches notification (ie the timely notification to authorities and to the affected party of incorrect or wrong data treatments) and the adoption of pre-defined principles when planning new products and services (privacy by design) will hold as well.
We will observe how the new guideline will concretely influence the development of the Cloud.

Lastly, in August 2014 the international certification Authority ISO published the ISO/IEC 27018:2014 guideline, a set of rules and international principles, a standard specifically elaborated for Cloud services providers, built on top of previous standards (ISO 27001 and 270001), verifiable by third parties which guarantee that providers adhering to it are compliant with the European laws in terms of privacy.
Therefore, when choosing a partner provider, it can be useful to note if ISO standards are present.

Other aspects related to Cloud Services are security and secrecy of data in terms not just of privacy defense but also of reserved contents and company properties to safeguard, which is the topic we will cover in the next issue.