International Commercial Law Blog

ISO 27018 sets data protection standards for the cloud

In July 2014, the International Organization for Standardization (“ISO”) and International Electrotechnical Commission (“IEC”) published ISO/IEC 27018 (ISO 27018), a code of practice that sets forth standards and guidelines pertaining to the protection of data consisting of “personally identifiable information” processed by public cloud service providers.

ISO/IEC 27018 is the first International Standard that focuses on protection of personal data in the cloud. Although only a few months old, the new standard should finally give cloud users confidence that their service provider is well-placed to keep data private and secure.

ISO/IEC 27018 specifies certain minimum types of security measures that cloud providers should adopt where applicable, including encryption and access controls. The standard also requires cloud providers to implement security awareness policies and to make relevant staff aware of the potential consequences (for staff, the cloud provider and the customer) of breaching privacy and security rules.

As the first-ever standard that deals with the protection of personal data for the cloud, ISO/IEC 27018 has the following key objectives:

  1. Help cloud service providers that process personally identifiable information to address applicable legal obligations as well as customer expectations
  2. Enable transparency so customers can choose well-governed cloud services
  3. Facilitate the creation of contracts for cloud services
  4. Provide cloud customers with a mechanism to ensure cloud providers’ compliance with legal and other obligations

ISO/IEC 27018 gives cloud service customers a practical basis for confidence in the cloud industry. At the same time, public cloud providers gain clear guidance on meeting some of the legal and regulatory concerns of their clients.

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect “personally identifiable information” in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of “personally identifiable information” which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as “personally identifiable information” processors via cloud computing under contract to other organizations.

The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as “personally identifiable information” controllers; however, “personally identifiable information” controllers can be subject to additional “personally identifiable information” protection legislation, regulations and obligations, not applying to “personally identifiable information” processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.

As a guiding principle, the ISO/IEC 27018 standards and guidelines preserve the cloud service customer’s authority to determine the scope of any use and handling of its “personally identifiable information”. The following controls and implementation guidelines are set forth in ISO/IEC 27018 as generally applicable to cloud service providers processing “personally identifiable information”:

  1. Customer and end user control rights:
    1. A cloud service customer should have the means to enable the individual to whom “personally identifiable information” relates to access, correct and/or erase such “personally identifiable information”;
    2. “personally identifiable information” should not be processed for any purpose except pursuant to the instructions of the cloud service customer;
    3. “personally identifiable information” should not be used for marketing or advertising purposes without the customer’s consent;
    4. Temporary files and documents associated with “personally identifiable information” processing should be erased or destroyed by a cloud services provider within a specified period;
  2. Restrictions on third-party disclosure of, or access to, “personally identifiable information”:
    1. Law enforcement requests for disclosure of “personally identifiable information” must be disclosed to a cloud service customer (unless such disclosure is prohibited by law);
    2. Other requests for disclosure of “personally identifiable information” should be rejected except to the extent authorized by a cloud service customer;
    3. Data relating to disclosures of “personally identifiable information” to third parties should be recorded;
    4. Subcontractors should be disclosed in advance by a “personally identifiable information” processor;
    5. Unauthorized access to “personally identifiable information” or processing equipment or facilities resulting in the loss, disclosure or alteration of “personally identifiable information” should be disclosed to a cloud service customer;
    6. Anyone (including cloud service provider employees) associated with the processing of “personally identifiable information” should be subject to a confidentiality obligation;
  3. Treatment of media containing “personally identifiable information”:
    1. A number of additional restrictions should be maintained for information security purposes, with respect to, inter alia, the creation of hard copy materials displaying “personally identifiable information”, data recovery or restoration efforts, “personally identifiable information” stored on transportable media, transmission of “personally identifiable information” over public networks, and user IDs for access to stored “personally identifiable information”.

ICC releases revised International Code of Direct Selling

Since 1937, when the first Code of Advertising Practice was issued, ICC has produced, and successively revised, global sets of ethical rules, covering all main marketing disciplines. The ICC Code of Direct Selling forms part of that comprehensive ICC normative system.

In 2006 many of the marketing codes were consolidated into one document, the Consolidated ICC Code of Advertising and Marketing Communication Practice, revised in 2011. As direct selling is primarily a method of distribution, the Direct Selling Code remains a stand-alone document; however, by reference it is clearly linked to the Consolidated Code, which is the recognized global reference point for responsible marketing communications.

The ICC Code of Direct Selling was first published in 1978 and followed the already then well-established ICC policy of promoting high standards of ethics in marketing via self-regulatory codes, intended to complement the existing frameworks of national and international law.

Like its predecessor (2007), this edition has been developed in close co-operation with the World Federation of Direct Selling Associations (WFDSA). That has ensured the Code is based on the best available expertise, and kept apace with changes in practice and direct selling techniques. The WFDSA has also adopted a world code of conduct applicable exclusively to members of direct selling associations. There is conformity in substance between the ICC Code and the industry code. The ICC Code is to be followed by all involved in direct selling.

Direct selling, as defined by the ICC Code, “refers to the selling of products directly to consumers, generally in their homes or the homes of others, at their workplace and other places away from permanent retail locations, where the direct seller may explain or demonstrate products.”

The Direct Selling Code is an instrument for self-discipline, but may also be used by the courts as a reference document within the framework of applicable legislation. The ICC Code is also able to fill in the gap in countries which have not created direct selling laws.

The Direct Selling Code spells out responsible conduct towards consumers, such as the rule that a consumer’s age must not be exploited and that product demonstrations should be complete with regard to price, and it also covers recruitment practices in the direct selling industry.

Recent changes include a section on referral selling stipulating that consumers should not be induced to make a purchase based on the assumption of a reduced price for customer referrals. The ICC Code also requires that direct selling companies communicate the contents of the Code to their direct sellers and that compliance with the standards of the Code should be a condition for membership in the company’s distribution system. In keeping with the principle of truthfulness, the ICC Code specifies that “descriptions, claims, illustrations or other elements relating to verifiable facts should be capable of substantiation.”

See the ICC International Code of Direct Selling

See the Consolidated ICC Code of Advertising and Marketing Communications Practice

New edition of UNIDROIT Principles of International Commercial Contracts adopted

The Governing Council of UNIDROIT at its 90th session formally adopted on 10 May 2011 the third edition of the Principles of International Commercial Contracts (“UNIDROIT Principles 2010”).

The UNIDROIT Principles 2010 contain new provisions on restitution, illegality, plurality of obligors and obligees, and conditions, while with respect to the text of the 2004 edition the only significant changes made relate to the Comments to Article 1.4.

The new edition of the UNIDROIT Principles consists of 211 Articles (as opposed to the 120 Articles of the 1994 edition and the 185 Articles of the 2004 edition), structured as follows:

  1. Preamble (unchanged)
  2. Chapter 1: General provisions (unchanged)
  3. Chapter 2:
    1. Section 1: Formation (unchanged)
    2. Section 2: Authority of agents (unchanged)
  4. Chapter 3:
    1. Section 1: General provisions (containing former Articles 3.1 (amended), 3.2, 3.3 and 3.19 (amended))
    2. Section 2: Grounds for avoidance (containing former Articles 3.4 to 3.16, 3.17 (amended), 3.18 and 3.20, and a new Article 3.2.15)
    3. Section 3: Illegality (new)
  5. Chapter 4: Interpretation (unchanged)
  6. Chapter 5:
    1. Section 1: Content (unchanged)
    2. Section 2: Third Party Rights (unchanged)
    3. Section 3: Conditions (new)
  7. Chapter 6:
    1. Section 1: Performance in general (unchanged)
    2. Section 2: Hardship (unchanged)
  8. Chapter 7:
    1. Section 1: Non-performance in general (unchanged)
    2. Section 2: Right to performance (unchanged)
    3. Section 3: Termination (containing former Articles 7.3.1 to 7.3.5, 7.3.6 (amended) and a new Article 7.3.7)
    4. Section 4: Damages (unchanged)
  9. Chapter 8: Set-off (unchanged)
  10. Chapter 9:
    1. Section 1: Assignment of rights (unchanged)
    2. Section 2: Transfer of obligations (unchanged)
    3. Section 3: Assignment of contracts (unchanged)
  11. Chapter 10: Limitation periods (unchanged)
  12. Chapter 11:
    1. Section 1: Plurality of obligors (new)
    2. Section 2: Plurality of obligees (new)

PUBLISHER

MDM Studio Legale
Avvocati - Attorneys - Rechtsanwälte
Via Santa Radegonda, 11
I-20121 Milan | Italy

T +39 02 36512684
F +39 02 36512731
E Enquiries
W www.mdmlex.com