Out-Law / Your Daily Need-To-Know

Out-Law News

Financial services firms risk being left behind due to EU attitude towards cloud computing audits, says expert


EU financial services businesses will be put off using cloud computing because an EU policy fails to soften data audit requirements that pose difficulties for cloud-based systems, an expert has said. 

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that EU financial service firms will be less likely to utilise cloud computing than rivals based elsewhere in the world. This is because of the Commission's delay in endorsing "voluntary certification schemes" that can help demonstrate firms' legal compliance when using cloud services, he said.

EU laws require that financial services regulators have physical access to the places where information is stored. If those laws are interpreted strictly, using cloud services in which information is stored across many locations around the world is not possible, Scanlon said.

On Thursday the Commission said it would seek to develop new "EU-wide voluntary certification schemes in the area of cloud computing", including certification schemes that enable businesses to review cloud providers' data protection compliance, and publish a list of those schemes "by 2014".

"It is disappointing that the strategy did not go further and specifically address the issue of the impracticality, from a cloud perspective, of references in EU legislation which require physical auditing of data processing facilities," Scanlon said.

"The Commission really needed to say that it would make it a matter of priority to remove obstacles currently set out in EU laws which are holding back the uptake of cloud services, especially by organisations within specific sectors such as financial services, and that in the meantime, regulators should take a flexible approach to auditing requirements drafted at a time when cloud adoption was not contemplated," he added.

"Unfortunately, instead of taking this approach, the Commission has said that it will work with ENISA and other relevant bodies to identify appropriate voluntary certification schemes by 2014," Scanlon said. "This is not the answer in 2012 that industry needs to hear."

"Laws in non-EU markets are currently enabling competitors to European businesses to move to the cloud on the basis of certification schemes that are already in existence and used by the leading cloud providers such as Amazon Web Services and Microsoft. The Commission’s ‘we’ll get back to you by 2014’ puts Europe at a further competitive disadvantage," the expert said.

Under the EU's Markets in Financial Instruments Directive investment firms are required to "exercise due skill, care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any investment services or activities".

The firms, in particular, must "take the necessary steps to ensure that ... [it], its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the competent authorities must be able to exercise those rights of access," according to the Directive.

Scanlon said that this effectively means that UK investment firms need to ensure that the Financial Services Authority (FSA) has "effective access" to the "business premises" of cloud providers in cases where the firms intend to store data relating to "critical or important operational functions or of any investment services or activities" in the cloud.

He added that recent guidance published by the Information Commissioner's Office (ICO) demonstrated a less prescriptive approach to data audit requirements for cloud computing under data protection laws.

Under the Data Protection Act (DPA) data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

When outsourcing personal data processing to others, such as to cloud providers, data controllers are required, among other things, to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".

In its guidance the ICO said that although "one of the most effective ways to assess the security measures used by a data processor would be to inspect their premises", it acknowledged that in a cloud context "this is unlikely to be practicable". It put this down to "various logistical reasons" and because "it is also unlikely that a cloud provider would be willing to permit each of its prospective and current customers to enter its premises to carry out an audit."

The ICO said that in order to "deal with this problem", cloud providers could arrange for "an independent third party" to carry out a "detailed security audit" of their services and provide copies of the assessment to businesses so that those firms could "make an informed choice as to whether the provider’s security is appropriate".

In July Amazon submitted details of how it ensures the security of information that users store in its 'Amazon Web Services' cloud platform to the Security, Trust & Assurance Registry (STAR), operated by not-for-profit body the Cloud Security Alliance (CSA). A range of other cloud providers, including Microsoft, have published similar details on STAR.

The Registry enables cloud providers to submit "self assessment reports" documenting their compliance with "best practices" established by CSA. The Registry is free to view and helps "users assess the security of cloud providers they currently use or are considering contracting with," according to CSA's website.

CSA promotes "the use of best practices for providing security assurance within cloud computing" and provides "education on the uses of cloud computing to help secure all other forms of computing".

Whilst the ICO welcomed the CSA's STAR initiative, which has been operating since the end of last year, it told Out-Law.com at the time that organisations cannot rely on the information made available by cloud providers, or on other external certifications, to ensure their own compliance with UK data protection laws.
