Norwegian Data Protection Authority
Postal address: P.O. Box 8177 Dep, N-0034 OSLO
Office address: Tollbugt 3
Telephone: +47 22396900
Fax: +47 22422350
Org. No.: +47 974761467
Website: www.datatilsynet.no
Municipality of Moss - Chief Executive
P.O. Box 175
N-1501 Moss
Your reference:
Our reference (please quote in correspondence): 11/01198-4/LON
Date: 21 September 2012
Reply - Use of Microsoft Office 365 cloud computing services - Municipality of Moss
Reference is made to the e-mail of 9 November 2011 from the Municipality of Moss and
subsequent correspondence, where the Data Protection Authority was requested to evaluate
the data processor agreement between the municipality and Microsoft regarding use of the
Office 365 cloud computing services.
Background
The Municipality of Moss would like to move parts of its e-mail services to the cloud computing
service Office 365 provided by Microsoft. In connection with this process, the municipality has
engaged the services of the law firm SIMONSEN Advokatfirma DA (SIMONSEN) to carry out a legal
review of the data processor agreement with Microsoft, and the municipality, in cooperation with
Det Norske Veritas (DNV), has also carried out a qualitative risk assessment based on the
municipality's anticipated usage pattern. The Data Protection Authority, the Municipality of Moss
and Microsoft have also held dialogue meetings in order to address relevant issues in further detail.
In this letter, the Data Protection Authority will first comment on the evaluations made by
SIMONSEN regarding the data processor agreement before addressing other issues associated
with use of Office 365.
Comments on SIMONSEN's review of the data processor agreement
1) Purpose of the agreement and types of processing
If an enterprise processes personal data on behalf of another, with the consequence that the first-
mentioned enterprise is considered the latter enterprise's processor, cf. Section 2 no. 5 of the
Personal Data Act, it follows from Section 15 of the Act that the enterprises must enter into a
data processor agreement. It is stated in this section that the agreement must fulfil certain
specific criteria:
”No processor may process personal data in any way other than that which is agreed in writing
with the controller. Nor may the data be turned over to another person for storage or
manipulation without such agreement.
It shall also be stated in the agreement with the controller that the processor undertakes to
carry out such security measures as ensue from section 13.”
The municipality has stated that a data processor agreement has been entered into, and
reference is made to Microsoft's Enterprise Enrollment Addendum – Office 365 Data Processing
Agreement (hereinafter ”the Agreement”). In the following, the Data Protection Authority will
review the various requirements stipulated in Section 15, in light of the municipality's account
of the scope of the Agreement.1
Requirement for a written agreement
Firstly, the controller and the processor are obliged to enter into a written agreement
regarding the processing of personal data in question. It follows from the case documents
that this requirement has been complied with.
Limitation of the purpose of the Agreement
Secondly, it follows from Section 15 of the Act that the processor cannot process the personal
data in any way, or for purposes, other than that which is agreed with the controller. This
presupposes that the agreement defines the relevant processing methods and processing
purposes.
This also entails that the processor has to abide by the instructions provided by the controller
regarding the data processing in question, and the processor is limited to the processing
purposes and processing methods which are available to the controller according to the Personal
Data Act.
If the supplier processes personal data in other ways, or for other purposes, than those agreed,
this will entail a breach of the data processor agreement. In addition, the supplier will assume
controller responsibility for any data processing not covered by the Agreement. If so, the
supplier will be liable for compliance with all legal requirements associated with such
processing.2
The municipality has – with reference to Section 1 of the Agreement titled ”Privacy” – provided
an account of Microsoft's access to the personal data processed via the service.3 It is stated
that the information is only processed for purposes associated with provision of the Office 365
service. The Agreement also refers to the underlying services covered by Office 365.
1 Simonsen's memo dated 29 September 2011.
2 Whether these legal requirements follow from the Norwegian Personal Data Act will depend on whether the
conditions stipulated in Section 4 of the Personal Data Act have been fulfilled.
3 The nature of the personal data is described in the following manner: ”Customer data”, which according to the
municipality is defined as ”all data, including text, audio or image files distributed to Microsoft using Office 365”.
In general, the Data Protection Authority finds that these sections of the Agreement provide an
acceptable description of which personal data are to be processed, in which manner they are to
be processed and for what purposes. Based on this, it is assumed that the required limitation of
purposes pursuant to Section 15 of the Act is fulfilled.
Prohibition against turning information over to others
It follows from Section 1 litera d of the Agreement that Microsoft cannot turn data over to
others without obtaining approval from the municipality. Thus, this issue is in agreement with
Section 15 of the Act.
In addition, it is stated that Microsoft may be obliged to turn information over to ”law
enforcement [authorities]”. The Data Protection Authority assumes that this concerns orders for
disclosure of personal data from jurisdictions other than Norway, for example in connection
with investigation of criminal offences. Provided that such an order is legally binding on the
service provider, and that the subsequent disclosure of information is not contrary to other
provisions in Norwegian acts and regulations, such disclosure by the service provider for the
above-mentioned processing purposes may take place.
However, the controller should also make sure that the processor will be able to guarantee
that no personal data will be disclosed to law enforcement authorities of any other countries
unless the above-mentioned criteria have been met.4
In addition, the data subjects should be informed of such possible disclosure, cf. the
principles stipulated in Section 19, literas c and e of the Personal Data Act.
2) Clear segregation of the information
Cloud computing services such as Office 365 handle personal data from many different
enterprises, and are to a large degree based on virtualisation technology and logical security
barriers. The personal data legislation requires that personal data linked to different legal
entities be kept properly segregated from each other.
In its assessment, SIMONSEN notes that it is not clearly apparent that the Agreement takes
these requirements into account. The Data Protection Authority is also of the opinion that the
Agreement does not specifically address measures linked to segregation of personal data from
different controllers.
However, in connection with the Data Protection Authority's dialogue with Microsoft, reference
was made to the website Office 365 Trust Center5, established for the purpose of informing clients
about protection of privacy and security in connection with Office 365. In this case, specific
reference was made to the documents Security in Office 365 White Paper6 and Office 365 Security
and Service Continuity Service Description7, and the following is a quote from the latter:
4 Cf. Section 3.4.2 no. 13 of the Article 29 Data Protection Working Party's Opinion 05/2012 on Cloud Computing,
cf. also Section 4.1, fifth indent, third bullet point.
5 http://www.microsoft.com/en-us/office365/trust-center.aspx
Data isolation: Data storage and processing is logically segregated among customers of the
same service through Active Directory® structure and capabilities specifically developed to help
build, manage, and secure multitenant environments. The multitenant security architecture
ensures that customer data stored in shared Office 365 data centers is not accessible by or
compromised to any other organization. Organizational units (OUs) in Active Directory control
the prevention of unauthorized and unintended information transfer via shared system
resources. Tenants are isolated from one another based on security boundaries, or silos,
enforced logically through Active Directory.
The Data Protection Authority is of the opinion that logical mechanisms for separation of data,
usually together with other security measures, may fulfil the requirements stipulated in the
personal data legislation. However, it is the responsibility of the Municipality of Moss to ensure
that the processor's security measures are efficient and adequate for the processing in question
based on its own risk assessment.
Based on its risk assessment, the Municipality of Moss has informed the Data Protection
Authority that it considers Microsoft's measures to be very good and satisfactory. The Data
Protection Authority will abide by the assessment of the municipality.
3) Data security and audits
Section 13 of the Personal Data Act and Chapter 2 of the Personal Data Regulations have
provisions addressing issues such as risk assessments, implementation and documentation of
security measures as well as security audits of communication partners and suppliers.
Security measures in Office 365 are described in Section 4 of the Agreement on a general level,
and the areas addressed are mainly those covered by the ISO 27002 standard. In its comments, SIMONSEN
emphasises the importance of carrying out a risk assessment and documenting that the security
measures are adequate, and the Data Protection Authority agrees with this.
The Data Protection Authority's basis is that the Municipality of Moss, in cooperation with DNV,
has carried out a risk assessment of Office 365, which the municipality considers to be satisfactory
and good. This assessment points out several risks and measures which the municipality must
evaluate prior to an implementation of the service.
Section 4 of the Agreement has provisions on security audits, and may be
summarised as follows:
6 http://www.microsoft.com/en-us/download/details.aspx?id=26552
7 http://www.microsoft.com/en-us/download/details.aspx?id=13602
Microsoft has established a management system for data security based on the ISO
27001 standard, and it is certified compliant with the standard.
There will be at least one annual third party audit according to ISO 27001.
A confidential summary audit report is to be prepared, and the Municipality of Moss will
receive a copy upon request to Microsoft.
On the basis of the summary report, the Municipality of Moss will be able to evaluate
whether the security measures in Office 365 are in accordance with the Agreement and
the requirements of the municipality.
The Data Protection Authority bases this on Article 29 Data Protection Working Party's
Opinion 05/2012 on Cloud Computing8, where independent third party audits are addressed
as follows:
Individual audits on data hosted in a multi-party, virtualized server environment may be
impractical technically and can in some instances serve to increase the risks to those physical
and logical network security controls in place. In such cases, a relevant third party audit chosen
by the controller may be deemed to satisfy in lieu of an individual controller’s right to audit.
[...]
In the context of cloud computing, potential customers should look to see whether cloud
services providers can provide a copy of this third party audit certificate or indeed a copy
of the audit report verifying the certification [...].
Although the Article 29 Data Protection Working Party goes a long way towards recognising third
party audits, it will probably be challenging for the Municipality of Moss to determine which parts
of the comprehensive audit report will cover the information it is interested in. As far as the Data
Protection Authority knows, there is currently no summary report available to the Municipality of
Moss, which makes it difficult to determine whether this may be considered a satisfactory
management tool.
It will be up to the Municipality of Moss to follow this up and carry out the necessary
assessments.
Ensuring the supplier complies with the Agreement
It follows from Section 14 of the Personal Data Act on internal control that the controller must
establish planned and systematic measures to ensure compliance with the statutory
requirements. This obligation rests with the controller, not the processor.
This means that issues such as how to process personal data, which procedures to use, and how to
enforce compliance, must be regulated in the agreements between the controller and the
processor. Requirements relating to internal control also cover other duties in addition to data
security, such as no processing of information for purposes other than those agreed, erasing of
information and use of third countries.
8 http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
It is the viewpoint of the Data Protection Authority that it is necessary to confirm that the
processor complies with the Agreement through third party audits (unless the controller carries
out audits himself), in the same manner as for data security, cf. point 3) above. This is to ensure
that the controller safeguards the requirement for systematic measures to ensure compliance
with the Act.
4) Access control
Section 13 of the Personal Data Act, cf. Sections 2-11, 2-12 and 2-13 of the Personal Data
Regulations, stipulates that measures must be implemented to ensure satisfactory data
security with regard to confidentiality, integrity and accessibility.
As mentioned by SIMONSEN in its assessment, it is stated in Section 1 of the Agreement that
only authorised personnel at Microsoft will be able to process data from the Municipality of
Moss, and that these personnel are bound to secrecy. There are also a range of requirements
relating to access control, authentication and authorisation.
In connection with the Data Protection Authority's dialogue with Microsoft, reference was made to
Office 365 Trust Center for more detailed information, and in particular the document
Administrative Access9. This document has a more detailed classification of various types of
information in the solution and which access levels have been established.
The municipality must assess whether the access control is satisfactory, but the Data Protection
Authority has no further comments regarding this issue.
5) Authorised and unauthorised use
Section 2-8, third subsection and Section 2-14, second subsection of the Personal Data
Regulations stipulate that authorised and unauthorised use of the information system must be
registered. Section 2-16 stipulates that information on such registrations and all other events of
significance for data security must be stored for at least three months.
It is stated in Section 4 of the Agreement that Microsoft is to register information about security
breaches and have this information accessible for a period of at least six months. SIMONSEN
considers the Agreement to be vague and inadequate as regards this issue, and not in agreement
with the requirements stipulated in the personal data legislation. This is also the viewpoint of the
Data Protection Authority.
In connection with the Data Protection Authority's dialogue with Microsoft, reference was made
to the document Standard Response to Request for Information – Security and Privacy10. This is an
overview showing how Microsoft Online Services (including Office 365) ensures compliance with
the requirements related to issues such as security and protection of privacy prepared by the
Cloud Security Alliance (CSA)11. Reference is made in particular to the following requirements
from CSA (requirement SA-15 in the Cloud Controls Matrix12):
9 http://www.microsoft.com/online/legal/v2/?docid=24
10 http://www.microsoft.com/en-us/download/details.aspx?id=26647
Audit logs recording privileged user access activities, authorized and unauthorized access
attempts, system exceptions, and data security events shall be retained, complying with
applicable policies and regulations. Audit logs shall be reviewed at least daily and file
integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate
timely detection, investigation by root cause analysis and response to incidents. Physical and
logical user access to audit logs shall be restricted to authorized personnel.
Microsoft goes on to describe its compliance with the requirement as follows:
Access to logs is restricted and defined by policy and logs are reviewed on a regular basis.
“Audit logging” is covered under the ISO 27001 standards, specifically addressed in Annex A,
domain 10.10.1. For more information review of the publicly available ISO standards we are
certified against is suggested.
Based on this description, the Data Protection Authority is still uncertain whether Microsoft
is in compliance with the specific requirements stipulated in Sections 2-8, 2-14 and 2-16 of
the Personal Data Regulations.
6) Transfer of personal data to third countries
Storage and processing in Microsoft's data centres
It follows from Section 29 of the Personal Data Act that personal data may only be transferred
to states that ensure proper processing of the information. In practice, this entails that
transfers to countries other than the member states of the EU and the EEA countries will be
precluded as a general rule.
There are exceptions, however. The data exporter may issue individual guarantees, for example,
or the EU Commission may decide that certain individual states are safe destinations.13
The municipality has stated that Section 1 litera e of the Agreement allows for transfer of
personal data to Microsoft's data centres in the United States and Europe, but also in other
states.
11 https://cloudsecurityalliance.org/
12 https://cloudsecurityalliance.org/wp-content/uploads/2011/08/CSA_CCM_v1.2.xlsx
13 Cf. Section 30, second subsection and Section 29 of the Personal Data Act, cf. Section 6-1 of the Personal Data
Regulations, respectively.
Transfer to the USA
It follows from Article 1 of the EU Commission's Decision 2000/520/EC of 26 July 2000 that the
Safe Harbor principles ensure an adequate level of protection, to the extent described in Article
25 (1) and (2) of Directive 95/46/EC. It also follows from the same provision that personal data
may be exported from EU/EEA countries to enterprises established in the United States, subject
to the conditions stipulated in this article. Decisions by the EU Commission are binding for
Norway, cf. Section 6-1 of the Personal Data Regulations.
Publicly available information shows that ”Microsoft Corporation and its Controlled U.S.
Subsidiaries” (hereinafter ”Microsoft Corp.”) are certified under the Safe Harbor program.14
Based on the assumption that all relevant data centres in the United States are part of Microsoft
Corp. and thus comprise part of the Safe Harbor certified enterprise, transfer of personal data
from Norway to these data centres will be in compliance with Section 29 of the Personal Data
Act.
Transfer to other third countries
As mentioned above, Microsoft allows for transfer of personal data to data centres other than
those located in the United States and the EEA Area. Such transfer of personal data to countries
other than those mentioned above in Section 5 must be approved in advance by the Data
Protection Authority, on the basis of individual guarantees issued by the controller, cf. Section 30
second subsection of the Personal Data Act.
If the controller and the processor enter into the model agreement included in the annex to
the EU Commission's Decision of 5 February 2010 (2010/87/EU), and this is approved in
advance by the Data Protection Authority, cf. Section 30, second subsection, the information
may be transferred to a third country in pursuance of the Agreement's standard clause 11.
However, such transfers from the data importer to a subcontractor require prior written
approval from the controller:
”The data importer shall not subcontract any of its processing operations performed on
behalf of the data exporter under the Clauses without prior written consent of the data
exporter”
Thus, use of subcontractors requires that the controller (data exporter) issues written consent
to the processor (data importer) in advance. The nature of such consent was discussed by the Article
29 Data Protection Working Party in its opinion on Cloud Computing, where the WP29 stated the
following:
“In the view of the WP29, the processor can subcontract its activities only on the basis of the
consent of the controller, which may be generally given at the beginning of the service with a
clear duty for the processor to inform the controller of any intended changes concerning the
addition or replacement of subcontractors with the controller retaining at all times the
possibility to object to such changes or to terminate the contract. There should be a clear
obligation of the cloud provider to name all the subcontractors commissioned.”
14 http://safeharbor.export.gov/companyinfo.aspx?id=15738
The question of whether this approval in advance must be issued specifically in each individual
case, or whether it is sufficient to issue a general consent, has been discussed in further detail
in the WP29's working document WP 176:15
“Model Clauses 2010/87/EU do not specify this. According to the Working Party, it is up to the
controller to decide if general prior consent would be sufficient or if specific consent is
required for each new sub processing.”
In other words, the controller must make a decision regarding this issue, in light of the following
factors:
“This decision will probably vary depending on the context of the processing, the type of data
(sensitive or not), and the level of involvement of the controller for this type of choice. Some
controllers may decide that a full prior check of the identity of each sub processor is necessary
while others may consider that prior information (clause 5.h), the duty to communicate the
clause (clause 5.j) and the guarantee to have the same level of protection (clause 11.1) are
enough.“
Use of the model agreement 2010/87/EU as a legal basis for transfer of personal data
to subcontractors in third countries, is in line with the provisions of the Personal Data
Act.
For the sake of good order, the Data Protection Authority would like to emphasise the
following: Upon entering into the Agreement, the controller assumes the obligations specified
in clause 4, which includes the following guarantees from the controller:
”to make available to the data subjects upon requests a copy of the Clauses, with the
exception of Appendix 2, and a summary description of the security measures, as well as a
copy of any contract for sub-processing services which has to be made in accordance with
the Clauses [...]”
“that, in the event of sub-processing, the processing activity is carried out in accordance
with clause 11 by a sub-processor providing at least the same level of protection for the
personal data and the rights of data subjects as the data importer under the Clauses”
15 ”FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU
of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in
third countries under Directive 95/46/EC”, available from
ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp176_en.pdf, see Section II.1 of the document.
At the same time, the processor (data importer) who is party to the Agreement,
assumes the obligations that arise from clause 5, for example:
”to make available to the data subject upon request a copy of the Clauses, or any existing
contract for sub-processing [...]”
“that, in the event of sub-processing, it has previously informed the data
exporter and obtained its prior written consent”
“that the processing services by the sub-processor will be carried out in accordance with
Clause 11”
“to send promptly a copy of any sub-processor agreement it concludes under the clauses
to the data exporter”
The Data Protection Authority also emphasises that certain third countries have been approved as
safe destinations by the EU Commission.16
Relationship between the Agreement and the Office 365 Trust Center
In the ongoing dialogue with the Data Protection Authority, Microsoft has stated that it has
established a ”Microsoft Office 365 Trust Center”. This is a website where Microsoft provides
information on processing of personal data in Office 365, including information on:
”Data Use Limits”
”Administrative Access”
”Geographic Boundaries”
”Third Parties”
”Security, Audits and Certifications”
”Regulatory Compliance”17
The Data Protection Authority assumes that the purpose of the website is to ensure full transparency
vis-à-vis the customers, in keeping with the WP29 recommendations,18 but that the content of the
website does not constitute a part of the agreements addressed above. As the information provided in
the Trust Center cannot be considered information agreed with the controller, the issues addressed
under points 2) and 4) of this letter highlight challenges that result from this.
16 See complete overview at ec.europa.eu/justice/data-protection/document/internationaltransfers/adequacy/index_en.htm
17 The categories are quoted directly from Microsoft's e-mail of 26 March 2012 to the Data Protection Authority.
18 Opinion 5/2012 on Cloud Computing, Section 3.4.1.1.
Right of appeal
The above decisions may be appealed in accordance with the provisions of the Public Administration
Act. Any appeals must be submitted to the Norwegian Data Protection Authority within three weeks
of receipt of this letter. Also note the right of parties to acquaint themselves with the documents in
the case, cf. Section 18 of the Public Administration Act.
Yours faithfully
Helge Veum
Director
Lars-Otto Nymoen
Senior Engineer