Archive for the ‘Article 29 Working Party’ Category

BCR for processors get EU regulators’ vital endorsement

Posted on May 1st, 2013 by Eduardo Ustaran

The fact that, with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging but right now, the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, one stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

*    The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

*    That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to subprocessors which are part of the same organisation acting on behalf and under the instructions of a controller.

*    BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

*    However, BCR for processors do not aim to shift controllers’ duties to processors.

*    A processor’s organisation that has implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors that are part of its organisation, as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

*    BCR for processors already “approved” at EU level will be referred to by the controller as the appropriate safeguards proposed for the international transfers.

*    Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!


What will happen to Safe Harbor?

Posted on April 27th, 2013 by Eduardo Ustaran

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers), as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed, but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor, adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.


Designing privacy for mobile apps

Posted on March 16th, 2013 by Phil Lee

My phone is my best friend.  I carry it everywhere with me, and entrust it with vast amounts of my personal information, for the most part with little idea about who has access to that information, what they use it for, or where it goes.  And what’s more, I’m not alone.  There are some 6 billion mobile phone subscribers out there, and I’m willing to bet that most – if not all of them – are every bit as unaware of their mobile data uses as me.

So it’s hardly surprising that the Article 29 Working Party has weighed in on the issue with an “opinion on apps on smart devices” (available here).  The Working Party splits its recommendations across the four key players in the mobile ecosystem (app developers, OS and device manufacturers, app stores and third parties such as ad networks and analytics providers), with app developers receiving the bulk of the attention.

Working Party recommendations

Much of the Working Party’s recommendations don’t come as a great surprise: provide mobile users with meaningful transparency, avoid data usage creep (data collected for one purpose shouldn’t be used for other purposes), minimise the data collected, and provide robust security.  But other recommendations will raise eyebrows, including that:

(*)  the Working Party doesn’t meaningfully distinguish between the roles of an app publisher and an app developer – mostly treating them as one and the same.  So, the ten man design agency engaged by Global Brand plc to build it a whizzy new mobile app is effectively treated as having the same compliance responsibilities as Global Brand, even though it will ultimately be Global Brand who publicly releases the app and exploits the data collected through it;

(*)  the Working Party considers EU data protection law to apply whenever a data collecting app is released into the European market, regardless of where the app developer itself is located globally.  So developers who are based outside of Europe but who enjoy global release of their app on Apple’s App Store or Google Play may unwittingly find themselves subjected to EU data protection requirements;

(*)  the Working Party takes the view that device identifiers like UDID, IMEI and IMSI numbers all qualify as personal data, and so should be afforded the full protection of European data protection law.  This has a particular impact on the mobile ad industry, which typically collects these numbers for ad serving and ad tracking purposes, but aims to mitigate regulatory exposure by carefully avoiding collection of “real world” identifiers;

(*)  the Working Party places a heavy emphasis on the need for user opt-in consent, and does not address situations where the very nature of the app may make it so obvious to the user what information the app will collect as to make consent unnecessary (or implied through user download); and

(*)  the Working Party does not address the issue of data exports.  Most apps are powered by cloud-based functionality and supported by global service providers meaning that, perhaps more than in any other context, the shortfalls of common data export solutions like model clauses and safe harbor become very apparent.

Designing for privacy

Mobile privacy is hard.  In her guidance on mobile apps, the California Attorney-General rightly acknowledged that: “Protecting consumer privacy is a team sport. The decisions and actions of many players, operating individually and jointly, determine privacy outcomes for users. Hardware manufacturers, operating system developers, mobile telecommunications carriers, advertising networks, and mobile app developers all play a part, and their collaboration is crucial to enabling consumers to enjoy mobile apps without having to sacrifice their privacy.”

Building mobile apps that are truly privacy compliant requires a privacy by design approach from the outset.  But, for any mobile app build, there are some top tips that developers should be aware of:
  1. Always, always have a privacy policy.  The poor privacy policy has been much maligned in recent years but, whether or not it’s the best way to tell people what you do with their information (it’s not), it still remains an expected standard.  App developers need to make sure they have a privacy policy that accurately reflects how they will use and protect individuals’ personal information and make this available both prior to download (e.g. published on the app store download page) and in-app.  Not having this is a sure fire way to fall foul of privacy authorities – as evidenced in the ongoing Delta Airlines case.
  2. Surprise minimisation.  The Working Party emphasises the need for user consents and, in certain contexts, consent will of course be appropriate (e.g. when accessing real-time GPS data).  But, to my mind, the better standard is that proposed by the California Attorney-General of “surprise minimisation”, which she explains as the use of “enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” Just-in-time privacy notices combined with meaningful user controls are the way forward.
  3. Release “free” and “premium” versions.  The Working Party says that individuals must have real choice over whether or not apps collect personal information about them.  However, developers will commonly complain that real choice simply isn’t an option – if they’re going to provide an app for free, then they need to collect and monetise data through it (e.g. through in-app targeted advertising).  An obvious solution is to release two versions of the app – one for “free” that is funded by exploiting user data and one that is paid for, but which only collects user data necessary to operate the app.  That way, users that don’t want to have their data monetised can choose to download the paid for “premium” version instead – in other words, they have choice;
  4. Provide privacy menu settings.   It’s surprising how relatively few apps offer this, but privacy settings should be built into app menus as a matter of course – for example, offering users the ability to delete app usage histories, turn off social networking integration, restrict location data use etc.  Empowered users are happy users, and happy users means happy regulators; and
  5. Know Your Service Providers.  Apps serve as a gateway to user data for a wide variety of mobile ecosystem operators – and any one of those operators might, potentially, misuse the data it accesses.  Developers need to be particularly careful when integrating third party APIs into their apps, making sure that they properly understand their service providers’ data practices.  Failure to do proper due diligence will leave the developer exposed.
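The five tips above describe a privacy-by-design approach in prose. As an added illustration that is not from the original post, the Python below sketches one way an app could enforce several of them at a single choke point: every data collection passes through a gate that checks the purpose declared in the privacy policy (purpose limitation, against usage creep), requires opt-in for anything beyond basic functionality (surprise minimisation, with a `CONSENT_REQUIRED` result telling the app to show a just-in-time notice), honours privacy-menu toggles, keeps a usage history the user can delete, and uses a random per-install identifier instead of hardware identifiers such as UDID, IMEI or IMSI. The class, category and purpose names, and the sample policy in `demo()`, are assumptions constructed for illustration.

```python
from enum import Enum
import secrets


class Purpose(Enum):
    CORE = "core"                # the app's basic functionality; what the user expects
    ANALYTICS = "analytics"      # not core: needs explicit opt-in
    ADVERTISING = "advertising"  # not core: needs explicit opt-in


class Decision(Enum):
    ALLOWED = "allowed"
    CONSENT_REQUIRED = "consent_required"  # show a just-in-time notice, then retry
    DISABLED_BY_USER = "disabled_by_user"  # switched off in the privacy menu
    NOT_DECLARED = "not_declared"          # usage creep: purpose not in the privacy policy


class PrivacyGate:
    """Single choke point that every data collection in the app must pass through."""

    # Privacy-menu toggle that governs each sensitive category (assumed mapping).
    SETTING_FOR_CATEGORY = {"location": "location", "social_graph": "social"}

    def __init__(self, declared):
        # declared: category -> set of Purposes the published privacy policy names for it
        self.declared = {cat: set(purposes) for cat, purposes in declared.items()}
        self.consents = set()                                # non-core purposes opted into
        self.settings = {"location": True, "social": True}   # privacy-menu toggles
        self.usage_history = []                              # every collection, reviewable/deletable
        # Random per-install token in place of UDID/IMEI/IMSI; the user can reset it.
        self.install_id = secrets.token_hex(16)

    def decide(self, category, purpose):
        """Decide whether `category` data may be collected for `purpose`."""
        if purpose not in self.declared.get(category, set()):
            return Decision.NOT_DECLARED
        toggle = self.SETTING_FOR_CATEGORY.get(category)
        if toggle is not None and not self.settings[toggle]:
            return Decision.DISABLED_BY_USER
        if purpose is not Purpose.CORE and purpose not in self.consents:
            return Decision.CONSENT_REQUIRED
        return Decision.ALLOWED

    def collect(self, category, purpose, value):
        """Return (value, decision); value is None unless the collection is allowed."""
        decision = self.decide(category, purpose)
        if decision is Decision.ALLOWED:
            self.usage_history.append((category, purpose.value))
            return value, decision
        return None, decision

    def grant(self, purpose):
        self.consents.add(purpose)

    def revoke(self, purpose):
        self.consents.discard(purpose)

    def set_setting(self, name, enabled):
        self.settings[name] = enabled

    def delete_usage_history(self):
        """User-initiated deletion; returns how many records were removed."""
        count = len(self.usage_history)
        self.usage_history.clear()
        return count

    def reset_install_id(self):
        self.install_id = secrets.token_hex(16)
        return self.install_id


def demo():
    """Walk through the decisions for a constructed policy (location: core + ads; contacts: core only)."""
    gate = PrivacyGate({
        "location": {Purpose.CORE, Purpose.ADVERTISING},
        "contacts": {Purpose.CORE},
    })
    results = {}
    results["core_location"] = gate.decide("location", Purpose.CORE)             # ALLOWED
    results["ads_before_optin"] = gate.decide("location", Purpose.ADVERTISING)   # CONSENT_REQUIRED
    gate.grant(Purpose.ADVERTISING)                                              # user opted in
    results["ads_after_optin"] = gate.decide("location", Purpose.ADVERTISING)    # ALLOWED
    results["contacts_for_ads"] = gate.decide("contacts", Purpose.ADVERTISING)   # NOT_DECLARED
    gate.set_setting("location", False)                                          # privacy menu
    results["location_off"] = gate.decide("location", Purpose.CORE)              # DISABLED_BY_USER
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.value}")
```

The point of routing everything through `decide()` is that the privacy policy, the consent state and the menu settings are checked in one place, so a new feature that wants contacts for advertising is refused with `NOT_DECLARED` until the policy is updated and republished, rather than silently widening the app's data use.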

Any developer will tell you that you don’t build great products by designing to achieve compliance; instead, you build great products by designing a great user experience.  Fortunately, in privacy, both goals are aligned.  A great privacy experience is necessarily part and parcel of a great user experience, and developers need to address users’ privacy needs at the earliest stages of development, through to release and beyond.

2013 to be the year of mobile regulation?

Posted on January 4th, 2013 by Phil Lee

After a jolly festive period (considerably warmer, I’m led to understand, for me in Palo Alto than for my colleagues in the UK), the New Year is upon us and privacy professionals everywhere will no doubt be turning their minds to what 2013 has in store for them.  Certainly, there are plenty of developments to keep abreast of, ranging from the ongoing EU regulatory reform process through to the recent formal recognition of Binding Corporate Rules for processors.  My partner, Eduardo Ustaran, has posted an excellent blog outlining his predictions here.

But one safe bet for greater regulatory attention this year is mobile apps and platforms.  Indeed, with all the excitement surrounding cookie consent and EU regulatory reform, mobile has remained largely overlooked by EU data protection authorities to date.  Sure, we’ve had the Article 29 Working Party opine on geolocation services and on facial recognition in mobile services.  The Norwegian Data Protection Inspectorate even published a report on mobile apps in 2011 (“What does your app know about you?”).  But really, that’s been about it.  Pretty uninspiring, not to mention surprising, when consumers are fast abandoning their creaky old desktop machines and accessing online services through shiny new smartphones and tablets: Forbes even reports that mobile access now accounts for 43% of total minutes spent on Facebook by its users.

Migration from traditional computing platforms to mobile computing is not, in and of itself, enough to guarantee regulator interest.  But there are plenty of other reasons to believe that mobile apps and platforms will come under increased scrutiny this year:

1.  First, meaningful regulatory guidance is long overdue.  Mobiles are inherently more privacy invasive than any other computing platform.  We entrust more data to our mobile devices (in my case, my photos, address books, social networking, banking and shopping account details, geolocation patterns, and private correspondence) than any other platform and generally with far less security – that 4 digit PIN really doesn’t pass muster.  We download apps from third parties we’ve often scarcely ever heard of, with no idea as to what information they’re going to collect or how they’re going to use it, and grant them all manner of permissions without even thinking – why, exactly, does that flashlight app need to know details of my real-time location?  Yet despite the huge potential for privacy invasion, there persists a broad lack of understanding as to who is accountable for compliance failures (the app store, the platform provider, the network provider or the app developer) and what measures they should be implementing to avoid privacy breaches in the first place.  This uncertainty and confusion makes regulatory involvement inevitable.

2.  Second, regulators are already beginning to get active in the mobile space – if this were not the case, the point above would otherwise be pure speculation.  It’s not, though.  On my side of the Pond, we’ve recently seen the California Attorney General file suit against Delta Air Lines for its failure to include a privacy policy within its mobile app (this action itself following letters sent by the AG to multiple app providers warning them to get their acts together).  Then, a few days later, the FTC launched a report on children’s data collection through mobile apps, in which it indicated that it was launching multiple investigations into potential violations of the Children’s Online Privacy Protection Act (COPPA) and the FTC Act’s unfair and deceptive practices regime.  The writing is on the wall, and it’s likely EU regulators will begin following the FTC’s lead.

3.  Third, the Article 29 Working Party intends to do just that.  In a press release in October, the Working Party announced that “Considering the rapid increase in the use of smartphones, the amount of downloaded apps worldwide and the existence of many small-sized app-developers, the Working Party… [will] publish guidance on mobile apps… early next year.” So guidance is coming and, bearing in mind that the Article 29 Working Party is made up of representatives from national EU data protection authorities, it’s safe to say that mobile privacy is riding high on the EU regulatory agenda.

In 2010, the Wall Street Journal reported: “An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders… Many apps don’t offer even a basic form of consumer protection: written privacy policies. Forty-five of the 101 apps didn’t provide privacy policies on their websites or inside the apps at the time of testing.”  Since then, there hasn’t been a great deal of improvement.  My money’s on 2013 being the year that this will change.

Article 29 Working Party pushes for Binding Safe Processor Rules

Posted on December 9th, 2012 by Eduardo Ustaran

The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).


A week in Brussels

Posted on November 16th, 2012 by Eduardo Ustaran

Life is always busy in Brussels.  Policy making and legislative activities never stop but this particular week has been rather eventful for the current European data protection reform process.  The Data Protection Congress organised by the IAPP has served as an open and constructive forum for some of the key players to get together and debate their views in front of a very sophisticated audience.  The most visible message of the week has been that all parties involved – European Parliament, Commission, Council of the EU, EDPS and of course the data protection authorities – are now working at full pace to consider the issues, listen to other stakeholders and inject their thinking into the end result.

Here are some of the key takeaways about the data protection legislative reform we heard at the IAPP Data Protection Congress:

*    Francoise Le Bail, Director General for Justice at the European Commission, kicked off a prestigious roster of keynote speakers by acknowledging the need to simplify the current proposal, particularly for the benefit of SMEs.  However, she fiercely defended two commonly criticised aspects of the draft Regulation: the Commission’s delegated acts, which she believes are needed to maintain the Regulation’s flexibility; and monetary fines, which are meant to give the new framework much needed teeth.

*    For Jan Philipp Albrecht, Rapporteur of the LIBE Committee with primary responsibility for leading the European Parliament’s position, the main challenge is to convince everyone (individuals and businesses) that a harmonised approach is needed.  Reiterating his aim to approve the final text before the next European Parliament elections in June 2014, he emphasised the need for a regulation (rather than a directive) for the sake of certainty going forward, making clear LIBE’s stance on this issue.  Mr Albrecht also said that whilst we are on the right track in terms of principles, we also need to achieve foreseeability, which suggests that some of the more technology-specific provisions will be revised.

*    Jacob Kohnstamm, Chairman of the Article 29 Working Party, showed his concern about some essential elements being under attack, namely: personal data, consent and purpose limitation.  With regard to personal data, he would favour a slight extension of the definition to cover any data that may be used to single out individuals.  He believes that it is crucial to leave the concept of consent untouched because if data protection is a fundamental right, the individual’s consent must override everything else.  With regard to purpose limitation, as well as profiling, Mr Kohnstamm announced that the Article 29 Working Party is working on alternative proposals.  Not surprisingly, Mr Kohnstamm is wary of the ‘one stop shop’ principle and emphasised the role of the proposed European Data Protection Board to get the balance right.

*    The ‘one stop shop’ principle became one of the most heatedly debated topics.  Isabelle Falque-Pierrotin, President of the CNIL, indicated that the current proposal was simply not realistic and that local data protection authorities should not be prevented from enforcing the law.  Jan Philipp Albrecht responded by saying that it is very important to have one competent regulator to ensure consistency of interpretation and actions.  The debate on this issue is clearly wide open with Peter Hustinx, the European Data Protection Supervisor, taking a position somewhere in between where there is one regulator as a single point of contact for the same organisation across the EU but all regulators are still competent.

Clearly, the pressure to get the balance right is on and whilst there is no sense of urgency yet, Sophie in ‘t Veld, MEP, summarised the situation perfectly when she referred to the fact that after months of familiarisation with the Commission’s proposals, it was now time to put our heads down and get on with the business of building the future data protection framework for Europe.


Weather forecast for cloud computing in Europe is “overall good”

Posted on October 8th, 2012 by Dominika Kupczyk

The end of September has seen the UK Information Commissioner’s Office release its guidance on cloud computing, shortly followed by the European Commission’s announcement on a new strategy for “Unleashing the potential of cloud computing in Europe”.

ICO

The ICO’s new guidance starts with a helpful ‘setting the scene’ introduction for those new to the topic of cloud computing by going through definitions, different deployment and service models before moving on to an analysis of the data protection obligations.

According to the ICO, because it determines the purposes and the manner in which any personal data may be processed, the cloud customer is most likely to be the data controller. The guidance does contain a caveat that each case of outsourcing to the cloud, and the controller/processor roles of each party, will need to be determined separately. The end of the document has a useful checklist of considerations.

The guidance sets out a logical approach that should be followed by potential customers of cloud computing services and which comprises the following steps:

  1. Data selection – selecting which data to move to the cloud and creating a record of which categories of data you are planning to move.
  2. Risk assessment – carrying out privacy impact assessments is recommended for large and complex personal data processing operations in the cloud.
  3. The type of service and provider selection – taking into account the maturity of the service offered and whether it targets a specific market.
  4. Monitoring performance – ongoing obligation throughout the time the outsourcing to the cloud takes place.
  5. Informing cloud users – this reflects the transparency principle; cloud customers who are data controllers (who make services that run on the cloud available to individuals) will need to consider informing the individuals/cloud end users of the service about the processing in the cloud.
  6. Written contract – it is a legal requirement under the Data Protection Act to have a written contract in place between a data controller and a data processor.


With regard to selecting a cloud provider the ICO points potential cloud users to the need to look at the security offered, how the data will be protected and the access controls that have been put in place. Helpfully for data controllers, the ICO recognises that it is not always possible to carry out physical audits of the cloud provider but highlights the importance of ensuring that appropriate technical and organisational security measures are maintained at all times.

On the data transfers front the ICO states that cloud customers should ask potential cloud providers for a list of countries where data is likely to be processed and for information relating to the safeguards in place there. It is unfortunate that in this aspect the ICO follows the recent Article 29 Working Party Opinion on Cloud Computing.

EU

Turning to the European Commission’s announcement of a new strategy for “Unleashing the potential of cloud computing in Europe”, the main aim of the strategy is to support the take-up of cloud computing services through creating new homogenised technical standards on interoperability, data portability and reversibility by 2013, as well as certification schemes for cloud providers. A key area on which, according to the strategy document, the Commission will concentrate its work is safe and fair contract terms and conditions for cloud computing services. This will involve developing model terms for service level agreements. The strategy stresses the importance of the ongoing work on the proposed Data Protection Regulation and the expectation that this work should be completed in 2013.

The new strategy when coupled with the recent Article 29 Working Party Opinion shows clear signs that cloud computing is fast gaining prominence on the European Commission’s Digital Agenda. At this stage it is important to track the developments in this area and for industry members to continue providing their feedback to proposals. The ICO’s guidance proves that a pragmatic approach to cloud computing is achievable without minimising the protection afforded to individuals’ personal data.

In short, the key takeaways from these developments are that in addition to contributing to the development of model contract terms, customers of cloud computing services must look at the selection process and the contractual documentation as their top priorities when approaching a cloud service relationship.

A balanced approach to the cloud

Posted on July 27th, 2012 by Eduardo Ustaran

Cloud computing is not a fashion or a swanky new name given to technology outsourcing.  Cloud computing is not a marketing plot to sell more Internet connections and fibre optics.  Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets.  Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place.  However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.

The development of cloud computing is commonly associated with the evolution of the Internet giants.  It is kind of obvious that the Internet pioneers with massive servers and an even greater vision would be the ones to spot the opportunities presented by the cloud.  The rest is now history and today, the leading cloud service providers are technology powerhouses that dictate the way businesses, governments and consumers can make the most of the information economy.  This position of power is very visible and often criticised for being incapable of accommodating requests for specific levels of data protection.

Rightly or wrongly, the cloud providers’ stance is seen by the EU data protection authorities as obstinate and the recent Article 29 Working Party Opinion on cloud computing makes that very clear.  So whilst coyly acknowledging the potential benefits of cloud computing, the Working Party firmly focuses on the risks that it presents for data protection and sets out a detailed ‘wish list’ of how to overcome them.  However, as if trying to compensate for the perceived inflexibility of the cloud providers, the Opinion of the authorities has set the bar for compliance with data protection in the context of cloud computing considerably above today’s standards.  The risk with that approach is that both customers and providers of cloud computing services may regard it as so unrealistic that rather than attempting to get close to it, they may decide to simply ignore it.

The EU data protection regulators should certainly be praised for being brave in setting their expectations.  But unfortunately some of those expectations are not only over and above the actual legal requirements, but they are also unachievable in a commercial world.  Once the potential customer of cloud services gets past the risk analysis stage – which is correctly identified by the Working Party as a crucial first step – the key element of the commercial relationship is the contract between customer and provider.  So not surprisingly, the regulators have focused their efforts on emphasising that the imbalance in the contractual power of a small controller with respect to a large service provider should not be considered as a justification for the controller to accept contractual terms which are not in compliance with data protection law.

The challenge is that if the standards for compliance involve things like getting the names of all subcontractors commissioned by the provider, being told about the locations of all data centres, getting the provider to help the customer comply with its obligations and inform that customer of changes to the cloud, plus adding an array of technical measures ranging from isolation to portability of data, compliance is simply never going to happen.  We cannot afford that to be the case when so much of the world’s information is already residing in the cloud.  Clearly, the right balance needs to be achieved by making sure that cloud customers can choose wisely and spot responsible providers, whilst those providers are encouraged to adopt the right practices.

Ultimately, it is not about who is in the strongest position to negotiate a contract, but about taking privacy and data security responsibilities truly seriously.  Aiming for a realistic level of compliance does not mean letting cloud providers off the hook.  The regulators’ frustration is more than justified when uncompromising providers try to hide behind an empty Safe Harbor registration.  Data protection is not an unachievable aim but an essential ingredient of cloud computing.  Like in all immature markets, it is still too early to distinguish fully between the good and the bad players but that is not to say that a balanced and realistic approach to the cloud will not result in an optimal level of data protection.


This article was first published in Data Protection Law & Policy in July 2012.

Binding Safe Processor Rules are Go

Posted on July 7th, 2012 by Eduardo Ustaran

It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards from which its clients could benefit to legitimise any international processing of personal data seemed ill conceived. Regulators and data protection lawyers were sceptical about the prospect of a service provider taking such a primary compliance role. However, the idea was not ill conceived and fortunately for the future of data protection, that scepticism has turned into pragmatism as the Article 29 Working Party has proved.

For those involved in international data protection, the publication by the Article 29 Working Party of a document with the elements to be found in a set of BCR for processors or Binding Safe Processor Rules (BSPR) will not have come as a complete surprise. For starters, it is patently obvious that many of those who play the role of data processors make key operational decisions about the way in which personal data is handled at a global scale. That justifies from both a public policy and a practical compliance point of view giving those processors a bigger part in relation to compliance with data protection obligations. It is precisely for that reason that the European Commission envisaged the possibility of BSPR in the draft Data Protection Regulation currently being debated in Brussels. So it was only a matter of time before the EU data protection authorities got their act together to rally behind a concept that is set to revolutionise international data protection.

The document issued by the Working Party had been in the making for quite some time and a fair amount of thinking has gone into the process of replicating the complex BCR requirements in a data processor context. The regulators knew that for BSPR to work, the requirements had to be realistic in terms of compliance responsibilities and, above all, suited to those who do not normally have a direct relationship with the individuals whose data they process. Part of the early criticism about BSPR was due to the fact that in traditional terms, data controllers should always be responsible for complying with the law and for ensuring that the information for which they are primarily accountable is adequately protected. Therefore, the process of crafting a viable set of criteria for BSPR has involved detailed legal work and considerable imagination.

The result is a near perfect balance between what is possible and what is desirable. A key point of reference to determine whether a framework such as BSPR is ever going to fly is the potential liability of the safe processor. Aim for a zero liability approach and no controller in the land will trust you with their data. Impose an unqualified direct level of responsibility and only the bravest (or foolish) service providers will swallow it. The Working Party has gone for a tried and tested level of liability, the same one that appears in the model clauses for international data transfers approved by the European Commission. The effect is that processors will be no worse off under BSPR than under the model clauses.

An equally important measure to determine the viability of BSPR is the scope of the substantive data protection safeguards that apply to safe processors. BSPR was never going to be just about ensuring an appropriate level of security. BSPR, like BCR, are about adopting a holistic approach to responsible personal data processing and the regulators’ expectations reflect that. But the good news is that, unlike in the case of Safe Harbor, each of the privacy principles at the core of BSPR has been thought out with the processor role in mind. So safe processors will be expected to do things like being cooperative with controllers, complying with their instructions and helping them honour individuals’ rights. Clearly, achieving practical data protection is very much the aim.

As the first applications for BSPR status start rolling, we will see how the data protection authorities live up to their own criteria. The work is by no means over but what four years ago was a dream, tomorrow will be the way to go for responsible global data services providers.

This article was first published in Data Protection Law & Policy in June 2012.

A belt and braces approach to the Cloud

Posted on July 4th, 2012 by Brian Davidson

The EU’s Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of ‘Cloud Computing’ – a term which provokes debate in data privacy circles not only about what it is (essentially the use of technologies which focus on efficient internet-based delivery of IT applications, processing services and storage capacity) but also about the risks such technology poses. The truth is, cloud services are here to stay, delivering efficiencies to a huge number of public authorities and global organisations – witness the City of Los Angeles, which signed a deal with Google for the use of its cloud services to deliver more efficient public services and store data; or more recently Apple’s ‘iCloud’ service, which allows its army of users to purchase, store and access media content and personal documents across their Apple devices.

Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is very keen to express the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by ‘cloud clients’ as they surrender their personal data to the ‘cloud providers’ and with it their control of the technical and organisational measures that ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally refers to ‘cloud clients’ as data controllers, on the basis that they generally determine the purpose and outsourcing of the processing, and to ‘cloud providers’ as ‘data processors’, on the basis that they provide the cloud services based on the instructions of their clients.)

The Opinion also highlights a lack of ‘transparency’ as another risk, whereby insufficient information on a cloud provider’s operations poses a risk to clients and data subjects, on the basis that they may not be aware of potential threats to their data and therefore cannot take appropriate actions. Therefore, the Working Party highlights the need for such ‘cloud clients’ to carry out adequate risk assessments of potential cloud providers before implementation of any project.

The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients ‘may not have room for manoeuvre’ with regard to contractual terms when negotiating with cloud providers – particularly many of the larger providers who offer ‘standardised’ services. Nevertheless the Opinion emphasises that it is still the cloud client who assumes the role of ‘data controller’ (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.

In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:

- the technical and/or organisational measures to be implemented by the cloud provider, including clarification of the responsibilities of the cloud provider to notify the cloud client in the event of a data breach.

- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.

- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.

- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.

- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard – with the client retaining the power to object to such changes and/or terminate the contract.

- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.

Finally, the Opinion recognises the need to regulate data transfers to so-called ‘third countries’ in the context of cloud services but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the ‘adequacy’ of such transfers are somewhat limited. In this regard, the Opinion starts by rejecting the Safe Harbor mechanism as a transfer solution, on the basis that Safe Harbor certification alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by Data Protection Authorities at the national level – particularly on the data security issues applicable to cloud computing, where the Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective.

Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with its applicable sub-processor provisions) but more importantly recognises the suitability of the BCR framework; and specifically the ongoing development of Binding Safe Processor Rules (BSPR) which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.

In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party’s expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.