Google's new privacy policy (and its plans to create user profiles across multiple online services) has drawn fire from European data protection authorities. Online and mobile retailers and service providers should take account of a renewed emphasis on transparency and proportionality in collecting data about users.
Yesterday the National Institute of Standards and Technology announced "the final release of Special Publication 800-145, The NIST Definition of Cloud Computing." NIST's definition of Cloud Computing has been very influential in setting tent pegs in the ground to cabin the scope and discussion of the often nebulous definition of cloud computing.
In the next in our series of free webinars on cloud computing, Information Law Group Attorney Richard Santalesa examines implications arising from NIST's "Guidelines on Security and Privacy in Public Cloud Computing," with a focus on the legal considerations any team tasked with implementation of security best practices will need to grapple with.To register for this free one hour webinar on May 24 at 12pm ET, visit - http://bit.ly/kyRdku
The UK Information Commissioner's Office announces new rules for website cookies, which will normally require explicit user consent.
I hope you will tune in Monday, January 31, 2011, 8-9 am Pacific (11-12 Eastern), to Privacy Piracy, audio streaming on www.kuci.org (or locally in Southern California on KUCI 88.9 FM in Irvine, CA). Mari Frank will interview me on hot topics in information law and compliance.
Earlier today, the European Commission released documents setting out the road map for revision of the European data protection rules, including the EU Data Protection Directive 95/46/EC. The strategy is based on the Commission's position that an individual's ability to control his or her information, have access to the information, and modify or delete the information are "essential rights that have to be guaranteed in today's digital world." The Commission set out a strategy on how to protect personal data while reducing barriers for businesses and ensuring free flow of personal data within the European Union.
Needless to say, due in part to our numerous writings on the legal ramifications of Cloud computing, the InfoLawGroup lawyers have been involved in much Cloud computing contract drafting and negotiating, on both the customer and service provider side. As a result, we have seen a lot in terms of negotiating tactics, difficult contract terms and parties taking a hard line on certain provisions. During the course of our work, especially on the customer side, we have seen certain "roadblocks" consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing, and in some instances can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it might be a good idea to create a very basic "Bill of Rights" to serve as the foundation of a cloud relationship, and allow for more transparency and enable a better understanding of potential legal risks associated with the cloud.
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
Social networking entails some risks and responsibilities. It may implicate privacy and labor law, confidentiality and nondisclosure agreements, advertising regulations, defamation, and other legal regimes, across borders in a global medium. Users, and their employers, need to be aware of these risks and responsibilities in deciding how to make best use of social media.
It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.
The European Court of Justice rules that Google is not liable for automated keyword advertising based on brand names. Advertisers, however, may be liable under trademark and fair competition laws if the ads misleadingly suggest that they link to the trademark owner.