Privacy Level Agreement Working Group
Introduction to the Privacy Level Agreement Working Group
Privacy is one of the top concerns for potential cloud customers. Both Cloud Service Providers (CSPs) and potential users struggle with different data protection legislation across the globe, where the inconsistencies between National legislations represent a significant barrier to a broad adoption of cloud computing.
Moreover, privacy compliance has become a fundamental evaluation criterion when choosing between Cloud Service Providers.
2012 has been a particularly important year of reforms on privacy, data protection, and cloud computing, with the publication of the European Commission proposal for a General Data Protection Regulation (amending the Directive 95/46/EC), the Article 29 Working Party </a href=”http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf”>Opinion 5/2012 on Cloud Computing and several national Data Protection Authorities’ recommendations on cloud (e.g., CNIL’s recommendations for companies using these new services, Italian DPA Cloud Computing: il Vademecum del Garante, Irish DPC Data Protection in the Cloud.
I think [the PLA Outline] is a very helpful document, both for potential customers of CSPs and for CSPs themselves.
By following closely the WP29 Opinion it ensures that both parties understand the obligations under EU law – probably the strictest requirements they will have to comply with.
Hopefully it will be accepted by CSPs that, if they want to be viewed as acceptable service providers – especially by EU-based organisations – they are going to have to be able to answer successfully the questionnaire that is annexed to the document.
Irish Data Protection Commissioner
The Singapore Ministry of Information, Communications and the Arts (“MICA”) has also released the draft Personal Data Protection Bill (“Draft Bill”). Parliament is expected to pass the Draft Bill in the third quarter of 2012. Reforms of the data protection and privacy legal framework are debated in other geography, as well, such as, for instance in USA.
With its mission to support the creation of a transparent and trusted cloud market and in order to remove barriers to cloud adoption, the CSA decided to define baselines for compliance with data protection legislation and best practices by defining a standard format for Privacy Level Agreements (PLAs) and standards, through which a cloud service provider declares the level of privacy (personal data protection and security) that it sustains for the relevant data processing.
The CSA believes that the PLA outline can be a powerful self-regulatory harmonization tool and could bring results that are difficult to obtain using traditional legislative means. Moreover, we see the PLA as:
- A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
- A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.
- A way to offer contractual protection against possible financial damages due to lack of compliance.
PLA are meant to be similar to SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the CSP will clearly declare the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing, in a format similar to that which is used by other CSPs. CSPs have realized the importance of privacy disclosures, and they are devoting time and resources at improving their privacy disclosures, in order to reassure the customers about their data handling practices. This working group will be working on the definition of a template (i.e., a sample outline) for PLA.
Transparency and information are key to build trust in the cloud ecosystem.
This is why the CNIL has actively contributed to the elaboration of the PLA-outline.
As it gets gradually adopted by CSPs, it will become an important building block for constructing a modern ethical and privacy-preserving framework, adequate to the challenges that face all stakeholders in the digital world.
President of the CNIL
CSA PLA Initiative Process
Step 1 will be completed by a team of data protection law professionals (familiar with cloud services) from different Member States. Such team can be assembled using the fellows of the European Privacy Association (EPA), as well as privacy officers from industries.
Step 2 will be completed by a team of selected members of the Step 1 team and selected data protection law professionals (familiar with cloud services) representing the different regions of the world.
Step 3 will be completed by a team of selected members of WG involved in Step 1 and 2.
The PLA Working Group is by invitation only, even though unsolicited candidatures will be considered by the Working Group Co-Chairs.
Working Group Scope and Objectives
The initial scope is for Europe, as the EU Member States have the most stringent regulation on privacy compared to the rest of the world.
The initial PLA Outline deliverable should be seen as a timely answer to Article 29 WP Opinion 05/2012 on Cloud Computing, as well as a complement to the CSA Open Certification Framework initiative.
This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flaw is concerned.
A Privacy Level Agreement (PLA) has twofold objectives:
- Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
- Offer contractual protection against possible economical damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.
Working Group Milestones
The project will be structured in 3 phases:
Define structure and content of the PLA template, based on current or anticipated EU and OECD privacy principles:
- List the necessary fields to be filled in the PLA according to the principles of EU privacy law, OECD Guidelines (taking into consideration the general duties of CSPs’ and the general needs of users with respect to data protection).
Adapt European model to global privacy needs:
- Perform a gap analysis on the EU PLA template aiming at producing a Global PLA template;
- List the necessary fields to be filled out in the PLA according to global privacy principles and legislation, and taking into consideration CSPs’ obligations and users’ needs;
- Provide instructions and explanatory notes to guide the CSP in the definition of its own template (which will serve as part of the Services Agreement);
- Provide instructions and explanatory notes to guide the cloud service customer when reading the PLA of a CSP with which it does, or is contemplating doing business.
PLA Working Group Timeline
Privacy Level Agreement Working Group Leadership
Privacy Level Agreement Co-chairs
Françoise Gilbert is Lead Outside Counsel to the CSA. She has focused on information privacy and security for more than 25 years. Francoise deals regularly with compliance challenges raised by cloud computing, connected objects, smart cities, big data, mobile applications, wearable devices, social media, and other cutting-edge developments. As a practicing attorney, she is a partner at Greenberg Traurig LLP in East Palo Alto, California, where she advises public companies, emerging technology businesses and non-profit organizations, on the entire spectrum of domestic and international privacy and cyber security issues legal issues.
Françoise is internationally recognized as a thought leader and expert in data privacy and cyber security. She was named “2014 San Francisco Lawyer of the Year” by Best Lawyers for her work in information privacy and security, and is listed in Chambers USA and Chambers Global (since 2008), Best Lawyers in America (since 2007), and Who’s Who in Ecommerce and Internet Law (since 1998). She is accredited as a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Professional (CIPP/US, CIPP/E) by the International Association of Privacy Professionals (IAPP).
Paolo Balboni (Ph.D.) is a top tier European ICT, Privacy & Data Protection lawyer and serves as Data Protection Officer (DPO) for multinational companies. Lead Auditor BS ISO/IEC 27001:2013 (IRCA Certified). Dr. Balboni (qualified lawyer admitted to the Milan Bar) is a Founding Partner of ICT Legal Consulting (ICTLC), a law firm with offices in Milan, Bologna, Rome, an International Desk in Amsterdam, and multiple Partner Law Firms around the world. He is the Co-Chair of the CSA Privacy Level Agreement Working Group, Scientific Director of the European Privacy Association based in Brussels and the Cloud Computing Sector Director and Responsible for Foreign Affairs at the Italian Institute for Privacy based in Rome.
Privacy Level Agreement Advisors
Chief Technology Officer, CSA
Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 of experience. He worked in several senior roles both in the private and public sector. He is member of various national and international security expert groups and committees on cyber-security and privacy, keynote speaker at several conferences and author of numerous studies and papers on risk management, cyber security and privacy.
Currently he is the Chief Technology Officer, at Cloud Security Alliance, where he is responsible to drive, on a global scale, the adoption of the technology strategy roadmap within key CSA lines of business: Research, Membership Services, Standards, Education and Products. He identifies technology trends, global policies and evolving social behavior and their impact on information security and on CSA’s activities.
Daniele leads the product management for CSA and chairs the Futures Advisory Committee.
Mr Catteddu is the co-founder and executive of the CSA Open Certification Framework / STAR Program. Moreover he leads definition and implementation of the CSA research agenda in Europe and manages the relations with European public institutions and is member of the CSA International Standardization Council.
He has been recently appointed as Member of the Policy and Scientific Committee of the European Privacy Association.
In past he worked at CSA as Managing Director for the EMEA Region, at ENISA (European Network and Information Security Agency), as Expert in areas of Critical Information Infrastructure Protection (CIIP) and Emerging and Future Risks Management, and in particular, having a leading role in developing EU cloud security research. Before joining ENISA, Daniele worked as an Information Security consultant in the banking and financial sector. Daniele graduated from the University of Parma (Italy) in Business Administration and Economics, and he is an ISACA Certified Information Security Manager.
Privacy Level Agreement Working Group Initiatives
There are no documents currently in peer review.
Other ways to Connect
Privacy Level Agreement Working Group News
January 14, 2013
The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group would like to invite you to review and comment on the Privacy Level Agreement document.
September 05, 2012
A Working Group to Support EU Data Protection Regulators’ Recommendation on Cloud Computing
July 16, 2012
The opinion, published July 2 as Document WP 196, analyzes the applicable data protection laws and obligations for companies providing, or using cloud computing services in the European Economic Area (EEA).
Privacy Level Agreement Working Group Downloads
PLA [V2] is intended to be used as an appendix to a Cloud Services Agreement, and to describe the level of privacy protection that the CSP will provide. While Service Level Agreements (“SLA”) are generally used to provide metrics and other information on the performance of the services, PLAs will address information privacy and personal…
Release Date: June 02, 2015
The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent matter, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers.
Release Date: February 24, 2013