The issues related to confidentiality and security play an important role in data protection. This is even more so when considering an information technology environment, and thus when considering cloud computing. Security is therefore at the forefront of current issues that private but also public stakeholders must face today.
In this third article of our cloud computing and privacy series (see our previous articles here and here), we examine some of the security requirements and guidance that apply to cloud computing in the EU and in certain key Member States(1).
Legal security requirements
It results from our study that security is currently one of the most regulated topics in the field of data protection, as well as in the field of telecommunications.
The importance given to security is constantly increasing and is expected to keep playing a central role in the future. In this respect, we note in particular the upcoming data protection Regulation, which focuses notably on security aspects. We also note other EU initiatives such as in the field of cybersecurity, where the adoption of a Cybersecurity Directive is on the horizon(2) (see our latest article on this topic here).
It shall be reminded that at EU level, the main requirements related to security are regulated by Article 17 of Directive 95/46. In a nutshell, it requires that the controller guarantees the security of the personal data and protects their integrity. In order to do so, the controller (or its processor where appropriate) must implement the ‘appropriate’ technical and organizational measures that are necessary to protect the personal data from accidental or unlawful destruction, accidental loss, as well as from alteration, access and any other unauthorized processing of the personal data "in particular where the processing involves the transmission of data over a network"(3).
More specifically, the controller shall adopt an internal security policy and implement technical and organizational measures to physically protect the premises where the information is stored, as well as the technical protection against hackers and unauthorized use of the system. The EU data protection legislation does not provide more details regarding the security obligation, but specifies nonetheless that the measures shall take into consideration the state of the art and the cost of their implementation, and that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
Other EU instruments provide for similar obligations. Article 4(1) of the ePrivacy Directive 2002/58/EC(4) imposes a security duty on providers of publicly available electronic communications services(5).
It derives from the foregoing that a risk-based approach is imposed on controllers (and processors) or on providers of publicly available electronic communications services or of a public communications network, requiring a continuous risk assessment. Such assessment shall reflect the nature of the data (for instance whether it is ‘sensitive data’), the possible threats (technical and others) and the prejudice that could result from a security breach.
The various legal provisions at EU level are formulated in general terms. Member States therefore have a relatively high level of discretion when implementing such instruments into their legal system.
Our examination of the key Member States has shown that legislators have taken different approaches. Whereas some of them have transposed the EU provisions rather faithfully (e.g., the United Kingdom), some others are more prescriptive.
We note nonetheless that several Member States provide for interesting details as to the measures that shall be put in place by the data controller (or its processor where appropriate) or the electronic communication service provider.
For instance, although there is no specific law in Poland relating to cloud computing services, Cloud Service Providers ("CSP") must comply with the regulations related to personal data protection and sector specific regulations or soft law, if applicable (e.g., financial services or in the health sector).
With respect to the personal data protection, both the controller and the processor need to comply with very detailed regulations regarding technical and organisational measures set forth in the Polish Data Protection Act (articles 36-39a) and in the Regulation by the Polish Minister of Internal Affairs and Administration as Regards Personal Data Processing Documentation and Technical and Organisational Conditions Which Should be Fulfilled by Devices and Computer Systems Used for Personal Data Processing ("Security Regulation").
In Germany, there is also no specific law aimed at cloud computing services. CSPs must nevertheless comply with Section 9 of the German Data Protection Act, which provides obligations to implement certain security measures listed in an annex to the law. Said list is quite comprehensive and all elements must be fulfilled(6).
The situation in Spain is similar to that observed in Germany. In the absence of any specific law aimed at cloud computing services, the general security measures must be implemented depending on the level of sensitivity of the personal data processed. The Spanish Data Protection Regulation establishes a catalogue of security measures to be complied with by data controllers and data processors, depending on the "basic", "medium" or "high" level.
General security guidance
In view of the importance attributed to security at EU and national levels, several authorities have published guidance in order to provide more general and practical guidelines on how to implement the, often vague, legal provisions. In this section, we provide an overview of some of the most interesting initiatives in this respect, excluding however particularities regarding the health sector (addressed in our sixth article).
The European Network and Information Security Agency ("ENISA")(7) published numerous reports, some of which are specifically dedicated to cloud computing (link).
Furthermore, on 5 November 2001, the Article 29 Working Party (the "Working Party") published an Opinion on the Commission Communication on "Creating a safer information society by improving the security of information infrastructures and combating computer-related crime" (link). This outdated opinion constitutes at present the Working Party's sole attempt to address security issues.
In Belgium, the Data Protection Authority ("DPA") has published a document entitled "reference measures on the security of data" (link), which details ten areas of action regarding data security. In June 2012, the DPA also published guidelines for information security (link) based on the ISO/IEC 27002 structure.
In Germany, the annex to Section 9 of the German Data Protection Act (link) provides obligations to implement certain security measures(6). In addition, some German DPAs and industry associations provide guidance on how to include these technical measures in data processing agreements (link). Furthermore, Section 11 of the German Data Protection Act enumerates the items that must be specified in a data processing agreement, such as inter alia the subject and the duration of the agreement; the type of data and group of persons affected; and the technical and organizational measures to be taken.
In Poland, in 2007, the Inspector General for the Protection of Personal Data ("GIODO") published "The ABC of rules on personal data security processed by means of IT systems" (link). It includes a brief description of the detailed Polish requirements as to the security and organizational measures set forth in the Security Regulation, including some guidelines related to hosting. It comprises a detailed description of what the Security Policy and the Instruction of the Security Management System should look like, basic requirements regarding functionality of the security systems and explanations as to the levels of security (basic, medium, high).
In Spain, in addition to the general security measures that must be implemented depending on the level of sensitivity of the personal data processed, the Spanish DPA published a guide for the drafting of the Security document (link). More particularly, the guide covers security measures (including concept and use) and the security document (including concept and template). The guide lists the security measures required by Spanish data protection law, along with implementation strategies, including, (i) an explanation of the different security levels and their corresponding security measures; (ii) a template for the drafting of the compulsory internal security document; and, (iii) a questionnaire to automatically evaluate applicable security levels and their level of compliance.
Specific security guidance and standards related to cloud computing
In addition to the aforementioned general guidance on security, some authorities at international or EU level and in the key Member States provide for specific guidelines on security in a cloud environment. This is in many instances provided in the framework of general guidance related to cloud computing.
International ISO standards
Standards serve as an increasingly important tool for cloud customers to determine whether a cloud computing solution is secure and reliable. Up until recently, CSPs could only rely on existing general certification schemes to assure compliance with legal requirements.
However, a cloud-specific voluntary certification scheme saw the light of day in July 2014, when the International Organization for Standardization ("ISO") and the International Electrotechnical Commission ("IEC") teamed up for the publication of ISO/IEC 27018 (link). This code of practice for data security directed at public CSPs is based on the 2012 European Cloud Computing Strategy, referred to in our first article here, as well as on the Working Party's Opinion 05/2012 on Cloud Computing, referred to in our second article here. It further elaborates the general IT-related standards addressing data security, such as ISO/IEC 27001(8) and ISO/IEC 27002(9).
ISO/IEC 27018's objectives are fourfold: (i) to function as a tool for CSPs in their compliance with the applicable data protection obligations; (ii) to allow CSPs to be more transparent vis-à-vis cloud service customers; (iii) to assist both CSPs and customers in the negotiation of cloud service contracts; and, (iv) to provide cloud service customers with audit mechanisms.
It aims to achieve said objectives by inter alia requiring the CSPs certified under ISO/IEC 27018 to:
- Process personal information in accordance with the customer's instructions;
- Process personal information for marketing purposes only with the customer's express consent;
- Disclose personal information to law enforcement authorities only when legally obliged to do so;
- Disclose to the customer the identity of any subcontractors as well as the locations where personal information may be processed, prior to entering into a cloud services contract;
- Implement a policy for the return, transfer or erasure of personal information.
More recently, ISO/IEC 17788 (link) and ISO/IEC 17789 (link) were adopted, respectively providing for a common basic terminology and an architectural framework related to cloud computing.
The European Network and Information Security Agency ("ENISA") published reports on security in a cloud computing environment. We highlight in particular the following, along with a brief description provided by ENISA:
- "Cloud Computing: Benefits, risks and recommendations for information security" (20 November 2009) (link): outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.
- "Cloud Computing Information Assurance Framework"(20 November 2009) (link): provides a set of assurance criteria designed to assess the risk of adopting cloud services, to compare different CSP offers, to obtain assurance from the selected CSPs, and to reduce the assurance burden on CSPs.
- "Security & Resilience in Governmental Clouds: Making an Informed Decision"(link): identifies a decision-making model that can be used by senior management to determine how operational, legal and information security requirements, as well as budget and time constraints, can drive the identification of the architectural solution that best suits the needs of their organisation.
- "Procure Secure: a guide to monitoring of security service levels in cloud contracts" (2 April 2012) (link): a practical guide aimed at the procurement and governance of cloud services. This guide provides advice on questions to ask about the monitoring of security. The goal is to improve public sector customer understanding of the security of cloud services and the potential indicators and methods which can be used to provide appropriate transparency during service delivery.
- "Good Practice Guide for securely deploying Governmental Clouds" (13 November 2013) (link): identifies the Member States with operational government Cloud infrastructures and underlines the diversity of Cloud adoption in the public sector in Europe. Moreover, through this document, ENISA aims to assist Member States in elaborating a national Cloud strategy implementation, to understand current barriers and suggest solutions to overcome those barriers, and to share the best practices paving the way for a common set of requirements for all Member States.
- "Incident Reporting for Cloud Computing" (9 December 2013) (link): analyses how CSPs, customers in critical sectors, and government authorities can set up cloud security incident reporting schemes.
- "Critical Cloud Computing-A CIIP perspective on cloud computing services" (14 February 2013) (link): looks at cloud computing from a Critical Information Infrastructure Protection ("CIIP") perspective and looks at a number of relevant scenarios and threats, based on a survey of public sources on uptake of cloud computing and large cyber-attacks and disruptions of cloud computing services.
The Working Party Opinion 05/2012 on Cloud Computing (link)(see also our second article) comprises a section entitled "Technical and organisational measures of data protection and data security", which applies in addition to the ENISA "Cloud Computing Risk Assessment" report. The Working Party highlights the fact that "in addition to the core security objectives of availability, confidentiality and integrity, attention must also be drawn to the complementary data protection goals of transparency, isolation, intervenability, accountability and portability". The document analyses such questions more in depth.
In Germany, the guidance paper "Orientierungshilfe Cloud Computing" of 26 September 2011 (updated version 2.0 of 9 October 2014) of the working groups "technology" and "media" of the German data protection authorities contains comprehensive recommendations on cloud computing, including rules on security which are similar to those in the Working Party Opinion 05/2012 (link).
Furthermore, the guidance of the German Federal Agency for Security in Information Technology entitled "Security Recommendations for Cloud Computing Providers" of February 2012 mainly deals with IT security related topics, such as security management; security architecture (data centre, server, network, application, platform, data, encryption); rights management; control options for users; monitoring and security incident management; business continuity management; portability and interoperability; security testing and audit; requirements of personnel of providers; drawing up agreements, incl. transparency and SLAs; data protection; and compliance (link).
The paper includes check-boxes and different levels of (security) requirements depending on the sensitivity of data stored in the cloud. It includes three different levels, which are however only described in general:
- Category B (basic requirement) includes those requirements which are basic for all CSP's;
- Category C+ (high confidentiality) includes additional requirements where data with a high protection requirement in terms of confidentiality is to be processed;
- Category A+ (high availability) includes additional requirements where services with a high protection requirement in terms of availability are to be considered.
In Spain, while there is no explicit guidance on security in the cloud, such topic is covered in the following documents:
- The 2013 cloud-related guides of the Spanish DPA, one for users (link) and one for providers (link).
- The "Guide for companies: security and privacy of Cloud computing" of 2011 ("INTECO Guide") (link), published by the Ministry of Industry, which examines closely the main implications as regards security and privacy, and in particular covering security in the cloud, including security on the part of the Cloud computing provider and on the part of the client.
The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
This series of articles has been made possible thanks to the CoCo Cloud project (www.coco-cloud.eu) funded under the European Union’s Seventh Framework Programme, and of which Bird & Bird LLP is a partner. Said project aims to establish a platform allowing cloud users to securely and privately share their data in the cloud.
Our next article will address the topic of "data anonymisation and pseudonymisation" in the cloud computing context.
(1) Our study examined the particularities of national laws on key specific issues in ten selected EU Member States, i.e., Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Poland, Spain and the United Kingdom ("Key Member States").
(2) See in particular the European Parliament legislative resolution of 13 March 2014 on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (COM(2013)0048 – C7-0035/2013 – 2013/0027(COD)) (Ordinary legislative procedure: first reading)(link).
(3) Data Protection Directive 95/46/EC, Article 17(1). [Emphasis added].
(4) As amended by Directive 2009/136/EC.
(5) Article 7 of the Data retention Directive 2006/24/EC also required providers of publicly available electronic communications services or of a public communications network to respect certain security principles with respect to data retained in accordance with the Directive. Directive 2006/24/EC has however been deemed to be invalid by the CJEU (8 April 2014, joined cases C-293/12 and C-594/12).
(6) For more practical details on the situation in Germany, read "Praxishandbuch Rechtsfragen des Cloud Computing" by Fabian Niemann and Jörg-Alexander Paul (more information here).
(7) ENISA is not specifically set up to implement security measures in the field of data protection and telecommunications but has a broader mission in order to achieve a high and effective level of Network and Information Security within the European Union. Together with the EU-institutions and the Member States, ENISA seeks to develop a culture of Network and Information Security for the benefit of citizens, consumers, business and public sector organisations in the European Union.
(8) ISO/IEC 27001:2013, Information Technology – Security techniques – Information security management systems – Requirements (link).
(9) ISO/IEC 27002:2013, Information Technology – Security techniques - Code of practice for information security controls (link).