Archive for the ‘Binding Safe Processor Rules’ Category

Legislative realism needed

Posted on November 25th, 2013 by



One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, one-stop-shop and a hundred other micro-issues is only creating more questions than answers.

So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in ‘Internet time’! But the reality is that the drafts we have on the table today still follow relatively closely the Commission’s vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.

Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for modest tweaks to the current drafts that might contribute to making the forthcoming regime a bit more realistic and workable:

Personal data – It is quite outrageous that we are still trying to figure out whether someone’s name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let’s therefore define personal data by reference to the impact that information about someone may have on that individual.

Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word ‘explicit’ in it or not, everybody is going to interpret it in whichever way they want. Let’s focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.

International data transfers – Until now, UK controllers have been privileged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, this is unlikely to continue to be an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU but without the need for specific authorisation by national regulators. Hardly an earth-shattering move, but one that would help minimise useless paperwork.

One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission’s proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn’t it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let’s make it happen and also apply this concept to cases where the data controllership is outside Europe.

Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.

This article was first published in Data Protection Law & Policy in November 2013.

The conflicting realities of data globalisation

Posted on June 17th, 2013 by



The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings. Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by. But data is always on the move and we don’t even need to leave home to be contributing to this. Ordinary technology right at our fingertips is doing the job for us, leaving behind an international trail of data – some more public than others.

The Internet is global by definition. Or more accurately, by design. The original idea behind the Internet was to rely on geographically dispersed computers to transmit packets of information that would be correctly assembled at destination. That concept developed very quickly into a borderless network and today we take it for granted that the Internet is unequivocally global. This effect has been maximised by our ability to communicate whilst on the move. Mobile communications have penetrated our lives at an even greater speed and in a more significant way than the Internet itself.

This trend has led visionaries like Google’s Eric Schmidt to affirm that thanks to mobile technology, the number of digitally connected people will more than triple – going from the current 2 billion to 7 billion people – very soon. That is more than three times the amount of data generated today. Similarly, the global leader in professional networking, LinkedIn, which has just celebrated its 10th anniversary, is banking on mobile communications as one of the pillars for achieving its mission of connecting the world’s professionals.

As a result, everyone is global – every business, every consumer and every citizen. One of the realities of this situation has been exposed by the recent PRISM revelations, which highlight very clearly the global availability of digital communications data. Perversely, the news about the NSA programme is set to have a direct impact on the current and forthcoming legislative restrictions on international data flows, which is precisely one of the factors disrupting the globalisation of data. In fact, PRISM is already being referred to as a key justification for a tight EU data protection framework and strong jurisdictional limitations on data exports, no matter how nonsensical those limitations may otherwise be.

The public policy and regulatory consequences of the PRISM affair for international data flows are pretty predictable. Future ‘adequacy findings’ by the European Commission as well as Safe Harbor will be negatively affected. We can assume that if the European Commission decides to have a go at seeking a re-negotiation of Safe Harbor, this will be cited as a justification. Things will not end there. Both contractual safeguards and binding corporate rules will be expected to address possible conflicts of law involving data requests for law enforcement or national security reasons in a way that no blanket disclosures are allowed. And of course, the derogations from the prohibition on international data transfers will be narrowly interpreted, particularly when they refer to transfers that are necessary on grounds of public interest.

The conflicting realities of data globalisation could not be more striking. On the one hand, everyday practice shows that data is geographically neutral and simply flows across global networks to make itself available to those with access to it. On the other, it is going to take a fair amount of convincing to show that any restrictions on international data flows should be both measured and realistic. To address these conflicting realities we must therefore acknowledge the global nature of the web and Internet communications, the borderless fluidity of the mobile ecosystem and our human ability to embrace the most ambitious innovations and make them ordinary. So since we cannot stop the technological evolution of our time and the increasing value of data, perhaps it is time to accept that regulating data flows should not be about putting up barriers but about applying globally recognised safeguards.

This article was first published in Data Protection Law & Policy in June 2013.

BCR for processors get EU regulators’ vital endorsement

Posted on May 1st, 2013 by



The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19 page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging but right now, the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, one stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

*    The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

*    That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to subprocessors which are part of the same organisation acting on behalf and under the instructions of a controller.

*    BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

*    However, BCR for processors do not aim to shift controllers’ duties to processors.

*    A processor’s organisation that have implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors part of its organisation as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

*    BCR for processors already “approved” at EU level will be referred by the controller as the appropriate safeguards proposed for the international transfers.

*    Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!

 

How to solve BCR conflicts with local law

Posted on March 13th, 2013 by



A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfill its responsibilities under both applicable local law and the BCR, so a head-on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take and consult with EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that sets an expected baseline level of compliance throughout the organization – exceeded only if and when required by local law.

Technology issues that will shape privacy in 2013

Posted on December 13th, 2012 by



Making predictions as we approach a new year has become a bit of a tradition.  The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today’s uncertain world are pretty low.  Having said that, it wouldn’t be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission’s power to adopt ‘delegated acts’.  But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year’s key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.

A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon.  Like having a website in the late 90s, launching a mobile app has become a ‘must do’ for any self-respecting consumer-facing business.  However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles.  That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile.  The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality.  Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.

Mobile data collection via apps has been a focus of attention in the USA for a while but recent developments are a clue to what is about to happen.  The spark may well have been ignited by the California Attorney General who, in the first ever legal action under the state’s online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy.  Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so.  On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children’s data.  These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app.  In fact, these cases are almost certainly the start of a trend that will extend to Europe in 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.

Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement.  What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators’ compliance expectations actually are.  Will ‘implied consent’ become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices?  Much would need to change for the latter to prevail but at the same time, the ‘wait and see’ attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law.  Let that be a lesson for the future.

The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud.  Much has been written on the data protection implications of cloud computing in the past months.  Regulators have given detailed advice.  Policy makers have made grand statements.  But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors’ data protection offerings.  Let us hope that we can use this opportunity to listen to each other’s concerns, agree a commercially realistic set of standards and get the balance right.  That would be a massive achievement.

 

This article was first published in Data Protection Law & Policy in December 2012.

Article 29 Working Party pushes for Binding Safe Processor Rules

Posted on December 9th, 2012 by



 

The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).

 

Privacy in the global village

Posted on September 4th, 2012 by



There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best to protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

 
This article was first published in Data Protection Law & Policy in August 2012.

A balanced approach to the cloud

Posted on July 27th, 2012 by



Cloud computing is not a fashion or a swanky new name given to technology outsourcing.  Cloud computing is not a marketing plot to sell more Internet connections and fibre optics.  Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets.  Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place.  However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.

The development of cloud computing is commonly associated with the evolution of the Internet giants.  It is kind of obvious that the Internet pioneers with massive servers and an even greater vision would be the ones to spot the opportunities presented by the cloud.  The rest is now history and today, the leading cloud service providers are technology powerhouses that dictate the way businesses, governments and consumers can make the most of the information economy.  This position of power is very visible and often criticised for being incapable of accommodating requests for specific levels of data protection.

Rightly or wrongly, the cloud providers’ stance is seen by the EU data protection authorities as obstinate and the recent Article 29 Working Party Opinion on cloud computing makes that very clear.  So whilst coyly acknowledging the potential benefits of cloud computing, the Working Party firmly focuses on the risks that it presents for data protection and sets out a detailed ‘wish list’ of how to overcome them.  However, as if trying to compensate for the perceived inflexibility of the cloud providers, the Opinion of the authorities has set the bar for compliance with data protection in the context of cloud computing considerably above today’s standards.  The risk with that approach is that both customers and providers of cloud computing services may regard it as so unrealistic that rather than attempting to get close to it, they may decide to simply ignore it.

The EU data protection regulators should certainly be praised for being brave in setting their expectations.  But unfortunately some of those expectations are not only over and above the actual legal requirements, but they are also unachievable in a commercial world.  Once the potential customer of cloud services gets past the risk analysis stage – which is correctly identified by the Working Party as a crucial first step – the key element of the commercial relationship is the contract between customer and provider.  So not surprisingly, the regulators have focused their efforts on emphasising that the imbalance in the contractual power of a small controller with respect to a large service provider should not be considered as a justification for the controller to accept contractual terms which are not in compliance with data protection law.

The challenge is that if the standards for compliance involve things like getting the names of all subcontractors commissioned by the provider, being told about the locations of all data centres, getting the provider to help the customer comply with its obligations and inform that customer of changes to the cloud, plus adding an array of technical measures ranging from isolation to portability of data, compliance is simply never going to happen.  We cannot afford that to be the case when so much of the world’s information is already residing in the cloud.  Clearly, the right balance needs to be achieved by making sure that cloud customers can choose wisely and spot responsible providers, whilst those providers are encouraged to adopt the right practices.

Ultimately, it is not about who is in the strongest position to negotiate a contract, but about taking privacy and data security responsibilities truly seriously.  Aiming for a realistic level of compliance does not mean letting cloud providers off the hook.  The regulators’ frustration is more than justified when uncompromising providers try to hide behind an empty Safe Harbor registration.  Data protection is not an unachievable aim but an essential ingredient of cloud computing.  Like in all immature markets, it is still too early to distinguish fully between the good and the bad players but that is not to say that a balanced and realistic approach to the cloud will not result in an optimal level of data protection.

 

This article was first published in Data Protection Law & Policy in July 2012.

Binding Safe Processor Rules are Go

Posted on July 7th, 2012 by



It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards from which its clients could benefit to legitimise any international processing of personal data seemed ill conceived. Regulators and data protection lawyers were sceptical about the prospect of a service provider taking such a primary compliance role. However, the idea was not ill conceived and fortunately for the future of data protection, that scepticism has turned into pragmatism as the Article 29 Working Party has proved.

For those involved in international data protection, the publication by the Article 29 Working Party of a document with the elements to be found in a set of BCR for processors or Binding Safe Processor Rules (BSPR) will not have come as a complete surprise. For starters, it is patently obvious that many of those who play the role of data processors make key operational decisions about the way in which personal data is handled at a global scale. That justifies from both a public policy and a practical compliance point of view giving those processors a bigger part in relation to compliance with data protection obligations. It is precisely for that reason that the European Commission envisaged the possibility of BSPR in the draft Data Protection Regulation currently being debated in Brussels. So it was only a matter of time before the EU data protection authorities got their act together to rally behind a concept that is set to revolutionise international data protection.

The document issued by the Working Party had been in the making for quite some time and a fair amount of thinking has gone into the process of replicating the complex BCR requirements in a data processor context. The regulators knew that for BSPR to work, the requirements had to be realistic in terms of compliance responsibilities and, above all, suited to those who do not normally have a direct relationship with the individuals whose data they process. Part of the early criticism about BSPR was due to the fact that in traditional terms, data controllers should always be responsible for complying with the law and for ensuring that the information for which they are primarily accountable is adequately protected. Therefore, the process of crafting a viable set of criteria for BSPR has involved detailed legal work and considerable imagination.

The result is a near perfect balance between what is possible and what is desirable. A key point of reference to determine whether a framework such as BSPR is ever going to fly is the potential liability of the safe processor. Aim for a zero liability approach and no controller in the land will trust you with their data. Impose an unqualified direct level of responsibility and only the bravest (or most foolish) service providers will swallow it. The Working Party has gone for a tried and tested level of liability, the same one that appears in the model clauses for international data transfers approved by the European Commission. The effect is that processors will be no worse off under BSPR than under the model clauses.

An equally important measure to determine the viability of BSPR is the scope of the substantive data protection safeguards that apply to safe processors. BSPR was never going to be just about ensuring an appropriate level of security. BSPR, like BCR, are about adopting a holistic approach to responsible personal data processing and the regulators’ expectations reflect that. But the good news is that, unlike in the case of Safe Harbor, each of the privacy principles at the core of BSPR has been thought out with the processor role in mind. So safe processors will be expected to do things like cooperate with controllers, comply with their instructions and help them honour individuals’ rights. Clearly, achieving practical data protection is very much the aim.

As the first applications for BSPR status start rolling in, we will see how the data protection authorities live up to their own criteria. The work is by no means over but what four years ago was a dream, tomorrow will be the way to go for responsible global data services providers.

This article was first published in Data Protection Law & Policy in June 2012.

A belt and braces approach to the Cloud

Posted on July 4th, 2012 by



The EU’s Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of ‘Cloud Computing’ – a term which not only invokes debate in data privacy circles about what it is (it’s essentially the use of technologies which focus on efficient internet-based delivery of IT applications, processing services and memory space) but also the risks of such technology. The truth is, cloud services are here to stay, delivering efficiencies to a huge number of public authorities and global organisations – witness the City of Los Angeles, which signed a deal with Google for the use of its cloud services to deliver more efficient public services and store data; or more recently Apple’s ‘iCloud’ service, which allows its army of users to purchase, store and access media content and personal documents across their Apple devices.

Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is very keen to express the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by ‘cloud clients’ as they surrender their personal data to the ‘cloud providers’ and therefore their control of technical and organisational measures to ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally refers to ‘cloud clients’ as data controllers, on the basis that they generally determine the purpose and outsourcing of the processing, and to ‘cloud providers’ as ‘data processors’, on the basis that they provide the cloud services based on the instructions of their clients.)

The Opinion also highlights a lack of ‘transparency’ as another risk, whereby insufficient information on a cloud provider’s operations poses a risk to clients and data subjects, on the basis that they may not be aware of potential threats to their data and therefore cannot take appropriate actions. Therefore, the Working Party highlights the need for such ‘cloud clients’ to carry out adequate risk assessments of potential cloud providers before implementation of any project.

The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients ‘may not have room for manoeuvre’ with regard to contractual terms when negotiating with cloud providers – particularly many of the larger providers who offer ‘standardised’ services. Nevertheless the Opinion emphasises that it is still the cloud client who assumes the role of ‘data controller’ (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.

In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:

- the technical and/or organisational measures to be implemented by the cloud provider, including clarification of the responsibilities of the cloud provider to notify the cloud client in the event of a data breach.

- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.

- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.

- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.

- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard – with the client retaining the power to object to such changes and/or terminate the contract.

- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.

Finally, the Opinion recognises the need to regulate data transfers to so-called ‘third countries’ in the context of cloud services but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the ‘adequacy’ of such transfers are somewhat limited. In this regard, the Opinion starts by rejecting the Safe Harbor mechanism as a transfer solution, on the basis that Safe Harbor certification alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by Data Protection Authorities at the national level, particularly on the data security issues applicable to cloud computing. The Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective in this regard.

Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with their applicable sub-processor provisions) but more importantly recognises the suitability of the BCR framework, and specifically the ongoing development of Binding Safe Processor Rules (BSPR), which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.

In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party’s expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.