Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970


BEST PRACTICES

Is Data in the Cloud Subject to International (EU) Privacy Laws?

We have spent years building our IT infrastructure inside our perimeter, we can point to where the data is stored and we know who has access. So when asked to hand over all that control and data to a third-party cloud provider we get nervous! How do we provide the same protection to data stored in the cloud that we do within our own systems?

by Greg Panayi

The responsibility to protect enterprise data in the cloud sits with the enterprise itself — that is, with us — but we have to accept that ultimate control for data in the cloud lies with the cloud provider. The good news for European Union (EU) citizens is that there are legal protections detailing what can and cannot be done with personal data, and cloud providers are bound by these laws with regard to the data they store. Understanding the scope of these regulations and the requirements they place on cloud providers is key to ensuring that data is protected regardless of where it is stored.

EU Controls

If you are in the EU or dealing with EU-based data, there are several controls in place regulating how data is managed. Not too long ago data protection fell under the EU Safe Harbor laws; however, those laws were deemed invalid due to concerns about how data requested by government agencies was handled. The new laws, defined as EU model clauses, are much more prescriptive in how EU personal data is processed. Still, it is not enough to rely solely on these laws to protect your enterprise data in the cloud.

While the EU's new General Data Protection Regulation goes much further in protecting the right to data privacy, it places a lot of the onus for compliance on the data processor. Also be aware of the data protection code established by Cloud Infrastructure Services Providers in Europe (CISPE). This too is geared toward protecting personal data. It details protocols for handling data requests from government authorities and law enforcement agencies as well as for notification of data breaches.

From an enterprise viewpoint the EU model clauses are likely to be at the forefront of ensuring that data is managed correctly. Look for a cloud provider who has signed up for these agreements if there is a chance that your data may travel outside the EU during cloud hosting. Microsoft commits to EU model clauses for data protection, ensuring that personal and private data is regulated by EU data protection laws when it is transferred to regions outside the European Economic Area. However, this commitment is only valid for
