Posted by marieandreeweiss on September 4, 2011 · 1 Comment
Since the beginning of this series, French law on security breach notification has already changed. Further changes are on the way, as Ms Viviane Reding sets out her intention to introduce mandatory security breach notification for banking and financial services, and the European Commission launched on 14 July a consultation on the practical rules for notifying personal data breaches. (5th and last part of our series)
Filed under Europe, European Union, Français, France, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with article 226-17-1 du Code pénal (France), Assemblée nationale française, California, CIL, cloud computing, CNIL, Code des postes et des communications électroniques, Commission nationale de l’informatique et des libertés (France), European Data Protection Supervisor, correspondant "informatique et libertés", credit reporting agencies, credit score, data security breaches, Décret n° 2011-219 du 25 février 2011 (France), DGCCRF (France), Directive 2009/136/CE, Directive 2009/140/CE, Directive 95/46/CE, European Commission, security breaches, Informatique en Nuage (cloud computing), loi "Informatique et libertés", Loi n° 2004-575 (France), Loi n°78-17 du 6 janvier 1978 (France), appropriate protective measures, security breach notifications, Ordonnance 2011-1012 du 24 août 2011 (France), Telecoms Package, Bill S.B. 24 (United States)
Posted by marieandreeweiss on August 29, 2011 · Leave a Comment
The report of the Assemblée Nationale also examines the guarantees for the confidentiality of personal data in the ‘cloud’ and details the legal procedures for exporting such data. (4th part of our series)
Filed under Europe, European Union, Français, France, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with Adequacy, Agence nationale de la sécurité des systèmes d'information (ANSSI), ANSSI, Assemblée nationale française, BCR, Binding corporate rules, Data center, Standard contractual clauses, cloud computing, CNIL, European Commission, Commission nationale de l’informatique et des libertés, data confidentiality, adequacy decision, Directive 2009/140/CE, Directive 95/46/CE, outsourcing, Article 29 Working Party, IT outsourcing (infogérance), Informatique en Nuage (cloud computing), loi "Informatique et libertés", law of 6 January 1978, binding corporate rules, Safe Harbor, personal data transfers, European Union, privacy
Posted by marieandreeweiss on August 22, 2011 · 1 Comment
The report of the Assemblée Nationale also looks at cloud computing, which offers many economic advantages for businesses, and even for governments, but whose use is not without risks for the security of personal data. (3rd part of our series)
Filed under Europe, European Union, Français, France, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with Danish Data Protection Agency, Assemblée nationale française, Data centers, cloud computing, CNIL, Commission nationale de l’informatique et des libertés, data confidentiality, US Congress, Conseil Supérieur de la Propriété Littéraire et Artistique, CSPLA, data centers, outsourcing, FCC, Federal Communications Commission, Google, IaaS, Informatique en Nuage (cloud computing), Infrastructure as a Service, Julius Genachowski, PaaS, Platform as a Service, SaaS, Software as a Service, subcontracting, subcontractor (processor), European Union, privacy
The European Data Protection Supervisor has recently issued an opinion on the review of the EU legal framework for data protection (Directive 95/46/EC). It expresses concerns regarding the increasing difficulties for individuals to protect the privacy of their personal data, and calls for strengthening individuals’ rights over them. This can be done, the EDPS argues, by making security breach notifications mandatory for all relevant sectors, increasing transparency of processing for data subjects, and introducing new rights, such as the “right to be forgotten” and the “right to data portability”.
Filed under Cédric Laurant, English, EU Law, Europe, European Union, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with Article 29 Data Protection Working Party, behavioral advertising, cloud computing, data controller, data portability, Data Protection Authority, data security breaches, data subject, EDPS, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, European Commission, European Data Protection Supervisor, European Network and Information Security Agency, European Union, right to be forgotten, right to data portability, right to oblivion, security breach, technologically neutral rights, transparency
The Article 29 Data Protection Working Party adopted, on July 13, 2010, a report on the EU Data Retention Directive (2006/24/EC). This report is the Working Party’s contribution to the European Commission’s evaluation of the implementation of the Data Retention Directive, which is due by September 15, 2010. The report details the results of a joint inquiry by the data protection authorities into compliance, at the national level, by telecom providers and Internet service providers with their obligations under both the Data Retention Directive and articles 6 and 9 of the EU e-Privacy Directive (2002/58/EC).
Filed under Cédric Laurant, English, EU Law, Europe, European Union, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with access control, access request, Article 29 Data Protection Working Party, authentication, back-up, biometrics, cloud computing, cloud computing system, confidentiality, contractual clauses, Council of Europe Recommendation R(87)15, data deletion, data security, data security breaches, data security principles, digital signature, dual authentication, encryption, EU Data Retention Directive, EU Directive 95/46/EC, EU e-Privacy Directive, European Commission, European data protection authorities, external audit, handover procedures, in-house policies, integrity, law enforcement authorities, LEA-accessible systems, log integrity, log retention, logs, mutual assistance and cooperation, mutual authentication, non-repudiation, outsourcing, password, personal data, retained data, retention period, security audit, security certification, security policy, security standards, self-regulation, sensitive information, sensitive personal information, system administrator, system maintenance, technical and organizational security measures, third party certification, tracking, traffic data, warrant
A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. This can be done by using security service level agreements between the cloud service provider and its client that clearly assign who is responsible for which particular security measure.
Storing data in a cloud located outside the EU raises specific legal compliance issues. According to some experts, such clouds are even unlawful. There are, however, ways to make sure that a data controller who stores data in a cloud located in a third country remains in compliance with German data protection law. To satisfy the adequate level of data protection requirement, a data exporter must use specific standard contractual clauses in all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
Filed under Cédric Laurant, Comments, English, EU Law, Europe, European Union, Germany, Marie-Andrée Weiss, Outlines · Tagged with adequate level of data protection, anonymization, Argentina, Article 26 (EU DP Dir.), Article 29 Working Party, BDSG, Binding corporate rules, Bundesdatenschutzgesetz, cloud computing, cloud service contract, cloud service provider, confidentiality, data controller, data processing security, Data Protection Authority, data protection law, data security, data security breaches, Datenschutzzentrum, Düsseldorfer Kreis, Dr. Thilo Weichert, encryption, EU Directive 95/46/EC, European Commission, European Privacy Seal, EuroPriSe, external audit, German Federal Data Protection Act, Germany, Google, IaaS, integrity, liability, PaaS, personal data, private cloud, pseudonym, public cloud, SaaS, Safe Harbor Framework, Safe Harbor self-certification, SAS 70, Security Service Level Agreement, standard contractual clauses, State of Schleswig-Holstein, Switzerland, third country, third party, United States, Yahoo
Are ‘clouds’ located outside the European Union unlawful?
Posted by "Security Breaches" Administrator on July 16, 2010 · 3 Comments