Norwegian Data Protection Authority

Postal address: P.O. Box 8177 Dep, N-0034 OSLO
Office address: Tollbugt 3
Telephone: +47 22396900
Fax: +47 22422350
Org. No.: 974761467
Website: www.datatilsynet.no

Municipality of Moss - Chief Executive
P.O. Box 175
N-1501 Moss

Your reference:
Our reference (please quote in correspondence): 11/01198-4/LON
Date: 21 September 2012

Reply - Use of Microsoft Office 365 cloud computing services - Municipality of Moss

Reference is made to the e-mail of 9 November 2011 from the Municipality of Moss and subsequent correspondence, where the Data Protection Authority was requested to evaluate the data processor agreement between the municipality and Microsoft regarding use of the Office 365 cloud computing services.

Background

The Municipality of Moss would like to move parts of its e-mail services to the cloud computing service Office 365 provided by Microsoft. In connection with this process, the municipality has engaged the services of the law firm SIMONSEN Advokatfirma DA (SIMONSEN) to carry out a legal review of the data processor agreement with Microsoft, and the municipality, in cooperation with Det Norske Veritas (DNV), has also carried out a qualitative risk assessment based on the municipality's anticipated usage pattern. The Data Protection Authority, the Municipality of Moss and Microsoft have also held dialogue meetings in order to address relevant issues in further detail.

In this letter, the Data Protection Authority will first comment on the evaluations made by SIMONSEN regarding the data processor agreement before addressing other issues associated with use of Office 365.

Comments on SIMONSEN's review of the data processor agreement

1) Purpose of the agreement and types of processing

If an enterprise processes personal data on behalf of another, with the consequence that the first-mentioned enterprise is considered the latter enterprise's processor, cf. Section 2 no. 5 of the Personal Data Act, it follows from Section 15 of the Act that the enterprises must enter into a data processor agreement. It is stated in this section that the agreement must fulfil certain specific criteria:

“No processor may process personal data in any way other than that which is agreed in writing with the controller. Nor may the data be turned over to another person for storage or manipulation without such agreement.

It shall also be stated in the agreement with the controller that the processor undertakes to carry out such security measures as ensue from section 13.”

The municipality has stated that a data processor agreement has been entered into, and reference is made to Microsoft's Enterprise Enrollment Addendum – Office 365 Data Processing Agreement (hereinafter “the Agreement”). In the following, the Data Protection Authority will review the various requirements stipulated in Section 15, in light of the municipality's account of the scope of the Agreement.[1]

Requirement for a written agreement

Firstly, the controller and the processor are obliged to enter into a written agreement regarding the processing of personal data in question. It follows from the case documents that this requirement has been complied with.

Limitation of the purpose of the Agreement

Secondly, it follows from Section 15 of the Act that the processor cannot process the personal data in any way, or for purposes, other than that which is agreed with the controller. This presupposes that the agreement defines the relevant processing methods and processing purposes.

This also entails that the processor has to abide by the instructions provided by the controller regarding the data processing in question, and the processor is limited to the processing purposes and processing methods which are available to the controller according to the Personal Data Act.

If the supplier processes personal data in other ways, or for other purposes, than those agreed, this will entail a breach of the data processor agreement. In addition, the supplier will assume controller responsibility for any data processing not covered by the Agreement. If so, the supplier will be liable for compliance with all legal requirements associated with such processing.[2]

The municipality has – with reference to Section 1 of the Agreement titled “Privacy” – provided an account of Microsoft's access to the personal data processed via the service.[3] It is stated that the information is only processed for purposes associated with provision of the Office 365 service. The Agreement also refers to the underlying services covered by Office 365.

[1] Simonsen's memo dated 29 September 2011.
[2] Whether these legal requirements follow from the Norwegian Personal Data Act will depend on whether the conditions stipulated in Section 4 of the Personal Data Act have been fulfilled.
[3] The nature of the personal data is described in the following manner: “Customer data”, which according to the municipality is defined as “all data, including text, audio or image files distributed to Microsoft using Office 365”.

In general, the Data Protection Authority finds that these sections of the Agreement provide an acceptable description of which personal data are to be processed, in which manner they are to be processed and for what purposes. Based on this, it is assumed that the required limitation of purposes pursuant to Section 15 of the Act is fulfilled.

Prohibition against turning information over to others

It follows from Section 1 litera d of the Agreement that Microsoft cannot turn data over to others without obtaining approval from the municipality. Thus, this issue is in agreement with Section 15 of the Act.

In addition, it is stated that Microsoft may be obliged to turn information over to “law enforcement [authorities]”. The Data Protection Authority assumes that this concerns orders for disclosure of personal data from jurisdictions other than Norway, for example in connection with investigation of criminal offences. Conditional upon such an order being legally binding vis-à-vis the service provider, and the subsequent disclosure of information not being contrary to other provisions in Norwegian acts and regulations, such disclosure by the service provider for the above-mentioned processing purposes may take place.

However, the controller should also make sure that the processor will be able to guarantee that no personal data will be disclosed to law enforcement authorities of any other countries unless the above-mentioned criteria have been met.[4]

In addition, the data subjects should be informed of such possible disclosure, cf. the principles stipulated in Section 19, literas c and e of the Personal Data Act.

2) Clear segregation of the information

Cloud computing services such as Office 365 handle personal data from many different enterprises, and are to a large degree based on virtualisation technology and logical security barriers. The personal data legislation requires that personal data linked to different legal entities be kept properly segregated from each other.

In its assessment, SIMONSEN notes that it is not clearly apparent that the Agreement takes these requirements into account. The Data Protection Authority is also of the opinion that the Agreement does not specifically address measures linked to segregation of personal data from different controllers.

However, in connection with the Data Protection Authority's dialogue with Microsoft, reference was made to the website Office 365 Trust Center,[5] established for the purpose of informing clients about protection of privacy and security in connection with Office 365. In this case, specific reference was made to the documents Security in Office 365 White Paper[6] and Office 365 Security and Service Continuity Service Description,[7] and the following is a quote from the latter:

Data isolation: Data storage and processing is logically segregated among customers of the same service through Active Directory® structure and capabilities specifically developed to help build, manage, and secure multitenant environments. The multitenant security architecture ensures that customer data stored in shared Office 365 data centers is not accessible by or compromised to any other organization. Organizational units (OUs) in Active Directory control the prevention of unauthorized and unintended information transfer via shared system resources. Tenants are isolated from one another based on security boundaries, or silos, enforced logically through Active Directory.

The Data Protection Authority is of the opinion that logical mechanisms for separation of data, usually together with other security measures, may fulfil the requirements stipulated in the personal data legislation. However, it is the responsibility of the Municipality of Moss to ensure that the processor's security measures are efficient and adequate for the processing in question based on its own risk assessment.

Based on its risk assessment, the Municipality of Moss has informed the Data Protection Authority that it considers Microsoft's measures to be very good and satisfactory. The Data Protection Authority will abide by the assessment of the municipality.

[4] Cf. Section 3.4.2 no. 13 of the Article 29 Data Protection Working Party's Opinion 05/2012 on Cloud Computing, cf. also Section 4.1, fifth indent, third bullet point.
[5] http://www.microsoft.com/en-us/office365/trust-center.aspx
[6] http://www.microsoft.com/en-us/download/details.aspx?id=26552
[7] http://www.microsoft.com/en-us/download/details.aspx?id=13602

3) Data security and audits

Section 13 of the Personal Data Act and Chapter 2 of the Personal Data Regulations have provisions addressing issues such as risk assessments, implementation and documentation of security measures as well as security audits of communication partners and suppliers.

Security measures in Office 365 are described in Section 4 of the Agreement on a general level, and mainly areas covered by the ISO 27002 standard are addressed. In its comments, SIMONSEN emphasises the importance of carrying out a risk assessment and documenting that the security measures are adequate, and the Data Protection Authority agrees with this.

The Data Protection Authority's basis is that the Municipality of Moss, in cooperation with DNV, has carried out a risk assessment of Office 365, which the municipality considers to be satisfactory and good. This assessment points out several risks and measures which the municipality must evaluate prior to an implementation of the service.

Section 4 of the Agreement has provisions on security audits, and may be summarised as follows:

- Microsoft has established a management system for data security based on the ISO 27001 standard, and it is certified compliant with the standard.
- There will be at least one annual third party audit according to ISO 27001.
- A confidential summary audit report is to be prepared, and the Municipality of Moss will receive a copy upon request to Microsoft.
- On the basis of the summary report, the Municipality of Moss will be able to evaluate whether the security measures in Office 365 are in accordance with the Agreement and the requirements of the municipality.

The Data Protection Authority bases this on the Article 29 Data Protection Working Party's Opinion 05/2012 on Cloud Computing,[8] where independent third party audits are addressed as follows:

Individual audits on data hosted in a multi-party, virtualized server environment may be impractical technically and can in some instances serve to increase the risks to those physical and logical network security controls in place. In such cases, a relevant third party audit chosen by the controller may be deemed to satisfy in lieu of an individual controller's right to audit.

[...]

In the context of cloud computing, potential customers should look to see whether cloud services providers can provide a copy of this third party audit certificate or indeed a copy of the audit report verifying the certification [...].

Although the Article 29 Data Protection Working Party goes a long way towards recognising third party audits, it will probably be challenging for the Municipality of Moss to determine which parts of the comprehensive audit report will cover the information it is interested in. As far as the Data Protection Authority knows, there is currently no summary report available to the Municipality of Moss, which makes it difficult to determine whether this may be considered a satisfactory management tool.

It will be up to the Municipality of Moss to follow this up and carry out the necessary assessments.

Ensuring the supplier complies with the Agreement

It follows from Section 14 of the Personal Data Act on internal control that the controller must establish planned and systematic measures to ensure compliance with the statutory requirements. This obligation rests with the controller, not the processor.

This means that issues such as how to process personal data, which procedures to use, and how to enforce compliance, must be regulated in the agreements between the controller and the processor. Requirements relating to internal control also cover other duties in addition to data security, such as no processing of information for purposes other than those agreed, erasing of information and use of third countries.

It is the viewpoint of the Data Protection Authority that it is necessary to confirm that the processor complies with the Agreement through third party audits (unless the controller carries out audits himself), in the same manner as for data security, ref. Section 3). This is to ensure that the controller safeguards the requirement for systematic measures to ensure compliance with the Act.

[8] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf

4) Access control

Section 13 of the Personal Data Act, cf. Sections 2-11, 2-12 and 2-13 of the Personal Data Regulations, stipulates that measures must be implemented to ensure satisfactory data security with regard to confidentiality, integrity and accessibility.

As mentioned by SIMONSEN in its assessment, it is stated in Section 1 of the Agreement that only authorised personnel at Microsoft will be able to process data from the Municipality of Moss, and that these personnel are bound to secrecy. There are also a range of requirements relating to access control, authentication and authorisation.

In connection with the Data Protection Authority's dialogue with Microsoft, reference was made to Office 365 Trust Center for more detailed information, and in particular the document Administrative Access.[9] This document has a more detailed classification of various types of information in the solution and which access levels have been established.

The municipality must assess whether the access control is satisfactory, but the Data Protection Authority has no further comments regarding this issue.

5) Authorised and unauthorised use

Section 2-8, third subsection, and Section 2-14, second subsection, of the Personal Data Regulations stipulate that authorised and unauthorised use of the information system must be registered. Section 2-16 stipulates that information on such registrations and all other events of significance for data security must be stored for at least three months.

It is stated in Section 4 of the Agreement that Microsoft is to register information about security breaches and have this information accessible for a period of at least six months. SIMONSEN considers the Agreement to be vague and inadequate as regards this issue, and not in agreement with the requirements stipulated in the personal data legislation. This is also the viewpoint of the Data Protection Authority.

In connection with the Data Protection Authority's dialogue with Microsoft, reference was made to the document Standard Response to Request for Information – Security and Privacy.[10] This is an overview showing how Microsoft Online Services (including Office 365) ensures compliance with the requirements related to issues such as security and protection of privacy prepared by the Cloud Security Alliance (CSA).[11] Reference is made in particular to the following requirements from CSA (requirement SA-15 in the Cloud Controls Matrix[12]):

Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and data security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

Microsoft goes on to describe its compliance with the requirement as follows:

Access to logs is restricted and defined by policy and logs are reviewed on a regular basis. “Audit logging” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.10.1. For more information review of the publicly available ISO standards we are certified against is suggested.

Based on this description, the Data Protection Authority is still uncertain whether Microsoft is in compliance with the specific requirements stipulated in Sections 2-8, 2-14 and 2-16 of the Personal Data Regulations.

6) Transfer of personal data to third countries

Storage and processing in Microsoft's data centres

It follows from Section 29 of the Personal Data Act that personal data may only be transferred to states that ensure proper processing of the information. In practice, this entails that transfers to countries other than the member states of the EU and the EEA countries will be precluded as a general rule.

There are exceptions, however. The data exporter may issue individual guarantees, for example, or the EU Commission may decide that certain individual states are safe destinations.[13]

The municipality has stated that Section 1 litera e of the Agreement allows for transfer of personal data to Microsoft's data centres in the United States and Europe, but also in other states.

[9] http://www.microsoft.com/online/legal/v2/?docid=24
[10] http://www.microsoft.com/en-us/download/details.aspx?id=26647
[11] https://cloudsecurityalliance.org/
[12] https://cloudsecurityalliance.org/wp-content/uploads/2011/08/CSA_CCM_v1.2.xlsx
[13] Cf. Section 30, second subsection and Section 29 of the Personal Data Act, cf. Section 6-1 of the Personal Data Regulations, respectively.

Transfer to the USA

It follows from Article 1 of the EU Commission's Decision 2000/520/EC of 26 July 2000 that the Safe Harbor principles ensure an adequate level of protection, to the extent described in Article 25 (1) and (2) of Directive 95/46/EC. It also follows from the same provision that personal data may be exported from EU/EEA countries to enterprises established in the United States, subject to the conditions stipulated in this article. Decisions by the EU Commission are binding for Norway, cf. Section 6-1 of the Personal Data Regulations.

Publicly available information shows that “Microsoft Corporation and its Controlled U.S. Subsidiaries” (hereinafter “Microsoft Corp.”) are certified under the Safe Harbor program.[14]

Based on the assumption that all relevant data centres in the United States are part of Microsoft Corp. and thus comprise part of the Safe Harbor certified enterprise, transfer of personal data from Norway to these data centres will be in compliance with Section 29 of the Personal Data Act.

Transfer to other third countries

As mentioned above, Microsoft opens for transfer of personal data to data centres other than those located in the United States and the EEA Area. Such transfer of personal data to countries other than those mentioned above in Section 5, must be approved in advance by the Data Protection Authority, on the basis of individual guarantees issued by the controller, cf. Section 30 second subsection of the Personal Data Act.

If the controller and the processor enter into the model agreement included in the annex to the EU Commission's Decision of 5 February 2010 (2010/87/EU), and this is approved in advance by the Data Protection Authority, cf. Section 30, second subsection, the information may be transferred to a third country in pursuance of the Agreement's standard clause 11. However, such transfers from the data importer to a subcontractor require prior written approval from the controller:

“The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without prior written consent of the data exporter”

Thus, use of subcontractors requires that the controller (data exporter) in advance issue a written consent to the processor (data importer). The nature of such consent was discussed by the Article 29 Data Protection Working Party in its opinion on Cloud Computing, where the WP29 stated the following:

“In the view of the WP29, the processor can subcontract its activities only on the basis of the consent of the controller, which may be generally given at the beginning of the service with a clear duty for the processor to inform the controller of any intended changes concerning the addition or replacement of subcontractors with the controller retaining at all times the possibility to object to such changes or to terminate the contract. There should be a clear obligation of the cloud provider to name all the subcontractors commissioned.”

The question of whether this approval in advance must be issued specifically in each individual case, or whether it is sufficient to issue a general consent, has been discussed in further detail in the WP29's working document WP 176:[15]

“Model Clauses 2010/87/EU do not specify this. According to the Working Party, it is up to the controller to decide if general prior consent would be sufficient or if specific consent is required for each new sub processing.”

In other words, the controller must make a decision regarding this issue, in light of the following factors:

“This decision will probably vary depending on the context of the processing, the type of data (sensitive or not), and the level of involvement of the controller for this type of choice. Some controllers may decide that a full prior check of the identity of each sub processor is necessary while others may consider that prior information (clause 5.h), the duty to communicate the clause (clause 5.j) and the guarantee to have the same level of protection (clause 11.1) are enough.”

Use of the model agreement 2010/87/EU as a legal basis for transfer of personal data to subcontractors in third countries is in line with the provisions of the Personal Data Act.

For the sake of good order, the Data Protection Authority would like to emphasise the following: Upon entering into the Agreement, the controller assumes the obligations specified in clause 4, which includes the following guarantees from the controller:

“to make available to the data subjects upon requests a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses [...]”

“that, in the event of sub-processing, the processing activity is carried out in accordance with clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses”

At the same time, the processor (data importer) who is party to the Agreement assumes the obligations that arise from clause 5, for example:

“to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing [...]”

“that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent”

“that the processing services by the sub-processor will be carried out in accordance with Clause 11”

“to send promptly a copy of any sub-processor agreement it concludes under the clauses to the data exporter”

The Data Protection Authority also emphasises that certain third countries have been approved as safe destinations by the EU Commission.[16]

Relationship between the Agreement and the Office 365 Trust Center

In the ongoing dialogue with the Data Protection Authority, Microsoft has stated that it has established a “Microsoft Office 365 Trust Center”. This is a website where Microsoft provides information on processing of personal data in Office 365, including information on:

- “Data Use Limits”
- “Administrative Access”
- “Geographic Boundaries”
- “Third Parties”
- “Security, Audits and Certifications”
- “Regulatory Compliance”[17]

The Data Protection Authority assumes that the purpose of the website is to ensure full transparency vis-à-vis the customers, in keeping with the WP29 recommendations,[18] but that the content of the website does not constitute a part of the agreements addressed above. As the information provided in the Trust Center cannot be considered information agreed with the controller, the issues addressed under points 2) and 4) of this letter highlight challenges that result from this.

[14] http://safeharbor.export.gov/companyinfo.aspx?id=15738
[15] “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC”, available from ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp176_en.pdf, see Section II.1 of the document.
[16] See complete overview at ec.europa.eu/justice/data-protection/document/internationaltransfers/adequacy/index_en.htm
[17] The categories are quoted directly from Microsoft's e-mail of 26 March 2012 to the Data Protection Authority.
[18] Opinion 5/2012 on Cloud Computing, Section 3.4.1.1.

Right of appeal

The above decisions may be appealed in accordance with the provisions of the Public Administration Act. Any appeals must be submitted to the Norwegian Data Protection Authority within three weeks of receipt of this letter. Also note the right of parties to acquaint themselves with the documents in the case, cf. Section 18 of the Public Administration Act.

Yours faithfully

Helge Veum
Director

Lars-Otto Nymoen
Senior Engineer