Link to the previous article: Cloud: how to evaluate a contract - A lawyer's advice

If you are planning to use a Cloud service, pay attention to certain aspects. In the previous issue we covered contractual clauses. Today we deal with privacy protection.


Privacy and data protection on the part of a Cloud Provider is one of the most delicate topics when agreeing on a contract. When choosing a cloud service, you authorize the provider to manage your data (your own or your clients’), in addition to hosting them on the provider’s infrastructure. Needless to say, it is very important to understand, when choosing the provider, what rules it is subject to, what guarantees it must provide and how it may handle your data, also from a privacy perspective.

A recent study conducted by ABI and CIPA called “Rilevazione sull’IT nel sistema bancario italiano – Il cloud e le banche. Stato dell’arte e prospettive” (“Survey on IT in the Italian banking system - Cloud and banks. State of the art and perspectives”), published in May 2016, revealed that guarantees about privacy and data security are of fundamental importance for 100% of respondents (on par with experience in the sector, and far ahead of any other factor). On the other hand, only in half the cases did banks find a corresponding offer from providers, which signals that the topic is important and requires in-depth analysis.

One of the biggest problems with the Cloud is the role of providers in the treatment of the data that users entrust to the cloud, and the guarantee of compliance with privacy rules. As far as Italy is concerned, the Garante per la Privacy (the Italian data protection authority) has given guidance on the duties and responsibilities of the parties involved in data treatment (owner and responsible, i.e. controller and processor), also with regard to the transfer of data outside the EU (2012 mini-guide: “Proteggere i dati per non cadere dalle nuvole”, which can be found here).

Under Italian d.lgs 196/03, the owner of the data treatment (titolare del trattamento, the data controller) is the user itself, while the provider is the responsible of the treatment (responsabile del trattamento, the data processor, i.e., in the words of the law, the subject “accountable for the treatment of personal data”).

The responsible (the provider) must, among other things, “provide data treatment by respecting the instructions provided by the owner who, also by means of periodic tests, will monitor the compliance of the orders in terms of treatment and instructions”. It is evident that, in a Cloud context, the owner can hardly monitor, test and give instructions to the provider. Note that appointing the provider as responsible of the treatment does not free the owner from liability for violations of privacy rules: in case of violations committed by the provider, the owner/user too will be held responsible for any unlawful act.

Therefore, while waiting for the new European rules to become law, pay close attention to the choice of Cloud Provider, to the location of the data centres (in Europe), to the compliance of the treatment with privacy laws and, in general, to the privacy policy adopted by the provider (also with respect to the minimum security measures described by d.lgs. 196/03, to an adequate technical and organizational security level, to prompt notification of potential unauthorized accesses and to financial guarantees in case of unlawful disclosure or leak of data).

Last May the new European regulation on privacy (referred to as Data Protection) was published, with the aim of aligning European and national rules. Here are some of the new provisions that can have a substantial impact on Cloud services.

The regulation, which will become enforceable by 2018, contains a single set of rules that will replace national laws, thus resolving the problem of which law applies to Cloud services, characterized as they are by the international nature of the parties and locations involved. The new regulation will also apply to non-EU companies that provide services within the European Union, under the data subject criterion: this is clearly a guarantee for the user, as foreign providers serving European clients will be subject to the new European law.

The figure of Joint Controllers is particularly useful when it comes to cloud providers’ responsibilities for privacy protection. Within the same data treatment there can be two owners, or joint controllers (the user and the provider), who share responsibilities under a pre-defined agreement that will be the reference in case of audits, violations or disputes.

The new rules also establish the right to data portability when changing provider, the principle of accountability (i.e. the provider’s commitment to demonstrating the suitability and effectiveness of the security and protection measures adopted with respect to those same rules), the duty to notify data breaches (i.e. timely notification to the authorities and to the affected party of unlawful or incorrect data treatments) and the adoption of pre-defined principles when designing new products and services (privacy by design).
We will see how the new rules concretely influence the development of the Cloud.

Lastly, in August 2014 the International Organization for Standardization (ISO) published ISO/IEC 27018:2014, a set of rules and international principles: a standard specifically developed for Cloud service providers, built on top of previous standards (ISO/IEC 27001 and ISO/IEC 27002) and verifiable by third parties, which guarantees that providers adhering to it are compliant with European privacy laws.
Therefore, when choosing a partner provider, it can be useful to check whether the provider holds ISO certifications.

Other aspects related to Cloud services are the security and confidentiality of data, not only from the privacy standpoint but also in terms of confidential content and company assets to be safeguarded, which is the topic we will cover in the next issue.

About the Author

Veronica Morlacchi

She graduated in law with full marks and is a lawyer admitted to practise before the Court of Cassation (Avvocato Cassazionista), registered with the Bar of Busto Arsizio since 2004 and with the roll of lawyers qualified to appear before the Corte di Cassazione and the other higher courts. She works mainly, on behalf of private individuals, professionals, companies and public bodies, in civil law, in particular civil liability and damages, new technologies and privacy law, contracts, persons and family law. She holds a master’s degree in Civil Liability and a postgraduate qualification in contract drafting techniques and, most recently, specialised in Data Protection and Data Governance at the Università degli Studi di Milano and in advanced GDPR application strategies. She publishes regular updates and articles on the subjects she deals with on her website www.studioavvmorlacchi.it and has been contributing to Guru Advisor since June 2016.
