On Monday 16 January 2015 Microsoft announced that they had adopted the first international Cloud privacy standard.
The standard in question is ISO/IEC 27018, the code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
A ZDNet article entitled “Microsoft adopts international cloud privacy standard” was published yesterday which provided Microsoft’s summary of this development:
… under the standard, enterprise customers will have control of their data; will be informed of what’s happening with their data, including whether there are any returns, transfers, or deletion of their personal information; and will be protected with “strong security” by ensuring that any people processing personally identifiable information will be subject to a confidentiality obligation.
At the same time, Microsoft has ensured that it will not use any data for advertising purposes, and that it will inform its customers if their data is accessed by the government.
Other news announcements included:
- Microsoft Azure is first major cloud provider to adopt ISO 27018 privacy standard, Ms Smith, Network World, 16 February 2015
- Microsoft beats rivals to certify under new public cloud security standard, Business Cloud News, 17 February 2015
- Microsoft becomes first vendor to adopt latest international cloud privacy standard, James Bourne, Cloudtech, 17 February 2015
The latter article highlights one limitation of the standard: “Microsoft added the new standard forces them to inform users about government access to data, unless the disclosure is prohibited by law”. This seems to suggest that if the UK Government requests data held by Microsoft in their Cloud service, conformance with the standard will require them to publicise such disclosure; however, this would not be the case in the US, where such disclosure is seemingly prohibited by law.
Andrew Cormack, in a post on Janet’s Regulatory Developments blog, pointed out that Microsoft’s new ISO/IEC 27018 standard covers “their Azure, Office365 and Intune cloud services”. This should be a pleasing development for institutions which are making use of Microsoft’s Cloud services. But where does this leave Google, Amazon and other major Cloud services?