Public cloud legal jurisdiction and law enforcement considerations

Council of Europe and European Commission

I have been working with Solidsoft customers to address security and governance considerations in adopting the Windows Azure public cloud. Whilst we naturally refer to the Microsoft Trust centre as an authoritative source, it doesn’t always answer the questions we are asked.

 

Having researched some specific questions from European customers on the interaction of US Federal and EU laws and the impact on their data and services hosted in a global utility public cloud, I thought I would share my findings.

 

Note this applies to services provided/hosted in the European Economic Area only.

 

 

Question 1 - What is the place of jurisdiction and applicable law for customer information in a public cloud?

 

Data protection and disclosure are governed by legislation applicable to the jurisdiction in which each data centre is located.  Windows Azure allows data and processing to be restricted to specific regions.  This includes back-ups and other forms of data replication.  At the time of writing, Windows Azure operates in two European regions with datacentres in the Republic of Ireland and the Netherlands.

 

The legal basis for data disclosure for investigative or evidential purposes is harmonised across Europe and other countries, including the US, through the Council of Europe Convention on Cybercrime.  At the time of writing, the Netherlands has ratified the European Convention on Cybercrime.  The Republic of Ireland has signed, but not yet ratified, the convention.  The legislative framework in the Republic of Ireland is similar to other European countries, but further reform is required to update definitions of cybercrime before the convention can be ratified.

 

There is no legal right to restrict data disclosure to European law enforcement agencies only.  Disclosure of data across jurisdictions is governed by an extensive network of bilateral treaties.  These Mutual Legal Assistance Treaties (MLATs) regulate disclosure between two specific jurisdictions (e.g., US and Ireland).  Cloud service providers must comply with existing legislation and must disclose data if required to do so.

 

Microsoft believes that its customers should control their own information whether stored on their premises or in a cloud service.  Customer Data will not be disclosed to a third party, including law enforcement agencies, other government entities or civil litigants except as directed by data owners or as required by law.

 

For the past decade, Microsoft has been a signatory to the US EU Safe Harbour agreement.  This provides a legally binding framework in which the EU recognises the provision of adequate protection in compliance with EU data protection law.  The E.U. Data Protection Directive (95/46/EC) sets a baseline for handling personal data in the European Union.  Doubt exists about the adequacy of Safe Harbour when applied to cloud computing.  In line with the EU Commission’s recommendations, Microsoft offers an additional Data Processing Agreement that details the company’s compliance with the E.U. Data Protection Directive and related security requirements for Windows Azure core features within ISO/IEC 27001:2005 scope. Microsoft also offers E.U. Model Contractual Clauses that provide additional contractual guarantees around transfers of personal data for Windows Azure core features within ISO/IEC 27001:2005 scope.  These are available to volume licensees only.

 

 

Question 2 - Could legally sanctioned action (such as seize or freeze) by law enforcement agencies on another public cloud tenant impact our operations?

 

Search and seizure for the purposes of obtaining evidence with respect to specific criminal investigations is regulated by local legislation and written orders (e.g., court-issued warrants) in each jurisdiction.  Legislation is harmonised across Europe by the Council of Europe Convention on Cybercrime.  When granted adequate authority, law enforcement agencies can search, access, seize, secure and disclose data stored on computer systems located within their territories.  These rights are limited by articles 14 and 15 of the convention.  Articles 2, 3, 4 and 5 mandate that unauthorised system access, illegal interception of data transmissions and any unauthorised data or system interference must be established as criminal offences in each jurisdiction.

 

Windows Azure is a shared cloud utility based on the commercial and technical premise of multi-tenancy.  To allow different contracted customers (“tenants”) to safely share the same physical platforms, the Windows Azure infrastructure ensures robust isolation and partitioning of data and processing.  This infrastructure ensures that datasets and data images (e.g., virtual hard disks) belonging to a specific tenant can be searched, accessed, seized and secured without disruption to other tenants and without unauthorised and unlawful disclosure of their data.  Microsoft believes that its customers should control their own information whether stored on their premises or in a cloud service.  As stated above, Microsoft's policy is to refuse to disclose customer data to any third party, including law enforcement agencies, other government entities or civil litigants, except as directed by the client or required by law.  Across Europe, failure to abide by this policy could result in criminal liability.

 

In the highly unlikely event that your application is subject to appropriately authorised legal discovery, Microsoft will provide the requesting entity or agency with snapshot copies of data and images in compliance with their legal obligations.  If data is seized, a request can generally be made for permission to continue to run the system and access data under the ‘access and copy’ provisions of applicable local legislation.

 

It is widely recognised that the nature of public cloud platforms effectively precludes law enforcement agencies from gaining physical control of the media or network on which data resides.  A growing body of academic work describes the implications of the distributed, geo-replicated, virtualised and multi-tenancy nature of cloud platforms with respect to search and seizure.  Some doubt exists regarding the exact obligations of cloud providers in responding to authorised requests.  For example, issues concerning the detail of information that must be provided remain untested in the courts.

 

The Republic of Ireland has signed, but not yet ratified, the Council of Europe Convention on Cybercrime.  However, the legislative framework for search and seizure in the Republic of Ireland is similar to other European countries.

 

 

Question 3 - What is the compliance situation between US-EU Safe Harbour and the EU Data Protection Directive?

 

Although Safe Harbour legally confers the status of 'adequate' on US signatories (e.g. Microsoft) with respect to data protection, Europe is in a difficult situation with respect to cloud service providers.  This is because the Article 29 Working Party, the independent advisory body that advises the EU Commission on data protection, formally advised the commission last year that Safe Harbour is inadequate for public cloud services (Opinion 05/2012 on Cloud Computing).

 

The Article 29 Working Party advice on ensuring adequacy against E.U. Data Protection Directive (95/46/EC) suggests that the data controller needs to accept the 2010 version of EU Model Clauses and verify evidence of Safe Harbour self-certification.

 

Microsoft has been supporting this for some time, so for a European Windows Azure customer to ensure that they are compliant with EU data protection law, they need to ensure that the data controller:

 

1. Enrols as a Microsoft volume licensee

2. Signs the Microsoft Data Processing Agreement

3. Accepts the 2010 version of EU Model Clauses

4. Has sight of suitable audit reports that attest to the controls that Microsoft has in place

 

We are expecting publication of the proposed reforms to European Data Protection law in Q4 2013. A recent document from the US Department of Commerce International Trade Administration states: “Compliance with Safe Harbour will remain an officially recognized means of demonstrating that an eligible U.S. organization ensures an adequate level of data protection while the EU data protection reform proceeds.”

Written by Charles Young, Hans Baumhardt at 00:00
