CSA Official Press Release
Published 06/03/2015
Cloud Security Alliance Releases New Privacy Level Agreement Guidelines to Address Personal Data Protection Compliance
Powerful Self-regulatory Tool to Help Cloud Customers Better Understand and Evaluate Cloud Service Providers European Union Wide
LONDON - Infosecurity Europe – June 3, 2015 - The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group today released the Privacy Level Agreement (PLA) v2, a powerful tool that provides cloud customers and potential customers, of any size, with a mechanism to identify a baseline of mandatory personal data protection legal requirements across the European Union (EU). It also allows cloud customers the ability to evaluate the level of personal data protection offered by different cloud service providers (CSPs). PLA v2 also addresses the needs of CSPs by providing a guidance to achieve compliance with mandatory privacy legislations across the EU and a simple way to disclose, in a structured way, the level of personal data protection that they offer to customers.
“The continued reliance and adoption of the PLA by cloud service providers worldwide has been an important building block for developing a modern and ethical privacy-rich framework to address the security challenges facing enterprises worldwide,” said Daniele Catteddu, EMEA Managing Director of CSA. “This next version that addresses personal data protection compliance will be of significant importance in building the confidence of cloud consumers.”
Initially released in 2013, the PLA provides a structure for CSPs to disclose, in a consistent matter, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers. The updated release provides CSPs not only with a mechanism to support transparency but also, and most importantly, with a tool to achieve compliance with the EU-wide personal data protection legislations. It also provides cloud customers with a tool to understand and evaluate CSP EU-wide personal data protection compliance.
Key elements covered in the PLA v2 are:
- Identity of the CSP, its role, and the contact information for the data protection inquiries
- Ways in which the data will be processed
- Data transfer
- Data security measures
- Monitoring
- Personal data breach notification
- Data portability, migration and transfer back assistance
- Data retention, restitution and deletion
- Accountability
- Cooperation
- Legally required disclosure
"PLA V2 is a valuable tool to guide CSPs of any size to address EU personal data protection compliance," said Dr. Paolo Balboni, Co-Chair of the PLA Working Group, top tier European ICT, Privacy & Data Protection lawyer, Founding Partner of ICT Legal Consulting. “In a market where customers still struggle to assess CSP data protection compliance, PLA v2 aims to fill this gap and facilitate customer understanding”
“EMC as a sponsor of CSA PLA Working Group recognizes the CSA PLA v2 as a timely, key industry deliverable to enable CSPs and their clients to establish trust and transparency with respect to the EU data protection and privacy regulations, as well as with industry regulators,“ said Wayne M. Adams, Senior Technologist, Corporate Office of the CTO for EMC. “As many enterprises rapidly move forward implementing their hybrid cloud strategies in the European Union with CSPs based in both Europe and globally, PLA v2 provides the structure to assess CSP compliance and capabilities."
The CSA PLA Working Group was formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on Cloud Computing into an easy to use outline that CSPs can use to disclose personal data handling practices. The scope and objective of the PLA Initiative was previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on the cloud computing. Since then, the PLA Working Group has been working to define a structured method for communicating the level of privacy that a CSP agrees to maintain.
The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from Data Protection Authorities. Organizations interested in PLA sponsorship opportunities can learn more by downloading the PLA Initiative Research Sponsorship Outline.
About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Media Contact: Kari Walker [email protected] 703.928.9996
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.