In August this year (to not a great deal of fanfare), ISO published a new security standard for cloud services: ISO/IEC 27018 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (“ISO 27018”). Datonomy reported in May this year that this new standard was on its way. This publication is a welcome step towards ensuring compliance with the principles of privacy laws and further boosting customer confidence in cloud computing technologies. Here are Datonomy’s questions and answers on this new security standard.

What’s the aim of ISO 27018?

The standard’s aim is to create a common set of security controls that can be implemented by a public cloud computing service provider that is processing personal data on behalf of another party.

How is ISO 27018 structured?

The standard is based on (and follows a similar …
On August 19, 2014, more than one year after the first draft bill of an IT Security Act, the German Federal Ministry of the Interior published the new draft bill of the Act, aimed at boosting the security of information technology systems. The full title of the legislation is “Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme” (IT-Sicherheitsgesetz) (“IT Security Act”). The new rules are still subject to change but look likely to come into force in early 2015.

General overview

In fact, the IT Security Act will not be an individual law, but will amend the Act on the Federal Office for Information Security, the Telecommunication Act, the Telemedia Act and the Act on the Federal Criminal Police Office as well as the Act on the German Federal Office of Information Security. The IT Security Act contains five central topics and provides for:
CNIL’s recent ruling against Orange has wider lessons for all data controllers who rely on processors and sub-processors to process personal data. Datonomy’s correspondent in Paris analyses the issues.

Facts

In its deliberation dated 7 August 2014 (but only published on 25 August), the CNIL issued, for the first time, a public warning (i.e. no fine has been imposed on Orange, but the sanction consists in the publication of CNIL’s ruling on its website) against a telecoms operator on the basis of personal data breach requirements (pursuant to Article 34 bis of the French data protection act 1978). On 25 April 2014, Orange notified the CNIL of a technical failure in one of its marketing sub-processors, resulting in the leak of personal data (name, surname, birth date, email address and phone number) concerning 1.3 million subscribers. Following this notification, the CNIL investigated Orange and its processors’ premises and found …
Our quarterly IT and data protection newsletter keeps you informed of current legal issues, decisions and events in the technology sector in Germany. We hope you enjoy reading. This edition covers the following topics.

I. Canvas Fingerprinting – Tracking without Cookies
II. District Court of Berlin: WhatsApp must provide terms and conditions in German, and improve the legal notice
III. “No-Spy decree” of the German Federal Ministry of Interior requires guarantee in procurement procedures
IV. German Supreme Court: Collection of minors’ personal data for marketing purposes in the course of a competition is not permitted
V. ECJ: Copies on the user’s computer screen as well as in the ‘cache’ of a computer’s hard disk, created in the course of viewing a website, do not infringe copyright

This is the link to the full version.