The European Commission recently announced a €10
million campaign aimed at establishing standards and voluntary
certification programs to make cloud computing services better
aligned with European data protection laws. The EC intends to
leverage the purchasing power of national and local governments
throughout Europe to persuade cloud providers to adapt their
services to meet European levels of data security and portability,
as well as improving transparency to end users concerning how and
where their data are processed. Although the EC stresses that
compliance will be voluntary, it's clear that there will be
significant commercial pressure on cloud providers to meet the EC
standards, which are to be defined by the end of 2013.
In a nutshell, the EC wants to ensure that individuals,
governmental entities, companies and other organizations that want
to use cloud services will not need to be concerned that cloud
service providers will fail to meet the relatively stringent
European data protection requirements. The EC sees this concern as
an obstacle to wider adoption of cost-saving cloud services in
Europe. The EC solution will include both technical (standard
setting) and legal elements. The EC has already signaled that it
intends to develop model contract terms covering data preservation
after a cloud service contract ends, data disclosure and integrity,
data location, data transfer, ownership of data and liability.
The recent announcements from the EC concerning cloud computing
are complemented by useful guidance published by the United
Kingdom's Information Commissioner's Office on personal
data and cloud computing. None of the recommendations in the
UK's new guidance are startling – the basic
proposition is that data controllers remain responsible for the
processing of personal data whether done via the cloud or more
traditional means. However, there are examples that could be useful
in determining how the UK's data protection laws can be
satisfied in the context of cloud services. The ICO has also
provided a helpful checklist of things to consider when using cloud
services – this list could be particularly useful when
reviewing a new contract for cloud services, or doing a contract
audit to check whether current arrangements are adequate. And to
its credit, the ICO managed to fit the checklist on a single,
The National Institute of Standards and Technology has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53 titled Security and Privacy Controls for Federal Information Systems and Organizations, and this marks a very important release in the world of data privacy controls and standards.
The obligations of hedge funds, investment managers and service providers to protect confidential information relating to investors and avoid breaches of data privacy legislation is increasingly in focus.
In a recently released decision from the U.S. District Court for the Southern District of Florida, Mais v. Gulf Coast Collection Bureau, et al., Judge Robert N. Scola, Jr., granted in part and denied in part cross motions for summary judgment in a putative class action before considering the issue of class certification.
The report also found that most utilities only comply with mandatory cybersecurity standards, and have not implemented voluntary NERC recommendations regarding general or specific threats (e.g., Stuxnet).