Privacy Level Agreement Working Group
Introduction to the PLA Working Group
Privacy is one of the top concerns for potential cloud customers. Both Cloud Service Providers (CSPs) and potential users struggle with different data protection legislation across the globe, where the inconsistencies between National legislations represent a significant barrier to a broad adoption of cloud computing.
Moreover, privacy compliance has become a fundamental evaluation criterion when choosing between Cloud Service Providers.
2012 has been a particularly important year of reforms on privacy, data protection, and cloud computing, with the publication of the European Commission proposal for a General Data Protection Regulation (amending the Directive 95/46/EC), the Article 29 Working Party Opinion 5/2012 on Cloud Computing and several national Data Protection Authorities’ recommendations on cloud (e.g., CNIL's recommendations for companies using these new services, Italian DPA Cloud Computing: il Vademecum del Garante, Irish DPC Data Protection in the Cloud.
I think [the PLA Outline] is a very helpful document, both for potential customers of CSPs and for CSPs themselves.
By following closely the WP29 Opinion it ensures that both parties understand the obligations under EU law - probably the strictest requirements they will have to comply with.
Hopefully it will be accepted by CSPs that, if they want to be viewed as acceptable service providers - especially by EU-based organisations - they are going to have to be able to answer successfully the questionnaire that is annexed to the document.
Irish Data Protection Commissioner
The Singapore Ministry of Information, Communications and the Arts ("MICA") has also released the draft Personal Data Protection Bill ("Draft Bill"). Parliament is expected to pass the Draft Bill in the third quarter of 2012. Reforms of the data protection and privacy legal framework are debated in other geography, as well, such as, for instance in USA.
With its mission to support the creation of a transparent and trusted cloud market and in order to remove barriers to cloud adoption, the CSA decided to define baselines for compliance with data protection legislation and best practices by defining a standard format for Privacy Level Agreements (PLAs) and standards, through which a cloud service provider declares the level of privacy (personal data protection and security) that it sustains for the relevant data processing.
The CSA believes that the PLA outline can be a powerful self-regulatory harmonization tool and could bring results that are difficult to obtain using traditional legislative means. Moreover, we see the PLA as:
- A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
- A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.
- A way to offer contractual protection against possible financial damages due to lack of compliance.
PLA are meant to be similar to SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the CSP will clearly declare the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing, in a format similar to that which is used by other CSPs. CSPs have realized the importance of privacy disclosures, and they are devoting time and resources at improving their privacy disclosures, in order to reassure the customers about their data handling practices. This working group will be working on the definition of a template (i.e., a sample outline) for PLA.
Transparency and information are key to build trust in the cloud ecosystem.
This is why the CNIL has actively contributed to the elaboration of the PLA-outline.
As it gets gradually adopted by CSPs, it will become an important building block for constructing a modern ethical and privacy-preserving framework, adequate to the challenges that face all stakeholders in the digital world.
President of the CNIL
Working Group Scope and Objectives
The initial scope is for Europe, as the EU Member States have the most stringent regulation on privacy compared to the rest of the world.
The initial PLA Outline deliverable should be seen as a timely answer to Article 29 WP Opinion 05/2012 on Cloud Computing, as well as a complement to the CSA Open Certification Framework initiative.
This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flaw is concerned.
A Privacy Level Agreement (PLA) has twofold objectives:
- Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
- Offer contractual protection against possible economical damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.
Working Group Milestones
The project will be structured in 3 phases:
Define structure and content of the PLA template, based on current or anticipated EU and OECD privacy principles:
- List the necessary fields to be filled in the PLA according to the principles of EU privacy law, OECD Guidelines (taking into consideration the general duties of CSPs' and the general needs of users with respect to data protection).
Adapt European model to global privacy needs:
- Perform a gap analysis on the EU PLA template aiming at producing a Global PLA template;
- List the necessary fields to be filled out in the PLA according to global privacy principles and legislation, and taking into consideration CSPs' obligations and users' needs;
- Provide instructions and explanatory notes to guide the CSP in the definition of its own template (which will serve as part of the Services Agreement);
- Provide instructions and explanatory notes to guide the cloud service customer when reading the PLA of a CSP with which it does, or is contemplating doing business.
PLA Working Group Timeline
Join the PLA Working Group
- Join the PLA Working Group email announcement list.
CSA PLA Initiative Process
Step 1 will be completed by a team of data protection law professionals (familiar with cloud services) from different Member States. Such team can be assembled using the fellows of the European Privacy Association (EPA), as well as privacy officers from industries.
Step 2 will be completed by a team of selected members of the Step 1 team and selected data protection law professionals (familiar with cloud services) representing the different regions of the world.
Step 3 will be completed by a team of selected members of WG involved in Step 1 and 2.
The PLA Working Group is by invitation only, even though unsolicited candidatures will be considered by the Working Group Co-Chairs.
A public call for review when every volunteer can participate will be launched the day after the publication of the first PLA deliverable, expected for Q3 2012.
CSA PLA Initiative Co-chairs
Please contact the Working Group co-chairs at: [email protected]
Key Links & Resources
June 02, 2015
February 24, 2013
February 24, 2013
The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent matter, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers.
August 27, 2012
PLA Working Group News
January 14, 2013
The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group would like to invite you to review and comment on the Privacy Level Agreement document.
September 05, 2012
A Working Group to Support EU Data Protection Regulators’ Recommendation on Cloud Computing
July 16, 2012
The opinion, published July 2 as Document WP 196, analyzes the applicable data protection laws and obligations for companies providing, or using cloud computing services in the European Economic Area (EEA).