On 1 August 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published the first privacy-specific international standard for the cloud: ISO/IEC 27018 "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". Microsoft, an early adopter, announced on 16 February 2015 that it was the first company to receive certification against the standard. Strictly speaking, ISO/IEC 27018 is a code of practice rather than a certifiable management-system standard in its own right: a provider is audited against its controls as an extension of an ISO/IEC 27001 certification, so a claim of "27018 certification" should be read as an independent audit of those controls within a 27001-certified ISMS.
ISO/IEC 27018 builds on existing ISO standards, in particular ISO/IEC 27001 (the requirements standard for information security management systems) and the ISO/IEC 27002 control set that it extends with PII-specific controls, and is aimed at increasing confidence in data security and cloud computing. Adoption of the standard does not itself provide a lawful basis for transferring personal data outside the EEA; rather, it complements the existing transfer mechanisms, such as model contracts, Binding Corporate Rules and Safe Harbour, by evidencing the processor's security and privacy practices.
ISO/IEC 27018 provides best practices for public cloud service providers (CSPs) and establishes guidelines for implementing measures to protect personal data. CSPs that adopt the standard agree to adhere to specific guidelines which include:
- Control: only processing personal data in accordance with customers' instructions;
- Consent: only processing personal data for marketing/advertising purposes with the customers' express consent (consent cannot be made a condition for receiving the cloud services);
- Communication: notifying customers in the case of a breach and keeping clear records about the incident;
- Transparency: disclosing to the customer the identity of sub-processors and any possible locations where personal data may be processed; and
- Independent Audit: obtaining regular reviews of the CSP's compliance through a third party independent audit.
CSPs that can demonstrate, through an independent audit, that their services conform to the standard offer customers greater assurance about how their personal data is handled. Customers should nonetheless ask for the audit scope (which services, regions and sub-processors are covered) rather than relying on the claim of conformance alone.