The Article 29 Data Protection Working Party -- which includes representatives of the data protection authorities...
of each of the European Union member states -- recently issued an opinion on cloud computing that could impact U.S. cloud providers. The opinion, published July 2 as Document WP 196, analyzes the applicable data protection laws and obligations for companies providing, or using cloud computing services in the European Economic Area (EEA). It identifies data protection risks that are likely to result from the use of cloud computing services, and provides guidance on how to manage a cloud computing contract.
The most significant aspect of the opinion is its negative evaluation of the ability of Safe Harbor self-certification to meet the requirement of national laws implementing the 1995 EU Data Protection Directive.
While they do not have the force of law, opinions of the Article 29 Working Party have a significant influence over the ways companies operate and the privacy choices they make. Businesses operating in the European Economic Area should keep in mind that the data protection authority of the country, or countries, in which they operate are highly likely to follow the guidance set forth in a Working Party's opinion. Thus, it is important that they operate within the guidelines provided in the opinions and other writings of the Article 29 Data Protection Working Party.
The negative assessment of the viability of Safe Harbor self-certification as a way to meet the adequacy requirement of EEA national data protection laws is likely to slow down the adoption of cloud computing.
Risk analysis and contractual provisions
For businesses and governmental administrations wishing to use cloud computing services, WP 196 recommends the data controller (the data owner) first conduct a comprehensive and thorough risk analysis of the proposed cloud service -- including, in particular, an evaluation of the risk to the data that would be held in the cloud. This due diligence requires actions by the purchaser of the cloud services, as well as cooperation from the providers of the cloud services.
The second part of the opinion provides guidance on the contractual arrangements that regulate the relationship between a data controller and a cloud service provider with respect to data privacy and security. According to WP 196, the contract should provide appropriate transparency with respect to data handling practices. It should also ensure isolation, "intervenability" (the data subject's ability to exercise their rights) and portability of personal data. Appropriate security measures should provide the tools necessary for ensuring availability, integrity and confidentiality.
Cross-border data transfers and Safe Harbor
Because national data protection laws in the European Economic Area create significant barriers to cross-border transfer of data, WP 196 analyzes, at length, how these restrictions affect cloud computing. The opinion casts significant doubts on the ability of Safe Harbor self-certification to meet the data protection requirements in the EEA. It states: "Sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment. ... [C]ompanies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. ... [T]he company exporting data should request evidence demonstrating that these principles are complied with. … It might be advisable to complement the commitment of the data importer to the Safe Harbor with additional safeguards, taking into account the specific nature of the cloud."
This negative assessment of the viability of Safe Harbor self-certification as a way to meet the adequacy requirement of EEA national data protection laws is detrimental to the adoption of cloud computing -- it is likely to slow down its adoption in Europe because most cloud providers are U.S.-based. If, as stated in the opinion, the Safe Harbor principles may not guarantee the data exporter the necessary means to ensure that appropriate security safeguards have been applied by a U.S. cloud provider (as may be required under the national data protection laws of the EU Member States), then both U.S. data importers and EEA data exporters may be left with no certainty on how to proceed and more questions about what will satisfy the EEA regulators.
Cloud computing contracts
The recommendations on cloud computing contracts go significantly beyond the current provisions of most cloud service agreements. While the opinion recommends obtaining information about server location and the use or engagement of subcontractors, cloud clients have had significant difficulty obtaining this information and have generally been unable to control the use of subcontractors. While the opinion favors the use of liability provisions, most contracts for cloud services do not include any significant penalties for breach of contract. In existing contracts, a cloud provider's liability is usually limited to direct damages and capped at the amount paid for the services for the few months that preceded an incident (usually two to 12 months). Most cloud contracts also do not address data retention or data disposal. Provisions that address data retention, if any, are frequently limited to granting the cloud provider the right to delete all data within a short time after the end of the relationship.
It's not clear what effect the Working Party's opinion will have on U.S. cloud providers, or the extent to which U.S. cloud providers will adjust their operating terms in order to meet these guidelines. However, if U.S. cloud providers want to continue to attract EU-based clients, they will have to address the recommendations of WP 196, especially those related to cross-border data transfers -- at least in connection with their sales in the European Economic Area. Will they want or be able to keep different sets of terms for their contracts signed in the United States, when many of their clients are global companies who want to sign global deals?
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named one of the country's top privacy advisors in a recent industry survey and, for several years, has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 65 countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy & Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.