Dr. Claude Micallef-Grimaud recently spoke on behalf of Microsoft Corporation ('Microsoft') at a half-day public seminar organised by the Malta IT Law Association (MITLA) on the topic of 'trust in cloud technology'. The event took place on 12th December 2016 at SmartCity Malta (SCM). Throughout his presentation, Dr. Micallef-Grimaud used Microsoft itself as a case-study to analyze what certain cloud service providers do to earn public trust in modern technology like 'the cloud'. The main point that he raised was that if people don't trust new technology, they simply won't use it and if that happens, innovation will grind to a halt and technological advancement will suffer.
In his talk, Dr. Micallef-Grimaud also discussed the various legal obligations on data controllers in terms of applicable data protection legislation (particularly under the current Maltese Data Protection Act – Chapter 440 of the Laws of Malta) focusing on the 'adequate level of security' requirement that data controllers are legally obliged to implement in their organisations. This includes the legal obligations of implementing appropriate technical and organisational measures to protect against accidental loss or destruction of data and other unlawful forms of processing of personal data (such as unauthorised access).
An important point that was emphasised during the talk was that data controllers also have a legal obligation to ensure that the data processors they engage to process data on their behalf (such as cloud service providers) also have these appropriate security measures in place and that these measures are actually implemented by the processors. If not, the data controllers would be exposed to both criminal and civil liability (as well as administrative sanctions).
Other legal issues that were discussed include the requirements for effecting data transfers outside of Malta, general obligations of fair and lawful processing (such as transparency) as well as certain obligations arising under the new EU General Data Protection Regulation (Regulation (EU) 2016/679), the 'GDPR', that will replace the current Maltese data protection regime in May 2018. Organisations must use the time leading up to this date to ensure full compliance with this new legal regime (applicable at the EU level).