Category: Cloud Computing

French CNIL highlights its data protection enforcement priorities for 2022

25. February 2022

Following complaints received, but also on its own initiative, the French data protection supervisory authority Commission Nationale Informatique et Liberté (hereinafter ‘CNIL’) carries out checks, also based on reports of data protection violations. CNIL has published three topics for 2022 on which it will focus in particular. These topics are: commercial prospecting, surveillance tools in the context of teleworking, and cloud services.

With regard to commercial prospecting, CNIL draws particular attention to unsolicited advertising calls, which are a recurring complaint to CNIL in France.

In February 2022, CNIL published a guideline for “commercial management”, which is particularly relevant for commercial canvassing.

Based on this guideline, CNIL will control GDPR compliance. The focus here will be on professionals who resell data.

Regarding the monitoring tools for teleworking, identified as CNIL’s second priority, CNIL aims to assist in balancing the interests of protecting the privacy of workers who have the possibility of home office due to COVID-19 and the legitimate monitoring of activities by informing the rules to be followed for this purpose. CNIL believes that employers need to be more strictly controlled in this regard.

Last but not least, CNIL draws particular attention to the potential data protection breaches regarding the use of cloud computing technologies. Since massive data transfers outside the European Union can be considered here in particular, activities in this area must be monitored more closely. For this purpose, CNIL reserves the right to focus in particular on the frameworks governing the contractual relationships between data controllers and cloud technology providers.

Microsoft informs Azure customers about major vulnerability

31. August 2021

Microsoft notified several thousand customers of its Azure cloud service on Aug. 26, 2021, about a serious security vulnerability that allows unauthorized parties to gain full access to customers’ cloud databases. The vulnerability affects the multi-model NoSQL database CosmosDB, which is one of the cloud service’s key products. Microsoft says it has since closed the gap, but affected customers must take steps themselves to prevent unauthorized access.

As Reuters reports, a research team specializing in security from security firm Wiz discovered the vulnerability in the Azure security infrastructure, which allowed them to gain access to access keys, giving them full access to multiple companies’ databases. The vulnerability was discovered by the researchers on August 9th and reported to Microsoft on August 12th,2021. Wiz later published a blog post explaining the vulnerability. Primary read-write keys allow full access to customer databases. Through a feature called Jupyter Notebook, which was integrated into CosmosDB in 2019, it was possible to gain access to such keys from CosmosDB customers. This made it possible to read, modify and even delete all primary databases. CosmosDB is used by a number of Fortune 500 companies to manage massive amounts of data from around the world in near real-time.

According to Microsoft, the vulnerability was fixed immediately, and no evidence was found that anyone other than Wiz had accessed customer data. Still, Microsoft itself cannot change access keys, so affected customers were emailed on Aug. 26 to change their keys. However, the problem may have affected customers who were not notified. Microsoft has told Wiz that it will pay out $40,000 for reporting the vulnerability.

If you have received a notice from Microsoft and one of your databases is affected that contains personal data, you must assess whether you are required to report this incident to the relevant data protection supervisory authority within 72 hours in accordance with Article 33 of the GDPR. If you believe your organization may be impacted by ChaosDB, please follow the steps described by Wiz in this blog post for detailed instructions on how to protect your environment.

This incident marks the third major security incident involving Microsoft products within 12 months, following the so-called “SolarWinds” hack in December 2020 (please see our blog post) and a large-scale hack of Microsoft Exchange in March 2021 (please see our blog post).

EDPS investigating EU institutions’ use of US cloud services

2. June 2021

The European Data Protection Supervisor (“EDPS”) announced on May 27th, 2021, that it has opened an investigation into the use of Microsoft’s Azure and Amazon’s AWS by EU institutions and has begun an audit of the European Commission’s use of Microsoft Office 365. The EDPS is the EU.s data protection authority.

The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by EU institutions and bodies.

Both investigations are a consequence of the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) on June 16th, 2020 (please see our blog post). The CJEU ruled that U.S. its intense surveillance practices do not comply with the GDPR’s data protection standards. Accordingly, personal data of EU citizens may not be processed in the U.S. solely on the basis of the protection provided by so-called standard contractual clauses. Controllers, in cooperation with data importers, must examine and adapt additional measures on a case-by-case basis to ensure a level of data protection equivalent to the GDPR.

The investigations will examine whether EU institutions are complying with data protection rules and the Schrems II ruling.

Wojciech Wiewiórowski, EDPS head, is quoted in the EDPS announcement:

I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.

If the EDPS finds that Cloud II contracts do not comply with the Schrems II ruling, this could force EU institutions to switch to alternative cloud providers based in the EU in the future, as the EDPS has stated that he wants EU institutions to lead by example.

75.4% of Cloud Apps are not compliant with GDPR

18. July 2016

According to the Netskope Cloud Report from June 2016, almost 75.4% of the cloud apps are not compliant with the GDPR. The main reason for this incompliance is the lack of awareness that most organizations have about the amount of cloud apps being used at the company.

The compliance evaluation was based on eight aspects of the GDPR: geographic requirements, data retention, data privacy, terms of data ownership, data protection, data processing agreement, auditing and certifications.

Compliance with the GDPR involves not only that customers as data controllers implement the provisions of the GDPR accordingly, but also that cloud apps vendors (as data controllers) are also compliant. This compliance requirement of the data processor is one of the new requirements that the GDPR imposes. Data processors are also subject to strict data processing requirements and are liable for breach of their obligations. This way, customers are liable for the use they make of the cloud apps and cloud vendors are liable for inherent security and enterprise-readiness.

The report reveals that the main incompliances relate to the data export requirements after termination of service, to excessively long retention periods and to data ownership terms. Moreover, malware also represents an increasing problem regarding cloud apps.

Upon the entry into force of the GDPR, companies shall be able to

  • Identify existing cloud apps in their organization and analyze the risks involved
  • Identify cloud apps storing sensitive data
  • Adopt measures in order to be compliant according to the eight main aspects mentioned above
  • Identify cyber threats and implement adequate measures to safeguard personal data