3 Cloud computing and legislative challenges
An interministerial working group has reviewed laws and regulations and assessed which legislation poses challenges for using cloud computing. The working group has also proposed possible amendments. The motivation behind this work has been to maintain protection of personal data, sound security, and preservation of important documents for posterity. The working group has weighed the intention of current legislation against today’s technological reality, and has considered whether it is possible to uphold this intention and at the same time allow the potential of cloud technology to be exploited.
When current legislation is weighed against cloud computing, the main question that emerges is how to regulate where data can be stored. No existing regulations explicitly regulate the use of technology on which cloud services are based, but by setting requirements that data be stored inside a specific geographical area, laws and regulations can impose limits on use of the public cloud.
There are two important laws – in addition to the Security Act – that clearly impose requirements on where data must be stored: the Archives Act and the Bookkeeping Act. The Personal Data Act also imposes requirements on data storage and processing, but these are less restrictive regarding which countries personal data may be stored or processed in.
Public Archives Act
Public bodies are obligated to hold archives that are designed in such a way as to ensure that documents be secured as information sources now and for posterity; cf. Public Archives Act, section 6. Public bodies must therefore set requirements to cloud service providers regarding availability, confidentiality and integrity (see chapter 4 for further discussion on the terms and conditions for use of cloud computing in the public sector).
Section 9(b) of the Public Archives Act states that archive material may not be «sent out of the country». Consequently, storage of archives in a cloud service using servers located outside Norway is in violation of the Act, even if an enterprise has deemed the nature of the archive content to be such that it can be stored abroad. Under the same section, the Director-General of the National Archives may nonetheless give special consent to such storage.
The Public Archives Act and pertinent regulations do not regulate the use of cloud services for private individuals, organisations or enterprises. The Director-General of the National Archives may stipulate that private legal entities with public-sector affiliation comply with the Regulations relating to the Public Archives; cf. Public Archives Act, sections 19 and 20.
The Ministry of Culture has begun work on revising the Regulations pursuant to the Archives Act and will consider the need for amendments to the Public Archives Act. One of the intentions behind this work is to adapt archiving regulations to digitisation. In connection with this work, the ministry will consider the need for revision to allow public bodies to use cloud services with servers located outside Norway for archiving purposes.
The Director-General of the National Archives is also considering what requirements should be set in order to grant special consent to storing archives in cloud services located outside Norway. The Director-General of the National Archives aims to complete this work during spring 2016.
The Bookkeeping Act used to be one of the laws that posed the most obstacles to digitisation for business and industry because it restricted the physical storage of accounting records. Following its amendment, most accounting material may now be stored digitally. Because accounting and invoice processing are well suited as cloud services, requirements for storage of bookkeeping data deserve particular attention.
The current Bookkeeping Act states that enterprises with a bookkeeping obligation may «store electronically accounting material in another EEA country if an agreement or pact with that country ensures Norwegian tax authorities satisfactory access to accounting information during the storage period and if such storage does not impede effective Norwegian police investigation». The regulations pertaining to the act state that only the Nordic countries currently satisfy these requirements. Enterprises may therefore store their accounting data in a cloud service based in the Nordic countries, subject to notifying the Norwegian Tax Administration accordingly. It can be difficult to find public cloud service providers that can guarantee storage in the Nordic countries. This creates uncertainty, particularly for small enterprises that know they can reduce their costs by using cloud services for accounting and invoice processing.
It is possible to apply for an exemption to store data in other countries. Such exemptions are regularly granted for storing information abroad as part of a common accounting solution within a group company or similar amalgamated entities. The condition is that they must have electronic access to the accounting data from Norway.
The purpose of the storage requirement is to give the Norwegian Tax Administration access to bookkeeping data for inspections. Accordingly, an enterprise wishing to use cloud services for processing or storing data outside the Nordic region may do so as long as a copy of the accounting data is transferred to Norway or another approved country as soon as possible and no later than seven months after the end of the financial year.
The Government will monitor future EU initiatives in this area and consider introducing measures that satisfy legal requirements to ensure Norwegian national authorities access to the information in such a way as to allow for storage in more countries than is allowed at present.
The EU and the Digital Single Market
Other countries have rules similar to Norway's with regard to accounting data. In May 2015 the European Commission launched its Digital Single Market (DSM) Strategy. Initiatives to address restrictions on the free flow of data inside the EEA and unnecessary restrictions on data storage and processing represent a key element in the DSM strategy. Accounting and bookkeeping data are identified as an area in which countries often require storage within their own borders.
The purpose of the Security Act is to counteract threats against the sovereignty and security of the state and other vital national security interests. The Act should also help provide legal protection to individuals and ensure confidence in and control of the security services. The Act applies to administrative bodies and to enterprises supplying classified equipment and services to administrative bodies.
The requirements set out in the Security Act and the Protection Instruction regulating how information systems are administered make it inexpedient to store such information with foreign service providers. The Norwegian National Security Authority (NSM) is the only body that can approve and give permission to use such services for classified documents. NSM must approve all information systems that are to process, store or transmit classified information. Electronic documents that are subject to the Protection Instruction must be processed in the same way as classified documents under the Security Act.
The Government has appointed a commission to propose a new legal basis for preventive national security (Security Commission). The recommendations put forward by the commission should ensure that new legislation takes into account technology developments, demographic developments and changes in the security situation. The commission will submit its report in autumn 2016.
Data protection and confidentiality
One area of uncertainty, although one where regulations do not pose particular obstacles to using cloud services, is the storage of personal data. Nonetheless, regulation of this area sets important conditions for the use of services in the public cloud.
The Personal Data Act stipulates that personal data «may only be transferred to countries which ensure an adequate level of protection of the data». Consequently, personal data cannot simply be transferred to countries outside the EEA. However, some exceptions apply. One of them is that individual transfers may be approved in advance by the Norwegian Data Protection Authority; provided the agreement with the data processor is based on the EU’s model clauses, this constitutes a legal basis for transferring the data. Moreover, some countries outside the EU, such as Canada, Australia and Switzerland, are already approved by the EU as secure recipient countries. Previously it was also permitted to transfer data to enterprises in the United States that were certified under the Safe Harbour scheme. The European Court of Justice declared the scheme invalid in autumn 2015, but a new scheme is expected to replace it: the EU-US Privacy Shield (see text box).
In the wake of this ruling, a number of considerations have had to be taken into account when entering into agreements involving the transfer of data to the United States. Until a new framework is in place, enterprises must use contracts that cover the EU’s model clauses for personal data and notify the Norwegian Data Protection Authority.
EU–US Privacy Shield
The EU–US Privacy Shield is a framework designed to protect the rights of EU citizens when personal data pertaining to them is transferred to enterprises in the United States. The new framework will place more stringent requirements on enterprises to protect personal data. Furthermore, US authorities will be required to monitor and enforce the framework.
There must be clear rules for and oversight of when US authorities may access data that is transferred to the United States under the new framework. This was one of the areas which, according to the European Court of Justice, was inadequately protected under the Safe Harbour framework.
Source: European Commission press release: EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield, 2 February 2016.
Many enterprises wonder if they must take the Snowden revelations into account when considering the use of cloud computing. Despite the debate fuelled by Edward Snowden’s disclosures, no changes have been made to Norwegian legislation or practice relating to the processing or storage of personal data or other data subject to confidentiality obligations. A country can determine its own regulations for how, for example, security authorities may gain access to data to combat terrorism or crime. Challenges arise when different countries making extensive use of data exchange have different views of what is acceptable when it comes to the right to monitor data and communication. These challenges need to be resolved at an international level.
New data protection regulation for the EU
For a long time now the EU has been working on introducing new legislation for processing personal data. The current Directive on Privacy and Electronic Communications applies inside the EEA. Because the Directive has been implemented in different ways in different countries, adapting to it proves difficult for enterprises operating in multiple countries, as cloud service providers often do.
Unlike a directive, a general data protection regulation would automatically become law in all EU member states, and likely also be incorporated into the EEA Agreement.
The EU member states have now reached agreement on the content of the new regulation. The issues in the regulation most relevant to cloud computing are presented below:
- Previously, the data controller was held responsible if data was lost, illegally accessed, etc. Under the new regulation, this responsibility will be shared between the data controller and the data processor. This means that more onus is placed on the cloud service provider as data processor.
- The right to transfer personal data between service providers will be established (the right to portability). In principle, this right applies to consumers, but since a growing number of service providers must develop mechanisms to manage this, it will likely also affect the commercial market.
- Customers – both consumers and enterprises (and any enterprise customers who are affected) – must be notified of data breaches or loss as soon as possible.
- Data may be transferred outside the EU provided the rules adopted by the European Commission are complied with.
- The regulation applies to all enterprises based in the EEA. It also applies for enterprises that process personal data pertaining to EEA citizens as the result of providing goods and services in the EEA, regardless of where those enterprises are based.
- It will become more important for all enterprises administering personal data to comply with this legislation. Non-compliance with the regulation may result in penalties of up to 4 per cent of worldwide turnover.
The regulation is expected to apply from 2018.
Duty of confidentiality
According to the Public Administration Act, any party who «performs services or work for an administrative body» is obligated to keep confidential all information concerning personal matters and business-related information that must be kept secret for competitive reasons. If a public sector enterprise enters into an agreement with a private company to process or store data, the duty of confidentiality will also apply to any employees in the company who are made privy to confidential information. It is important to ensure that the duty of confidentiality be incorporated into agreements with service providers who use subcontractors.
The eGovernment Regulations state that the risk of illegal access by means of electronic communications must «be prevented in a satisfactory manner». The Regulations also state that «the administrative body must provide information about how confidential information and personal data are secured while being processed by the administrative body». This applies to the use of ICT in general, not specifically to the use of cloud services.
There is a need to oversee the ICT systems used by enterprises in many different sectors. Many supervisory authorities therefore conduct on-site supervision within their areas of responsibility. Enterprises using cloud services will find it difficult to meet supervisory requirements for physical control of their ICT systems. For example, most cloud service providers want to limit the number of persons admitted to their data centres because unauthorised persons pose a security threat.
Security requirements for ICT systems and infrastructure can also make it difficult for enterprises to decide whether or not to use cloud services. Statutory security requirements for ICT systems in different sectors are often complicated. For enterprises subject to regulations that apply in different sectors (such as enterprises providing both energy and communication services), the lack of harmonisation of requirements between sectors poses a challenge. This often emerges in connection with supervision and in the way in which supervisory authorities apply their respective regulations.
The Government will undertake a general examination of the supervisory function in multiple sectors in order to review issues relating to increased use of cloud services. On-site supervision, cross-border supervision, and system security requirements are issues which many supervisory authorities have to address and where there is a need to establish a common practice. A key question involves the use of third-party audits and how to ensure that enterprises conducting such audits are fully independent.
Measure: Eliminate uncertainty caused by unclear legislation regarding the use of cloud services
The Government will:
- Revise the Regulations pursuant to the Public Archives Act and, where appropriate, the Public Archives Act, to better adapt archiving regulations to digitisation. Among other things, it will consider the need for revision to allow public bodies to use cloud services with servers located outside Norway for archiving purposes.
- Assess the possibilities for expanding the number of countries where bookkeeping data can be stored legally outside Norway. Important measures in this area are already under way in the EU, and Norway will monitor developments closely.
- Harmonise supervisory practices as far as possible, so that enterprises do not encounter conflicting requirements regarding cloud computing from different supervisory authorities.
- Contribute to the EU's work on establishing common criteria (standards, certification schemes, etc.) for cloud computing.