Legal compliance made easy: the legal level concept in ACSmI has been finalized

In a blog post earlier this year we explained how the legal level in ACSmI allows application developers to pre-select Cloud services from the ACSmI registry based on the guarantees for legal compliance offered in the contracts of those CSPs.

The legal level deals with a variety of matters, including:

  • GDPR compliance (different aspects)
  • International transfers outside the EEA
  • Liability
  • Conflict resolution
  • Exit clauses and penalties
  • Data portability/switching
  • The counterparty being a validly registered company
  • (Cloud) certification
  • Adherence to codes of conduct in the sector
  • Confidentiality

The legal level is assigned by a designated legal expert assessing the contractual documents (service contract, SLA, data processing agreement and other relevant documents if any) during the onboarding process of ACSmI.

Thus, rather than having to assess all the contracts with the CSPs, the application developer can simply choose a legal level tier (1, 2 or 3, with 1 being the highest) that best matches the needs of the organization he/she is developing for, whether for in-house use, when developing a product, or when making (and running and managing) bespoke applications. The guarantees offered by each of those tiers are explained in a legal level white paper, which has been written to explain the concept in more detail and can be found as an annex to deliverable D5.4, published on this website. What is important is that even tier 3 (the lowest tier) guarantees a minimum compliance level of the CSP. If the minimum standards required for tier 3 are not met (even if only on one aspect), the Cloud services will not be onboarded to the ACSmI registry.

In essence, the legal level is made up of 34 controls, or aspects of legal compliance. Depending on the score a CSP gets on those 34 different aspects, a tier will be assigned. Below, a matrix is presented that shows how this is done. Before consulting that matrix, one should understand that:

  • 8 of the 34 controls are essentially yes/no questions asked to the CSP. They are not verified by the legal expert beyond some desktop research, but are factored into the overall score. This may change as DECIDE is further developed. They are called “simple controls” and can either be present or not present.
  • 26 controls relate to a qualified assessment, by a DECIDE legal expert, of the contracts offered by the CSP. They are called “layered controls”. These controls relate to legal topics and ensure that a minimum level of legal protection and/or safeguards is present. If this is not so, no legal level will be assigned, and the service cannot be entered into ACSmI. If the minimum standard is met, however, three results are possible: basic legal safeguards present (i.e. the minimum standard was met but nothing more), substantial legal safeguards, or strong legal safeguards.
  • For a Cloud service to be assigned a certain tier, it needs to meet ALL the criteria for that tier. Scoring less on any control will lead to the Cloud service being downgraded to a lower tier, for which it does match or exceed all criteria. If any of tier 3’s criteria are not met, a Cloud service cannot be onboarded in ACSmI.

This leads to the following matrix:

Matrix columns: Control; Legal level tier 3 (basic legal safeguards); Legal level tier 2 (substantial legal safeguards); Legal level tier 1 (strong legal safeguards)

Simple controls:

  • Valid company registration
  • DPO/data protection point of contact
  • Representative (if relevant)
  • Data transfer mechanism (if relevant)
  • Data processing agreement (DPA)
  • ISO 27001 or equivalent
  • Cloud certification covering all CCSM objectives
  • Adherence to Data Portability and Switching Code of Conduct
  • Adherence to Data Protection Code of Conduct

Layered controls:

  • Assessment of ADR mechanisms (if relevant)
  • Termination options of CSP’s counterparty
  • Liability coverage
  • Force majeure coverage
  • Data transfer mechanism assessment (if relevant)
  • DPA scope
  • Documented instructions only
  • DPA confidentiality
  • CSP security A32 GDPR
  • Sub-processor engagement
  • Contractual pushdown sub-processor
  • Sub-processor liability coverage
  • Data subject request assistance
  • Counterparty security measures assistance
  • Data breach notification assistance
  • DPIA assistance
  • Deletion or return of data
  • Compliance information obligation
  • Audit rights granted
  • Illegal instructions notification obligation
  • DPA liability coverage (if relevant)
  • Termination possibilities DPA (if relevant)
  • Termination/suspension options CSP
  • Limitation of unilateral changes by CSP
  • Confidentiality terms (general)
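As an added illustration (not code from the DECIDE project or the ACSmI registry), the tiering rule described above in Python: a service lands in the highest tier for which it meets every control, one shortfall downgrades it to the next lower tier, and a shortfall on any tier 3 criterion blocks onboarding. The requirement matrix and the CSP assessment below are constructed for illustration only; the real per-control requirements are in the legal level white paper.

```python
from enum import IntEnum

class Safeguard(IntEnum):
    """Legal expert's rating of a layered control; NONE = minimum standard not met."""
    NONE = 0
    BASIC = 1
    SUBSTANTIAL = 2
    STRONG = 3

# CONSTRUCTED requirement matrix in the page's layout: control -> minimum required at
# (tier 3, tier 2, tier 1). Simple controls: True = must be present; layered controls:
# a Safeguard level. The real values live in the legal level white paper, not here.
REQUIREMENTS = {
    "Valid company registration": (True, True, True),                          # simple
    "Data processing agreement (DPA)": (True, True, True),                     # simple
    "ISO 27001 or equivalent": (False, True, True),                            # simple
    "Cloud certification covering all CCSM objectives": (False, False, True),  # simple
    "Liability coverage": (Safeguard.BASIC, Safeguard.SUBSTANTIAL, Safeguard.STRONG),
    "Audit rights granted": (Safeguard.BASIC, Safeguard.BASIC, Safeguard.SUBSTANTIAL),
}

def control_met(required, actual):
    """Simple control: present or not required; layered control: rated at least the minimum."""
    if actual is None:                      # an unassessed control never counts as met
        return False
    return (actual or not required) if isinstance(required, bool) else actual >= required

def failing_controls(tier, assessment):
    """Controls on which the service falls short of the given tier's requirements."""
    col = 3 - tier                          # matrix column: tier 3 -> 0, tier 2 -> 1, tier 1 -> 2
    return [name for name, row in REQUIREMENTS.items()
            if not control_met(row[col], assessment.get(name))]

def assign_legal_level(assessment):
    """Return 1, 2 or 3 (1 = highest), or None if the service cannot be onboarded. ALL criteria
    of a tier must be met; a miss downgrades to the next tier, a tier 3 miss means no level."""
    for tier in (1, 2, 3):
        if not failing_controls(tier, assessment):
            return tier
    return None

# CONSTRUCTED assessment of a fictional CSP: strong contracts, but no Cloud certification.
SAMPLE_CSP = {
    "Valid company registration": True,
    "Data processing agreement (DPA)": True,
    "ISO 27001 or equivalent": True,
    "Cloud certification covering all CCSM objectives": False,
    "Liability coverage": Safeguard.STRONG,
    "Audit rights granted": Safeguard.SUBSTANTIAL,
}
```

`failing_controls(1, SAMPLE_CSP)` names the single control that keeps the fictional CSP out of tier 1, so the same routine doubles as the report a legal expert would hand back to the CSP.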

In this way, DECIDE makes it fairly easy for an application developer to choose a legal tier that matches the business and other requirements the application and the intended user organization has.

Not only does DECIDE make it much easier to select compliance-appropriate Cloud resources, it also helps to keep that selection and the underlying assessment up to date. Specifically, after a service has been endorsed in ACSmI and has been assigned a legal level, the following events will trigger a reassessment:

  • A CSP (substantially) changes its contracts (it will have to notify this under the contract between the entity exploiting ACSmI and the CSP)
  • A CSP makes changes which affect its answers to the questions based on the simple controls (e.g. it loses a certification or adds one); it will have to notify this under the contract between the entity exploiting ACSmI and the CSP
  • There is an important change in legislation, case law or interpretation which requires all or certain contracts to be reassessed. This is monitored by the legal expert.
  • Other changes, neither in the CSP’s own legally relevant situation nor in legislation, case law or interpretation, which nonetheless have a measurable impact on the controls of the legal level. Events that might qualify are substantive changes in standards, market standards, market expectations, state of the art, etc. If such external factors warrant a revision of the legal level itself, by adding, deleting or changing controls or by impacting the interpretation to be given to certain controls, this may lead to a re-assessment of the legal level assigned to a given service. Such changes will be identified by the entity exploiting ACSmI and will be implemented with prior notice only, and to all CSPs indiscriminately.

In this way, any changes that might impact the compliance level of a CSP and its services will be monitored by ACSmI and taken into account for any re-deployment, thus ensuring that the assessment of which Cloud services to use in order to meet the compliance needs identified by the application developer is always up to date.

For more information about the controls that make up the legal level, the legal level itself or the procedure of assigning it, please refer to the legal level white paper, which can be found as an annex to deliverable D5.4, published on this website.

The white paper also contains a proof of concept, use cases, an explanation of the contractual framework needed to establish the legal level, and remarks on sustainability and upscaling for the future.

On top of the legal level, the DECIDE alliance will also offer bespoke services for potential DECIDE users who feel the legal level in itself is not sufficient or sufficiently detailed for their specific needs. This may be done by creating sector or client specific versions of the legal level with more detail, or by having a DECIDE alliance legal expert make a manual pre-selection of appropriate Cloud resources, based on a thorough understanding of the client’s needs, combined with a detailed knowledge of the contractual guarantees offered by all CSPs in the ACSmI directory.