Multinational

US and Foreign Laws Regulating Government Access to Data

Francoise Gilbert

Cloud service providers and users are becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party involved in a lawsuit. Requests for access by law enforcement, intelligence and secret services are governed by very complex rules, and predictably, these rules differ from country to country.

A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, in a discussion of the laws that regulate government access to cloud data.

Hot Issues in Data Privacy and Security

Francoise Gilbert

Data privacy and security issues, laws and regulations are published, modified and superseded at a rapid pace around the world. The past ten years, in particular, have seen a significant increase in the number of laws and regulations that address data privacy or security on all continents. On March 1, 2013, a program held at Santa Clara University’s Markkula Center for Applied Ethics, titled “Hot Issues in Global Privacy and Security”, featured attorneys practicing on all continents who provided an update on the privacy, security and data protection laws in their countries.

The second half of the program featured a panel moderated by Francoise Gilbert, where the chief privacy counsel or chief privacy official of McAfee, Symantec and VMware talked about how to drive a global privacy and security program in multinational organizations.

Videos of the program are available by clicking here.

The program was the second part of a two-day series of events. The first program was held in San Francisco on February 28, 2013, and was sponsored by Box, Inc. and the Cloud Security Alliance. This program focused on Government Access to Cloud Data and started with an overview of the laws that regulate US government access to data, presented by Francoise Gilbert. A panel featuring European and North American attorneys followed; they discussed the equivalent laws in effect in their respective countries. The program concluded with a presentation by the general counsel of Box, Inc., who spoke about the way in which his company responds to government requests for access to data stored by his company.

Videos of this program are available by clicking here.


Comparative Analysis of the Laws Regulating Government Access to Cloud Data

Francoise Gilbert

A program held in conjunction with the RSA San Francisco 2013 Conference and sponsored by the Cloud Security Alliance and Box – a major provider of cloud services – recently featured some of the contributors to the Global Privacy & Security Law treatise, Jean-Francois Henrotte (Philippe & Partners, Belgium), Frederic Forster (Alain Bensoussan Avocats, Paris), Raffaele Zallone (Studio Zallone, Italy) and Francoise Gilbert (IT Law Group, USA). The program presented a discussion of the US and foreign laws that regulate government access to cloud data.

Article 29 Working Party’s Opinion on Cloud Computing: A Threat for the Industry?

Francoise Gilbert

In its Opinion 05/2012 on Cloud Computing published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.


Compliance by Design

Francoise Gilbert

How to build cloud applications that anticipate your customers’ legal constraints?

To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable medical information state laws. If it fails to do so, it will not be able to sign up customers. Similarly, a cloud that uses servers that are located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.


Server Location: A Significant Factor in Cloud Computing Services

Francoise Gilbert

In a cloud computing environment, data and applications are hosted “in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, and the typical answers will likely range from “well… hum … in the cloud” to “we have servers everywhere, data moves around constantly” or “we cannot tell you for security reasons.”

As the custodian of confidential and valuable data — personal or company information — you need to know where data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint.

How to Conquer Cloud Computing Contracts – Part 2

Francoise Gilbert

Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing into the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts.

How to Conquer Cloud Computing Contracts – Part 1

Francoise Gilbert

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.


Proposed Changes to the EU Data Directives: What Consequences for Businesses?

Francoise Gilbert

The European Commission has determined that the privacy and data protection framework applicable throughout the European Union must be revised in order to adapt the current rules to the rapid technological changes that have dramatically modified the way individuals live and companies operate. Communication COM (2010) 609, published on November 4, 2010, summarizes the goals that the European Commission has set for the overhaul of the EU data protection regime.[1]

The Commission intends to expand the duties and obligations of the data controllers, improve the awareness and understanding of privacy matters by individuals, increase the protection of individuals’ rights especially in the context of Web 3.0 applications, and ease the flow of information in the internal market as well as in the context of cross-border data transfers out of the European Union.
