While the US government dithers due to Congressional gridlock and the quadrennial electioneering showmanship, there’s some sanity coming from the UK.
Recently, Amazon (and previously, Microsoft) submitted third-party certifications to the UK data protection watchdog, the ICO.
Here’s what the ICO said (emphasis mine).
From TheRegister.co.uk:
While the ICO welcomed the CSA’s STAR initiative, which has been operating since the end of last year, it told Out-Law.com that organisations cannot rely on the information available from cloud providers or other external certifications, to ensure their own compliance with UK data protection laws.

“The Data Protection Act does not stop the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it, this includes if it is being stored in the cloud outside of the UK,” a spokesperson for the ICO said. “While any scheme aimed at ensuring people’s information is adequately protected in line with an organisation’s requirements under the Act is to be welcomed, organisations thinking of using cloud service providers must understand that they are still responsible for the safety of that data. Just because their cloud service provider is registered with such a scheme, does not absolve the organisation who collected the data of their legal responsibilities,” they added.

The spokesperson said that the ICO is “currently developing new guidance for UK organisations to explain their legal requirements under the Act when processing and storing personal information in the cloud” and would publish the guidance in the autumn.

Two of the biggest issues with cloud services in terms of data protection compliance for organisations are their perceived inability to audit the service provider in order to verify compliance and perceived loss of control over the data for which they are responsible.
via Cloudy punters can’t rely on ‘certified’ CSPs for data protection • The Register.