Posted by anniecbai on September 22, 2013
Recent massive data breaches prompt a discussion of the movement toward new thinking, new strategies and new leadership in IT security. In the new paradigm, flat-out prevention is no longer the goal. Companies need to pursue nuanced risk-management decisions that protect them while still allowing them to do business.
Category Annie C. Bai, English, Europe, European Union, Germany, Opinions · Tagged with Anonymous, BYOD, cybersecurity, cyberthreat, data breach, data security, Federal Office for Information Security (Germany), hackers, insider data breach, IT security, OVH, risk management, security breach, spearphishing, Ubuntu, Vodafone, Vodafone Deutschland
A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. This can be done by using security service level agreements between the cloud service provider and its client that clearly assign who is responsible for which particular security measure.
Storing data in a cloud located outside the EU raises specific legal compliance issues. According to some experts, such clouds are even unlawful. There are, however, ways to make sure that a data controller who stores data in a cloud located in a third country remains in compliance with German data protection law. To satisfy the adequate level of data protection requirement, a data exporter must use specific standard contractual clauses in all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
Category Cédric Laurant, Comments, English, EU Law, Europe, European Union, Germany, Marie-Andrée Weiss, Outlines · Tagged with adequate level of data protection, anonymization, Argentina, Article 26 (EU DP Dir.), Article 29 Working Party, BDSG, Binding corporate rules, Bundesdatenschutzgesetz, cloud computing, cloud service contract, cloud service provider, confidentiality, data controller, data processing security, Data Protection Authority, data protection law, data security, data security breaches, Datenschutzzentrum, Düsseldorfer Kreis, Dr. Thilo Weichert, encryption, EU Directive 95/46/EC, European Commission, European Privacy Seal, EuroPriSe, external audit, German Federal Data Protection Act, Germany, Google, IaaS, integrity, liability, PaaS, personal data, private cloud, pseudonym, public cloud, SaaS, Safe Harbor Framework, Safe Harbor self-certification, SAS 70, Security Service Level Agreement, standard contractual clauses, State of Schleswig-Holstein, Switzerland, third country, third party, United States, Yahoo
On April 29, 2010, the Düsseldorfer Kreis, an informal group of German data protection authorities, published a decision that could have significant repercussions for U.S. companies importing personal data from organizations operating in the European Union. One of these repercussions is that German organizations exporting personal data to the United States should check whether the U.S. data importer does indeed comply with the Safe Harbor Framework. Security plan recommendations will provide a useful guideline for EU data exporters to help them comply with the Safe Harbor Security Principle.
Category Cédric Laurant, Comments, English, EU Law, Europe, European Union, Germany, Marie-Andrée Weiss, North America, United States · Tagged with adequacy requirement, adequate level of data protection, Article 25 (EU DP Dir.), Article 26(2) (EU DP Dir.), Article 29 Data Protection Working Party, Best Buy, Binding corporate rules, Bundesdatenschutzgesetz, co-regulation, contractual clauses, data exporter, data importer, data security breaches, data security plan, Düsseldorfer Kreis, DSW, due diligence, encryption, EU Directive 95/46/EC, European Commission, European data protection authorities, German Federal Data Protection Act, Germany, independent auditing firm, information security, ISO, ISO 27000, loss, misuse, personal data, personally identifying information, privacy policy, RealNetworks, reasonable security measures, Safe Harbor Framework, Safe Harbor Security Principle, Safe Harbor self-certification, Safe Harbor self-certified organizations, self-regulation, sensitive personal information, third countries, transborder data flows, unfair and deceptive practice, US Department of Commerce, US Department of Transportation, US False Statements Act, US Federal Trade Commission, US Food and Drug Administration
Are ‘clouds’ located outside the European Union unlawful?
Posted by "Security Breaches" Administrator on July 16, 2010 · 3 Comments