Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970


BEST PRACTICES

Is Data in the Cloud Subject to International (EU) Privacy Laws?

"in-scope Microsoft services"; for your own data and systems Microsoft states that enterprise customers "are the controllers of the personal data" and that they "carry the primary obligation to protect that data." Microsoft guarantees that it adheres to EU data protection law where it is the processor, such as with Office 365, but with services where it is not the main processor the responsibility falls to customers to ensure that they are complying with the law. This makes sense: if you are using Information as a Service or Platform as a Service, you alone are in control of how the data is managed and where it is stored, and only you can stipulate where your Office 365 tenant is deployed.

U.S. Challenges

You might assume that an EU citizen's data is protected by EU laws even if the data is held in the U.S. This aligns with the well-known "Microsoft Ireland" case in which the Second Circuit Court of Appeals in New York ruled that Microsoft should not be compelled to hand over data stored in an EU region that belonged to an EU citizen. However, in June of 2017 the U.S. government appealed this decision to the Supreme Court. The Supreme Court will determine if it will hear the case later this year.

In addition, a recent ruling in California ordered that data belonging to a U.S. Gmail customer stored in an EU region must be handed over because that data was managed from Google's U.S. operation. As of this writing the case is ongoing, but it shows there is still use case testing to be done regarding how the rules are applied.

Protecting Your Data

How do we ensure that our data falls within the right set of clauses to provide the best level of protection? If you have not already done so, start defining cloud data policies. Place restrictions on where data can be created, stored or replicated within your system. Encrypt in transit and at rest, and even better, manage the encryption key. Define retention policies; this is not just a good security principle — it makes good financial sense, too. Understand your role regarding data management; ultimately it is up to you to ensure that you are in compliance.

GREG PANAYI

Greg Panayi is a senior cloud architect with experience across several sectors. As an early adopter of cloud technologies, he was one of the first to push for a cloud first principle among the top six law firms. Greg works for an InsureTech start up and is driving the adoption of cloud technologies within that sector.

Pull quote: While the EU's new General Data Protection Regulation goes much further in protecting the right to data privacy, it places a lot of the onus for compliance on the data processor.
