- What data security rules apply to cloud computing in your jurisdiction? Are specific security requirements for cloud initiatives under consideration? Has any authority issued guidelines in this regard?
Section 34 of the French Personal Data Protection Act requires that the data controller take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, to prevent their alteration and damage, or access by non-authorized third parties. Breach of these obligations is a criminal offence.
- What are the implications of cloud computing for data sovereignty? Is sophisticated data encryption a meaningful solution to data sovereignty concerns?
This issue is raised by US service providers that have subsidiaries in Europe. The Microsoft case is a good illustration of the legal criterion of “possession, custody or control” over information. Microsoft Inc. was directed to produce the contents of one of its customers' e-mails stored on a server located in Dublin, Ireland, operated by one of its subsidiaries. The order to access the data did not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question. The US test for production of documents is control, not location.
- Under what circumstances can governments (national and/or foreign) access data stored in the cloud? Must the information owner be informed before this happens? What are the rules of engagement in terms of transparency and accountability?
The national government and related bodies can access data stored in the cloud in various circumstances: protection of national security, suspected criminal offences. Absolute discretion is required and no prior notice is given to the information owner. Most of the time, judges with specific jurisdiction have given their prior consent to such secret access to information.
- What are the implications of cloud computing in case of litigation? What are the implications for privilege?
If there is a legitimate reason to establish the evidence of the facts upon which the resolution of the dispute depends, the judge may order legally permissible inquiries; this may include access to computerized data.
- How can risks relating to cloud services be mitigated (eg, contractual safeguards, insurance etc)?
Contractual provisions are indeed very useful; clients require that they refer to standards such as the ISO/IEC 27001 and ISO/IEC 27002 certifications, or the ISO/IEC 19086 one. The “Cloud Service Level Agreement Standardisation Guidelines” (https://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines) contain numerous provisions to increase the level of contractual protection. There are few insurance offers to cover loss of data or data breach in the cloud.