For the past eight years, the annual International Computers, Privacy & Data Protection Conference has gathered together expert academics, computer scientists, lawyers, and policymakers to debate the latest legal, regulatory, academic and technological developments in privacy and data protection.
I was honored to be asked this year to contribute some remarks during a panel discussion on “Cross-Border Flows of Personal Information for Financial Services”. My fellow panelists included Jan-Willem Verheijden, Policy Officer at the European Commission; Steve Wood, Head of Policy Delivery at the UK’s Information Commissioner’s Office; and Nohyoung Park, Professor of Law at Korea University.
Taking part in this session gave me the chance to reflect upon how much progress has been made in enabling Microsoft’s enterprise cloud customers in the financial services sector to comply with their sector-specific regulations.
The financial services sector is one where obligations are commonly imposed on financial institutions which outsource their data processing. Among other things, these ensure that service providers can undertake processing effectively and to appropriate standards, that they agree to regulatory supervision, and that they will disclose any material changes which could affect the service.
The extent to which financial services companies are able to exploit cloud technology to its full potential has also been the subject of a hot debate. This is of vital importance, because such services can directly impact not only individual citizens’ interests, but also the national interests of any given country’s financial sector.
When Microsoft started tackling our customers’ cloud computing needs, we knew it was crucial to engage with both financial services regulators and with European data protection authorities from the outset.
For instance, last year Microsoft’s enterprise cloud contracts were approved by European data protection authorities for meeting the high standards set by EU privacy law for transferring data outside the European Economic Area. This milestone was possible through close cooperation and consultation with privacy regulators, which enabled us to implement the EU “model clauses”. This now means that, if and when personal data held in Microsoft’s enterprise cloud leaves the European Economic Area, it does so in a manner that is compliant with European law.
Similarly, in November 2012, Microsoft came to an agreement with the Dutch National Bank, the Netherlands’ financial services regulator, which enabled our customers to satisfy the regulator that it would continue to have effective supervisory authority over the regulated entity when that entity places its data in Microsoft’s cloud. Since then we’ve developed similar agreements with financial services regulators around the world.
A recurring concern for financial services customers is that regulations require them to have greater control over their cloud operating environment.
To provide customers with this necessary level of oversight, Microsoft has developed a compliance program specifically focused on giving customers the chance to assess controls within their cloud services, to access information and engage directly with Microsoft personnel on how the services are operating, and to be notified of any changes which could impact the provision of their services.
Protecting customer data by tackling the ever-present threat of cybercrime is another core concern for Microsoft.
To thwart cybercriminals’ activities, we work closely with a range of law-enforcement and industry partners, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing. Our work with the FS-ISAC is focused on intelligence sharing, providing vital insights into the global cyber threat landscape affecting the financial services industry, including distributed denial of service attacks and financial botnet attacks. Together we are able to better protect both FS-ISAC’s members and Microsoft customers from cyber-threats.
Above all, there is a need for increased transparency when it comes to cloud computing.
This issue lies at the heart of a case Microsoft is currently fighting in a U.S. court, relating to a request made by U.S. authorities for Microsoft to hand over customer data stored in its servers in Dublin, Ireland. With the backing of industry, media, civil society and European policymakers, Microsoft is challenging the U.S. government’s request.
The case raises important questions about the ability of the U.S. government to issue search warrants for data held outside the U.S., given that the government clearly cannot search homes or business premises abroad. In this way, Microsoft continues to demonstrate its commitment to protect customer data.
Transparency into Microsoft’s cloud services is further enhanced through compliance with ISO 27018 – a new international standard which is the first privacy standard for the cloud. It is built on ISO/IEC 27001, a widely adopted international information security standard. ISO 27018 extends ISO 27001 in a number of important ways, including controls that reflect considerations specific to the processing of personally identifiable information in cloud services. For example, the ISO 27018 controls prohibit the use of customer data for advertising and marketing purposes without the customer’s express consent. ISO 27018 also provides clear standards for cloud service providers on the return, transfer and/or secure disposal of the personal information of customers leaving their service. It further requires the cloud service provider to identify any sub-processor before customers enter into a contract, and to inform customers promptly of new sub-processors, giving customers an opportunity to object or to terminate their agreement. Microsoft is the first major cloud service provider to receive this certification.
Over the last five years, enterprise cloud services have evolved to keep up with an ever-changing landscape of competitive positioning, customer requirements and legal and regulatory interventions.
Microsoft is committed to working with regulators and other stakeholders to support a regulatory environment for cloud computing in the financial services sector that is both effective and workable. By listening closely to the needs of customers and regulators alike, we can integrate these requirements into the architecture of our cloud services – built on a foundation of trust, transparency and cooperation.