• Ruling may lead to more data centres being established in Ireland and Europe
• New standards may need to be developed or current ones updated, in order to enable data centres to operate to the highest standards

In response to the European Court of Justice (ECJ) ruling on the "safe harbour" data sharing agreement, NSAI believes that the ruling has the potential to affect standards in the IT sector.  NSAI CEO Maurice Buckley said this ruling is likely to benefit Europe as it may lead to an increase in the number of data centres on the continent.

“Business or internet commerce won’t grind to a halt because of this ruling, but it is likely to mean the data of EU citizens will now have to be kept within Europe.  Therefore more data centres will need to be established.  NSAI believe it’s vital that new standards are developed and current standards are amended so as to enable data centres to comply with any emerging legislative requirements,” said Mr Buckley.

“NSAI technical experts are members of the relevant international standards bodies and actively contribute to the development of standards in the ICT sector.  As businesses react to this ruling, particularly smaller companies who are less likely to have the in-house ability to manage data with greater sophistication, they may seek to have standards updated or amended, to ensure best practice,” added Mr Buckley.

His comments come as over 60 technology experts from around the world gather in Dublin Castle this week to discuss emerging standards in cloud computing, such as ISO 27018, which was published just last year.  This standard governs the processing of personal data in the cloud.  Advances in technology such as 5G and smart cities will also be discussed as experts look at how new standards will need to be developed or existing ones changed, in order to reflect the vast amounts of data now in circulation, as well as improvements in wireless connectivity.

“Cloud computing is going to be a very powerful innovation engine for future economic growth and therefore it’s crucial that robust international standards are in place to help protect data belonging to both individuals and organisations,” said Mary White, NSAI Manager Standards Business Support.

“But cyber criminals are becoming more sophisticated so it’s incumbent that technical experts who serve on standards committees – the good guys if you will – come together in order to stay one step ahead of the bad guys,” Ms White added.

The European Cybersecurity Coordination Group (CSCG), of which NSAI is a member, is also meeting in Dublin on November 5th and 6th, to discuss developments in the field of IT security, Network and Information Security and Cyber Security.  This group provides strategic advice and recommendations to the European Commission and EU Member States in the area of Cyber Security standardisation.
Most importantly, the CSCG’s efforts towards harmonisation of Cyber Security in Europe are aimed at strategically strengthening the European digital economy and providing a solid security platform for continued growth in Europe’s Digital Single Market.

Background

NSAI is Ireland’s representative in the international standards system – or ISO (International Organisation for Standardisation).  NSAI standards officers actively contribute to the development of new standards or the revision of existing standards in IT, including cloud computing. 

ISO 27018

The new standard ISO 27018 specifies the roles of a data controller and a data processor in maintaining the security and privacy of personally identifiable information (PII) stored in a public cloud environment.
In contrast to existing information security standards that it builds on (such as ISO 27001 and ISO 27002), ISO 27018 is specifically tailored to cloud computing services.

It sets out best practices for public cloud service providers.  It establishes security guidelines to protect personal data and provides a privacy compliance framework that addresses the key obligations of a data processor under EU data protection laws (as implemented in Ireland through the Data Protection Acts 1988 and 2003).

Any organisation that processes personally identifiable information (PII) through a cloud computing service under a contractual arrangement can be certified under ISO 27018.  All types and sizes of organisations – including public and private companies, government entities and not-for-profit organisations – are eligible.

To qualify for certification under ISO 27018, the applicant provider must agree to be audited by an accredited certification body and must also submit to periodic third-party reviews.

ISO/IEC JTC 1/SC 38 

The committee of technical experts meeting in Dublin this week is known as ISO/IEC JTC 1/SC 38 and was formed in 2009. It was established to address three related areas of technology - Web Services, Service Oriented Architecture (SOA), and Cloud Computing. 

The 29 (participating) members of ISO/IEC JTC 1/SC 38 are: Australia, Austria, Belgium, Brazil, Canada, China, Denmark, Finland, France, Germany, India, Ireland, Israel, Italy, Japan, Republic of Korea, Luxembourg, Netherlands, Poland, Portugal, Russian Federation, Singapore, Slovakia, South Africa, Spain, Sweden, Switzerland, United Kingdom, and United States of America.