Privacy Level Agreement Working Group
Introduction to the Privacy Level Agreement Working Group
Privacy is one of the top concerns for potential cloud customers. Both Cloud Service Providers (CSPs) and potential users struggle with different data protection legislation across the globe, where the inconsistencies between National legislations represent a significant barrier to a broad adoption of cloud computing.
Moreover, privacy compliance has become a fundamental evaluation criterion when choosing between Cloud Service Providers.
2012 has been a particularly important year of reforms on privacy, data protection, and cloud computing, with the publication of the European Commission proposal for a General Data Protection Regulation (amending the Directive 95/46/EC), the Article 29 Working Party </a href=”http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf”>Opinion 5/2012 on Cloud Computing and several national Data Protection Authorities’ recommendations on cloud (e.g., CNIL’s recommendations for companies using these new services, Italian DPA Cloud Computing: il Vademecum del Garante, Irish DPC Data Protection in the Cloud.
I think [the PLA Outline] is a very helpful document, both for potential customers of CSPs and for CSPs themselves.
By following closely the WP29 Opinion it ensures that both parties understand the obligations under EU law – probably the strictest requirements they will have to comply with.
Hopefully it will be accepted by CSPs that, if they want to be viewed as acceptable service providers – especially by EU-based organisations – they are going to have to be able to answer successfully the questionnaire that is annexed to the document.
Irish Data Protection Commissioner
The Singapore Ministry of Information, Communications and the Arts (“MICA”) has also released the draft Personal Data Protection Bill (“Draft Bill”). Parliament is expected to pass the Draft Bill in the third quarter of 2012. Reforms of the data protection and privacy legal framework are debated in other geography, as well, such as, for instance in USA.
With its mission to support the creation of a transparent and trusted cloud market and in order to remove barriers to cloud adoption, the CSA decided to define baselines for compliance with data protection legislation and best practices by defining a standard format for Privacy Level Agreements (PLAs) and standards, through which a cloud service provider declares the level of privacy (personal data protection and security) that it sustains for the relevant data processing.
The CSA believes that the PLA outline can be a powerful self-regulatory harmonization tool and could bring results that are difficult to obtain using traditional legislative means. Moreover, we see the PLA as:
- A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
- A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.
- A way to offer contractual protection against possible financial damages due to lack of compliance.
PLA are meant to be similar to SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the CSP will clearly declare the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing, in a format similar to that which is used by other CSPs. CSPs have realized the importance of privacy disclosures, and they are devoting time and resources at improving their privacy disclosures, in order to reassure the customers about their data handling practices. This working group will be working on the definition of a template (i.e., a sample outline) for PLA.
Transparency and information are key to build trust in the cloud ecosystem.
This is why the CNIL has actively contributed to the elaboration of the PLA-outline.
As it gets gradually adopted by CSPs, it will become an important building block for constructing a modern ethical and privacy-preserving framework, adequate to the challenges that face all stakeholders in the digital world.
President of the CNIL
CSA PLA Initiative Process
Step 1 will be completed by a team of data protection law professionals (familiar with cloud services) from different Member States. Such team can be assembled using the fellows of the European Privacy Association (EPA), as well as privacy officers from industries.
Step 2 will be completed by a team of selected members of the Step 1 team and selected data protection law professionals (familiar with cloud services) representing the different regions of the world.
Step 3 will be completed by a team of selected members of WG involved in Step 1 and 2.
The PLA Working Group is by invitation only, even though unsolicited candidatures will be considered by the Working Group Co-Chairs.
Working Group Scope and Objectives
The initial scope is for Europe, as the EU Member States have the most stringent regulation on privacy compared to the rest of the world.
The initial PLA Outline deliverable should be seen as a timely answer to Article 29 WP Opinion 05/2012 on Cloud Computing, as well as a complement to the CSA Open Certification Framework initiative.
This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flaw is concerned.
A Privacy Level Agreement (PLA) has twofold objectives:
- Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
- Offer contractual protection against possible economical damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.
Working Group Milestones
The project will be structured in 3 phases:
Define structure and content of the PLA template, based on current or anticipated EU and OECD privacy principles:
- List the necessary fields to be filled in the PLA according to the principles of EU privacy law, OECD Guidelines (taking into consideration the general duties of CSPs’ and the general needs of users with respect to data protection).
Adapt European model to global privacy needs:
- Perform a gap analysis on the EU PLA template aiming at producing a Global PLA template;
- List the necessary fields to be filled out in the PLA according to global privacy principles and legislation, and taking into consideration CSPs’ obligations and users’ needs;
- Provide instructions and explanatory notes to guide the CSP in the definition of its own template (which will serve as part of the Services Agreement);
- Provide instructions and explanatory notes to guide the cloud service customer when reading the PLA of a CSP with which it does, or is contemplating doing business.
PLA Working Group Timeline
Privacy Level Agreement Working Group Leadership
Privacy Level Agreement Co-chairs
Privacy Level Agreement Advisors
Managing Director EMEA
Daniele Catteddu, is the Managing Director, EMEA, in Cloud Security Alliance, where he is responsible for the definition and execution of the company strategy in EU, Middle East and Africa. He also leads CSA participation in FP7 projects, coordinates European CSA Chapters research projects and manage the relations with European public institutions. In past worked at ENISA (European Network and Information Security Agency), as Expert, where he was responsible of projects in the areas of Resilience and Critical Information Infrastructure Protection (CIIP) and in particular he was supporting EU Member States in implementing the security obligations in the new European Framework Directive on Telecommunication. He has also worked within ENISA as a risk management expert, on various activities in the area of the Emerging and Future Risks, and in particular, having a leading role in developing EU cloud security research. Before joining ENISA, Daniele worked as an Information Security consultant in the banking and financial sector. Daniele is the author of the study: “Security and Resilience in Governmental Clouds” as well as co-author of the reports: “Cloud Computing: Benefits, risks and recommendations for information security” and “Cloud Computing: Information Assurance Framework”. He is member of various national and international security expert groups on cloud computing security and privacy, invited speaker at conferences and workshops (e.g. Digital Agenda Assembly, Word Economic Forum cloud workshop, OASIS Cloud Symposium, etc). Daniele graduated from the University of Parma (Italy) in Business Administration and Economics, and he is an ISACA Certified Information Security Manager and Certified Information Systems Auditor.
Privacy Level Agreement Working Group Initiatives
There are no documents currently in peer review.
Privacy Level Agreement Working Group News
January 14, 2013
The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group would like to invite you to review and comment on the Privacy Level Agreement document.
September 05, 2012
A Working Group to Support EU Data Protection Regulators’ Recommendation on Cloud Computing
July 16, 2012
The opinion, published July 2 as Document WP 196, analyzes the applicable data protection laws and obligations for companies providing, or using cloud computing services in the European Economic Area (EEA).
Privacy Level Agreement Working Group Downloads
PLA [V2] is intended to be used as an appendix to a Cloud Services Agreement, and to describe the level of privacy protection that the CSP will provide. While Service Level Agreements (“SLA”) are generally used to provide metrics and other information on the performance of the services, PLAs will address information privacy and personal…
Release Date: June 02, 2015
The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent matter, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers.
Release Date: February 24, 2013