
Newly-Adopted Privacy Standards for Cloud Service Providers

The International Organization for Standardization’s new cloud standard, ISO/IEC 27018, is a code of practice that extends the ISO/IEC 27002 security controls to public cloud service providers acting as processors of personal data. It strives to ensure that such providers (Amazon, Google, and Rackspace, for example) “offer suitable information security controls to protect the privacy of their customers’ clients” by securing the personally identifiable information (PII) entrusted to them. The standard, published by ISO and the International Electrotechnical Commission in August 2014, is voluntary. It is expected to be followed by ISO/IEC 27017, which will cover the non-privacy information security aspects of cloud computing.

According to the ISO, the new standard is intended as “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system ….” Broadly, ISO 27018 addresses the questions of confidentiality and security of the customer’s personal information and the prevention of its unauthorized use.

Because ISO 27018 is a code of practice rather than a management system standard, a provider is in practice certified against ISO/IEC 27001 with the ISO 27018 controls included in the audit scope. To obtain that certification, a cloud service provider must pass an initial audit by an accredited certification body and remain subject to periodic surveillance reviews. The aim of certification is transparency between the cloud service provider and its customer: it lets a customer select a provider that has demonstrated to an independent certification body that it meets the standard’s control requirements, rather than relying on the provider’s own assurances.

Among the requirements of ISO 27018 are that all personal information be processed only on the customer’s instructions; that the provider not make consent to use the customer’s information for marketing or advertising purposes a condition of providing the cloud service; that disclosure of information to third parties be restricted; that policies be implemented for the return or disposal of personal data; and that any sub-processors, and the possible locations where personal information may be stored or processed, be disclosed before a service contract is entered into.

In this age of data privacy concerns, ISO 27018 certification may be an important criterion for many customers who are selecting a public cloud service provider for the first time, or deciding whether to switch providers.

©2024 Carlton Fields, P.A.