International Commercial Law Blog

ISO 27018 sets data protection standards for the cloud

In July 2014, the International Organization for Standardization (“ISO”) and International Electrotechnical Commission (“IEC”) published ISO/IEC 27018 (ISO 27018), a code of practice that sets forth standards and guidelines pertaining to the protection of data consisting of “personally identifiable information” processed by public cloud service providers.

ISO/IEC 27018 is the first International Standard that focuses on the protection of personal data in the cloud. Although only a few months old, the new standard gives cloud customers a recognised benchmark against which to assess whether a provider is well placed to keep personal data private and secure. It should be read as a code of practice rather than a stand-alone certification scheme: its controls extend those of ISO/IEC 27002 and are intended to be applied within a provider's existing information security management system.

ISO/IEC 27018 specifies certain minimum types of security measures that cloud providers should adopt, if applicable, including encryption and access controls. The cloud standard also requires cloud providers to implement security awareness policies and make relevant staff aware of the potential consequences (for staff, the cloud provider and the customer) of breaching privacy and security rules.

As the first-ever standard that deals with the protection of personal data for the cloud, ISO/IEC 27018 has the following key objectives:

  1. Help cloud service providers that process personally identifiable information to address applicable legal obligations as well as customer expectations
  2. Enable transparency so customers can choose well-governed cloud services
  3. Facilitate the creation of contracts for cloud services
  4. Provide cloud customers with a mechanism to ensure cloud providers’ compliance with legal and other obligations

ISO/IEC 27018 provides a practical basis for building confidence in the cloud industry. At the same time, public cloud providers gain clear guidance on how to meet some of the legal and regulatory concerns of their clients.

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect “personally identifiable information” in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of “personally identifiable information” which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as “personally identifiable information” processors via cloud computing under contract to other organizations.

The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as “personally identifiable information” controllers; however, “personally identifiable information” controllers can be subject to additional “personally identifiable information” protection legislation, regulations and obligations, not applying to “personally identifiable information” processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.

As a guiding principle, the ISO/IEC 27018 standards and guidelines ensure that the cloud service customer retains the authority to determine the scope of any use and handling of its “personally identifiable information”. The following controls and implementation guidelines are set forth in ISO/IEC 27018 as generally applicable to cloud service providers processing “personally identifiable information”:

  1. Customer and end user control rights:
    1. A cloud service customer should have the means to enable the individual to whom “personally identifiable information” relates to access, correct and/or erase such “personally identifiable information”;
    2. “personally identifiable information” should not be processed for any purpose except pursuant to the instructions of the cloud service customer;
    3. “personally identifiable information” should not be used for marketing or advertising purposes without the customer’s consent;
    4. Temporary files and documents associated with “personally identifiable information” processing should be erased or destroyed by a cloud services provider within a specified period;
  2. Restrictions on disclosure to or access of 3rd parties to “personally identifiable information”:
    1. Law enforcement requests for disclosure of “personally identifiable information” must be notified to the cloud service customer (unless such notification is prohibited by law);
    2. Other requests for disclosure of “personally identifiable information” should be rejected except to the extent authorized by a cloud service customer;
    3. Data relating to disclosures of “personally identifiable information” to third parties should be recorded;
    4. Subcontractors should be disclosed in advance by a “personally identifiable information” processor;
    5. Unauthorized access to “personally identifiable information” or processing equipment or facilities resulting in the loss, disclosure or alteration of “personally identifiable information” should be disclosed to a cloud service customer;
    6. Anyone (including cloud service provider employees) associated with the processing of “personally identifiable information” should be subject to a confidentiality obligation;
  3. Treatment of Media Containing “personally identifiable information”:
    1. A number of additional restrictions should be maintained for information security purposes with respect to, inter alia, the creation of hard-copy materials displaying “personally identifiable information”, data recovery or restoration efforts, “personally identifiable information” stored on portable media, transmission of “personally identifiable information” over public networks, and the user IDs used to access stored “personally identifiable information”.

Consultation on the Insurance Block Exemption Regulation

The Insurance Block Exemption Regulation (“IBER”) is a sector-specific legal instrument that allows (re)insurers to benefit from an exemption to the prohibition of anti-competitive arrangements laid down in Article 101 (1) of the Treaty on the Functioning of the European Union (TFEU). At present, the exemption covers two types of agreements between (re)insurance undertakings:

  1. Agreements with respect to joint compilations, joint tables and studies; and
  2. Common coverage of certain types of risks (co (re)insurance pools).

The insurance sector is one of three sectors that still benefits from a block exemption regulation, since the concept of the direct applicability of the exemption of Article 101 (3) TFEU was introduced with Council Regulation 1/2003. The IBER expires on 31 March 2017 and the Commission will consider whether any parts of it would merit a renewal. In this regard, the Commission is required to submit a report on the functioning and the future of the IBER to the European Parliament and the Council by March 2016. The Commission is therefore gathering views and market information to carry out its assessment.

To that end the Commission has drawn up a Questionnaire and invited all stakeholders to submit relevant information on the functioning of the IBER, as well as their views on whether the Commission should renew any of the IBER provisions in a new block exemption regulation. Input from stakeholders will be a key element of the Commission’s assessment. The Commission welcomes comments in particular from (re)insurance undertakings, industry associations, insurance intermediaries, public authorities, consumer organisations and customers, as well as competition practitioners, researchers and think tanks. Comments from other stakeholders who have direct experience with the application of the IBER are also welcome.

The return of the Italian mandatory mediation procedure

On 24 October 2012, the Italian Constitutional Court declared invalid the provision of Legislative Decree n. 28 dated 4 March 2010 which had implemented the mandatory mediation procedure for the resolution of certain disputes.

Article 87 of the Italian Decree Law No. 69 of 21 June 2013 reintroduced the mandatory mediation for cross-border and domestic disputes, which had been covered by Italian Legislative Decree No. 28 of 4 March 2010.

The mandatory mediation procedure covers, among other matters, disputes on insurance matters (with the exception of motor third party liability litigation) and claims for medical and hospital liability.

Furthermore, among other changes, Section 185 bis has been introduced into the Italian Code of Civil Procedure. It requires the Court to “(…) formulate a proposal for amicable settlement or arrangement to the parties (…)” and specifies that “(…) the rejection of the proposal made by the Court, without a justified reason, shall constitute conduct that may be considered (…) for the purposes of the ruling”.

The new provisions concerning the mandatory mediation shall enter into force on 21 September 2013.

The Italian mandatory mediation procedure of cross-border and domestic disputes is effective as of 20 March 2011

By Legislative Decree No. 28 dated 4 March 2010 (the “Decree”), the European Mediation Directive 2008/52/EC (the “Directive”) has been implemented in Italy. The Directive is part of a European-wide initiative to promote and regulate the development of mediation throughout the EU. The Directive itself applies only to mediation in cross-border disputes, but nothing prevents Member States from applying its provisions to domestic mediation procedures as well.

The mediation procedures introduced by the Decree, which covers both cross-border and domestic disputes, only apply to claims/rights which can be freely disposed of by the relevant parties (“Diritti Disponibili”) as opposed to rights which cannot be freely disposed of by the relevant individuals (e.g.: Italian family law).

The Decree has introduced two kinds of mediation procedure:

  • a mandatory procedure which applies to any possible litigation in relation to insurance, banking and financial agreements as well as other matters such as joint ownership, property rights, division of assets, hereditary and family law, leases in general, gratuitous loans, leases of going concern, compensation for damages due to car/nautical accidents, medical liability or defamation/libel; and
  • a non-mandatory procedure which applies to any civil and commercial litigation regarding matters other than those listed above.

The mandatory mediation procedure is effective as of 20 March 2011 except for any possible litigation in relation to joint ownership and compensation for damages due to car/nautical accidents which will be effective as of 20 March 2012.

The procedure is mandatory in the sense that from such date all plaintiffs prior to bringing legal proceedings shall have to try to settle disputes falling within this “mandatory” category by mediation. Legal advisers to the relevant parties shall also have a duty to inform their clients about mediation and are under obligation to try to resolve disputes by way of mediation.

The mediation procedures established under the Decree may be brought before any of the mediation organisations mentioned in Article 16 of the Decree and the applicable procedure shall follow the rules applied by the body chosen by the parties.

However, where there are alternative mediation procedures available, the plaintiffs will have the option to use either the procedure as set out in the Decree or the alternatives. Two alternative mediation procedures are currently in force in Italy, which can be used instead of the mediation procedure under the Decree in relation to certain banking and financial disputes (see Legislative Decree No. 179 dated 8 October 2007 and art. 128 bis of the Italian Banking Law).

The European Court of Justice, in its Judgment of 18 March 2010 on the requests for a preliminary ruling in joined cases C-317/08, C-318/08, C-319/08 and C-320/08, held that EU directives and general principles do not preclude national legislation which imposes the prior completion of an out-of-court settlement procedure, provided that the procedure does not result in a decision which is binding on the parties, that it does not cause a substantial delay for the purposes of bringing legal proceedings, that it suspends the period for the time-barring of claims and that it does not give rise to costs (or gives rise to very low costs) for the parties, and only if electronic means are not the only means by which the settlement procedure may be accessed and interim measures are possible in exceptional cases where the urgency of the situation so requires.

The rule of unisex premiums and benefits will apply with effect from 21 December 2012

Directive 2004/113/EC prohibits all discrimination based on sex in the access to and supply of goods and services. Thus, in principle, the Directive prohibits the use of gender as a factor in the calculation of insurance premiums and benefits in relation to insurance contracts entered into after 21 December 2007.

By way of derogation, however, the Directive provides that Member States may, as from that date, permit exemptions from the rule of unisex premiums and benefits, so long as they can ensure that the underlying actuarial and statistical data on which the calculations are based are reliable, regularly updated and available to the public. Member States may allow such an exemption only if the unisex rule has not already been applied by national legislation. Five years after the transposition of the Directive into national law (i.e.: 21 December 2012) Member States must re-examine the justification for those exemptions, taking into account the most recent actuarial and statistical data and a report to be submitted by the Commission three years after the date of transposition of the Directive.

In its Judgment in Case C-236/09 Association belge des Consommateurs Test-Achats ASBL and Others v Conseil des ministres, the European Court of Justice first points out that equality between men and women is a fundamental principle of the European Union. Reference is made to Articles 21 and 23 of the Charter of Fundamental Rights of the European Union which prohibit any discrimination on grounds of sex and require equality between men and women to be ensured in all areas and to Article 2 of the Treaty establishing the European Community which provides that promoting such equality is one of the Community’s essential tasks. Similarly, Article 3(2) of the Treaty requires the Community to aim to eliminate inequalities and to promote equality between men and women in all its activities.

In the progressive achievement of that equality, it is for the EU legislature to determine, having regard to the development of economic and social conditions within the European Union, precisely when action must be taken. Thus it was – the Court states – that the EU legislature provided in the Directive that the differences in premiums and benefits arising from the use of sex as a factor in the calculation thereof must be abolished by 21 December 2007 at the latest. However, as the use of actuarial factors related to sex was widespread in the provision of insurance services at the time when the Directive was adopted, it was permissible for the legislature to implement the rule of unisex premiums and benefits gradually, with appropriate transitional periods.

In that regard, the Court notes that the Directive derogates from the general rule of unisex premiums and benefits established by the Directive, by granting Member States the option of deciding, before 21 December 2007, to permit proportionate differences in individuals’ premiums and benefits where, on the basis of relevant and accurate actuarial and statistical data, sex is used as a determining factor in the assessment of risks.

Any decision to make use of that option is to be reviewed five years after 21 December 2007, account being taken of a Commission report, but, ultimately, given that the Directive is silent as to the length of time during which those differences may continue to be applied, Member States which have made use of the option are permitted to allow insurers to apply the unequal treatment without any temporal limitation.

Accordingly, the Court states, there is a risk that EU law may permit the derogation from the equal treatment of men and women, provided for by the Directive, to persist indefinitely. A provision which thus enables the Member States in question to maintain without temporal limitation an exemption from the rule of unisex premiums and benefits works against the achievement of the objective of equal treatment between men and women and must be considered to be invalid upon the expiry of an appropriate transitional period.

Consequently, the Court rules that, in the insurance services sector, the derogation from the general rule of unisex premiums and benefits is invalid with effect from 21 December 2012.

New ISVAP Regulation No 35 2010 on transparency and advertising of insurance products

On 26 May 2010 ISVAP, the Italian insurance regulator, following a two-stage consultation process which began a couple of years ago, published Regulation No 35 (the “Regulation”) on the disclosure duties of insurance undertakings (with particular reference to pre-contractual information to proposed insured) and the advertisement of insurance products.

The Regulation shall apply to undertakings operating in the Italian market both under the freedom of establishment as set out in Article 49 of the Treaty and under the freedom to provide cross border services as set out in Article 56 of the Treaty.

The main purpose of the Regulation, which will come into force on 1 December 2010, is to strengthen the transparency and clarity of documents used in the offer of insurance products. The Regulation does not apply to reinsurance.

For the purpose of consolidating the duties of transparency and disclosure of insurance undertakings, ISVAP has introduced the obligation to deliver to policyholders an information booklet (“fascicolo informativo“) containing all general and special terms and conditions applicable to the insurance contract, the proposal form and an information notice (“nota informativa“).

In detail, the information booklet shall include:

  • a cover;
  • an information notice, which shall be drafted in accordance with the forms attached to the Regulation and provide more information to the insured than is required at present;
  • a glossary;
  • general terms and conditions; and
  • the proposal form, if any.

With regards to the information notice, ISVAP has developed new and more detailed schemes which shall include specific “warnings” concerning inter alia exclusions, limits and deductibles of the cover making references to each article of the terms and conditions of policy. For this reason it will be necessary to prepare an information notice for each single product which contains the information requested by ISVAP and the specific references to the related terms and conditions.

The Regulation includes prescribed forms of pre-contract information notice which are dependent upon class of business. These are:

  • annex 6 (non-life insurance);
  • annex 7 (accident insurance);
  • annex 8 (health insurance).

The purpose of the information notice is to enable the proposed insured to “come to a reasoned conclusion concerning contractual rights and obligations”, as set forth in Article 185 of the Private Insurance Code (the “Code”).

Since these forms are standard forms they cannot cover all specific aspects of all insurance contracts. Accordingly, each undertaking shall need to supplement them with additional clauses to ensure that the information notice meets the Regulation’s requirements.

Particular attention shall be given to those provisions regarding “policyholders’ and insureds’ burdens and obligations, nullity, time-limits, exclusions, suspension and limitation of the guarantee, subrogation”, which shall be highlighted in accordance with Section 166 of the Code, as implemented by the Regulation.

Moreover, the Regulation requires that the terms and conditions specify the policyholders’ premium payment obligations and highlight the risk that false or incomplete pre-contractual statements or representations by the policyholder may prejudice their right to performance of the contract.

In all cases, pursuant to Section 166 of the Code, the obligation to highlight the clauses mentioned above in the information notice shall also apply to any other part of the information booklet, including the terms and conditions of the policy and any other documents delivered to the policyholder prior to, on or after inception of the policy.

Finally, a declaration of the contracting party confirming delivery of the information booklet shall always be included in the policy pursuant to Section 32.2 of the Regulation.

The obligation to deliver the information booklet shall apply to all new insurance contracts concluded on or after 1 December 2010.

PUBLISHER

MDM Studio Legale
Avvocati - Attorneys - Rechtsanwälte
Via Santa Radegonda, 11
I-20121 Milan | Italy

T +39 02 36512684
F +39 02 36512731
E Enquiries
W www.mdmlex.com