International Commercial Law Blog

ISO 27018 sets data protection standards for the cloud

In July 2014, the International Organization for Standardization (“ISO”) and the International Electrotechnical Commission (“IEC”) published ISO/IEC 27018 (“ISO 27018”), a code of practice that sets out standards and guidelines for the protection of personally identifiable information (“PII”) processed by public cloud service providers acting as PII processors.

ISO/IEC 27018 is the first International Standard that focuses on the protection of personal data in the cloud. Although only a few months old, it should give cloud users a clearer basis for assessing whether their service provider is well placed to keep personal data private and secure. One caveat: ISO 27018 is a code of practice, not a certification standard in its own right. A provider demonstrates conformity by including the ISO 27018 controls in the scope of its ISO/IEC 27001 information security management system and having that system audited, so a customer should ask for the provider’s ISO 27001 certificate and Statement of Applicability rather than for an “ISO 27018 certificate”.

ISO/IEC 27018 specifies a minimum set of security measures that cloud providers should adopt where applicable, including encryption and access controls. It also requires cloud providers to implement security awareness policies and to make relevant staff aware of the potential consequences (for the staff member, the cloud provider and the customer) of breaching privacy and security rules.

As the first standard to deal specifically with the protection of personal data in the cloud, ISO/IEC 27018 has the following key objectives:

  1. Help cloud service providers that process PII (personally identifiable information) to address their applicable legal obligations as well as customer expectations
  2. Enable transparency so that customers can choose well-governed cloud services
  3. Facilitate the negotiation of contracts for cloud services
  4. Provide cloud customers with a mechanism to ensure the cloud provider’s compliance with legal and other obligations

ISO/IEC 27018 thus provides a practical basis for building confidence in the cloud industry, while giving public cloud providers clear guidance on how to meet some of the legal and regulatory concerns of their clients.

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (“PII”) in the public cloud computing environment, in accordance with the privacy principles of ISO/IEC 29100.

In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into account the regulatory requirements for the protection of PII that may apply within the information security risk environment(s) of a public cloud service provider.

ISO/IEC 27018:2014 applies to organizations of all types and sizes, including public and private companies, government entities and not-for-profit organizations, that provide information processing services as PII processors via cloud computing under contract to other organizations.

The guidelines in ISO/IEC 27018:2014 may also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations that do not apply to PII processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.

As a guiding principle, ISO/IEC 27018 is designed to leave the cloud service customer in control of the scope of any use and handling of its personally identifiable information (“PII”). The following controls and implementation guidelines set out in ISO/IEC 27018 are generally applicable to cloud service providers processing PII:

  1. Customer and end user control rights:
    1. The cloud service customer should have the means to enable the individual to whom PII relates to access, correct and/or erase that PII;
    2. PII should not be processed for any purpose except on the instructions of the cloud service customer;
    3. PII should not be used for marketing or advertising purposes without the customer’s express consent, and such consent should not be made a condition of receiving the service;
    4. Temporary files and documents associated with PII processing should be erased or destroyed by the cloud service provider within a specified, documented period;
  2. Restrictions on disclosure of PII to, or access to PII by, third parties:
    1. The cloud service customer should be notified of any legally binding request (for example from law enforcement) for disclosure of PII, unless such notification is prohibited by law;
    2. Other requests for disclosure of PII should be rejected except to the extent authorized by the cloud service customer;
    3. Disclosures of PII to third parties should be recorded, including what was disclosed, to whom and when;
    4. The use of subcontractors to process PII should be disclosed to the customer in advance;
    5. Any unauthorized access to PII, or to processing equipment or facilities, resulting in the loss, disclosure or alteration of PII should be notified to the cloud service customer;
    6. Anyone involved in the processing of PII (including cloud service provider employees) should be subject to a confidentiality obligation;
  3. Treatment of media containing PII:
    1. A number of additional restrictions should be maintained for information security purposes with respect to, among other things, the creation of hard-copy materials displaying PII, data recovery or restoration efforts, PII stored on transportable media, transmission of PII over public networks, and the user IDs used to access stored PII.

Cloud computing and International Law related issues

Cloud computing refers to IT services and resources, including infrastructure, platforms and software, that are provided to customers over the internet rather than through on-site installations of IT hardware and software (for a technical definition of cloud computing see the National Institute of Standards and Technology, NIST Special Publication 800-145).

Cloud computing allows companies to benefit from financial savings, from sharing costs with the other customers on the same cloud, and from efficiency gains, while their IT infrastructure is constantly upgraded and updated by the cloud computing provider.

Notwithstanding these benefits, cloud computing should be weighed against the risks it involves, including, among others, security, performance, service availability, contractual remedies and supplier stability.

From an International Law perspective, the key difference between traditional IT outsourcing and cloud computing is “where” the data resides or is processed, since data may be dispersed across, and stored in, multiple data centers all over the world. Moreover, the use of a cloud platform can result in multiple copies of the same data being stored in different locations. This can be true even of a “private cloud” operated for a single customer, where that cloud spans more than one site.

In fact, corporate customers should bear in mind that cloud computing is vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, malware, denial-of-service attacks or other attempts to harm the relevant systems. Data centers may be located in areas with a high risk of major earthquakes, may be subject to break-ins, sabotage and intentional acts of vandalism, and may suffer disruption if the operators of those facilities run into financial difficulties.

Above all, no system is fully redundant, and disaster recovery planning cannot account for every eventuality.

In addition, cloud computing products and services are highly technical and complex and may contain errors or vulnerabilities. Any error or vulnerability in such products or services, or damage to or failure of the underlying systems, could result in interruptions to the service, which could reduce revenues and profits or damage the corporate brand. Finally, internet, technology and media companies own large numbers of patents, copyrights, trademarks and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights relating to the cloud.

In light of the above, as corporate customers explore cloud computing as an IT outsourcing strategy, there are several legal issues that should be carefully considered. The implications of outsourced data handling, contract terms and conditions, intellectual property rights and proper insurance coverage are, among others, the key elements to be addressed from an International Law perspective. Carrying out due diligence on the proposed cloud vendor is therefore a crucial risk mitigation step.

Among others, the following key issues should be addressed:

  • Location: where the data are located at any given time, which law governs the contract and how potential disputes are to be settled; the customer may or may not be able to control this by contract, since the law of some jurisdictions can override the relevant contractual provisions;
  • Security and Performance: the backup, data restoration, disaster recovery, security and service levels that apply; what happens if the data center fails as a result of an event of “force majeure”, if the Internet connection goes down or if the cloud is hacked; and how these risks can be allocated by contract;
  • Legislation and Regulatory (including Privacy): many jurisdictions impose stringent rules on defence, health and financial services related information, which directly affect cloud computing. Stringent regulatory provisions and restrictions on the transfer of certain types of data across borders, and export or trade restrictions, may affect where data in the cloud can be stored and who can store it, or the transfer itself of data and applications to and from the cloud;
  • Intellectual Property: the IP rights granted to the customer and potential IP claims against the vendor should be properly assessed, and trade secrets and attorney-client privileged information should be protected by appropriate non-disclosure provisions;
  • Data Retention: in each jurisdiction there are legal and tax reasons that require corporate customers to retain data for longer than a cloud vendor may be prepared to keep it;
  • Insurance: whether the customer’s and the vendor’s insurance coverage extends to the risks identified above.


MDM Studio Legale
Avvocati - Attorneys - Rechtsanwälte
Via Santa Radegonda, 11
I-20121 Milan | Italy

T +39 02 36512684
F +39 02 36512731