New ISO International Standards concerning personally identifiable information should encourage the use of public cloud services
The publication of a new ISO International Standard is seldom an exciting event. However, in September 2014 a new ISO International Standard, ISO/IEC 27018:2014, was adopted, titled “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”. A cloud service provider who meets the requirements set out in this new standard will presumably also comply with the European Union requirements regarding the processing of personal data in the cloud, which was also one of the main purposes of the new standard. Hence, there is reason to believe and hope that September 2014 will prove an important month for increased use of the enormous potential of cloud computing by private and public organisations.
The American writer Nick Carr has pointed out the striking similarities between the phenomenon of cloud services and the proliferation of electricity around the turn of the last century. There is no doubt that we are moving towards a society where individuals, companies and public organisations may have their needs for software, data storage, application development and so on met by “pulling a switch”, paying only for what they actually use, without the need for huge investments in IT assets.
Nevertheless, there are a number of important obstacles which have to be overcome. If I were to dare to name the prime obstacle, I would call it trust. The use of a cloud service requires the user to trust its service provider, as the user is giving up control over its IT assets. The importance of trust is even more apparent if the cloud service includes the processing of personal data. Within the EU, hiring a cloud service provider to process personal data on your behalf means assigning to someone else the responsibility for ensuring that you do not breach the fundamental rights of individuals relating to data privacy. Obviously, this is hardly something to be taken lightly.
It is in this light that ISO 27018 should be viewed. As with all ISO Standards, the user is provided with a confirmation from an independent third party that the service provider meets the high standards set. As regards ISO 27018, the confirmation covers the processing of personal data. This should give rise to trust in the cloud service providers who follow the standard.
ISO 27018 consists of two parts. The first part is based on the already established standard ISO 27002. ISO 27018 clarifies the guidelines in ISO 27002 as regards processing of personal data in public cloud services.
Furthermore, ISO 27018 includes an appendix in which a number of so-called “controls” are specified, which go beyond what follows from ISO 27002. People familiar with the requirements of the Article 29 Working Party as regards cloud services and data processing agreements are on familiar ground. Amongst other things, the cloud service provider is, according to ISO 27018, required to assist the cloud service customer in fulfilling its obligations regarding the data subject’s right to information as well as the deletion and correction of personal data. Furthermore, the cloud service provider is prohibited from processing personal data for its own purposes and may only process personal data as instructed by the user of the cloud service.
The cloud service provider must also be transparent regarding its use of subcontractors, including a right for the customer to terminate the agreement should the subcontractors be replaced. Finally, the cloud service provider must ensure that appropriate security measures are implemented to protect the personal data.
Some things remain the same with ISO 27018. It is still the user of the cloud service who is considered to be the data controller and who is therefore responsible for complying with the data protection regulation. This responsibility includes, for example, carrying out a risk and vulnerability assessment as regards the processing of personal data. Such an assessment must be made whether or not a cloud service provider is hired. As ISO 27018 is clearly developed with the EU requirements for data processing in cloud services in mind, the assessment should no doubt be simplified if the cloud service provider meets the requirements set out in the new standard.
The publication of ISO 27018 may still not be considered an exciting event. However, there is reason to believe that its adoption will give cloud services a good push forward towards a world where IT is obtained by just pulling a switch. Let us hope that the European Union regulators review the standard quickly and state whether cloud service customers can trust that service providers who follow ISO 27018 meet the high standards set by the Data Privacy Directive.
About the Author
David Frydlinger is a lawyer for Lindahl law firm in Stockholm, Sweden, focussing on outsourcing and other strategic contracts. He also teaches Collaborative Contracting at the University of Tennessee and is a Certified Deal Architect of the Vested™ model for successful partnership.