Archive for the ‘Cloud computing’ Category

Article 29 Working Party issues draft model clauses for processor-to-subprocessor data transfers

Posted on April 9th, 2014 by

On 21st March 2014, the Article 29 Working Party (“WP 29″) issued a working document (WP 214) proposing new contractual clauses for cross-border transfers between an EU-based processor and a non-EU-based sub-processor (“draft model clauses”). This document addresses the situation where personal data are initially transferred by a controller to a processor within the European Union (“EU”) and are subsequently transferred by the processor to a sub-processor located outside the EU.

Back in 2010, the EU Commission adopted a revised version of its model clauses for transfers between a controller in the EU and a processor outside the EU, partly to integrate new provisions on sub-processing. However, it deliberately chose not to apply these new model clauses to situations whereby a processor established in the EU and performing the processing of personal data on behalf of a controller established in the EU subcontracts his processing operations to a sub-processor established in a third country (see recital 23 of the EU Commission’s Decision 2010/87/EU).

Absent Binding Corporate Rules, many EU data processors were left with few options for transferring the data outside the EU. This issue is particularly relevant in the context of a growing digital economy where more and more companies are transferring their data to cloud computing service providers who are often based outside the EU. Negotiating ad hoc model clauses on a case-by-case basis with the DPAs seemed to be the only solution available. This is precisely what the Spanish DPA undertook in 2012 when it adopted a specific set of standard contractual clauses for processor–to-sub-processor transfers and put in place a new procedure allowing data processors based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based outside the EU.

This has inspired the WP 29 to use the Spanish model as a basis for preparing draft ad hoc model clauses for transfers from an EU data processor to a non-EU sub-processor that could be used by any processor established in the EU. However, these draft model clauses have yet to be formally adopted by the European Commission before they can be used by companies and it may take a while before the EU Commission adopts a new official set of model clauses for data processors. Meanwhile, companies cannot rely on the draft model clauses to obtain approval from their DPAs to transfer data outside the EU. While the WP 29′s document certainly paves the way in the right direction, it remains to be seen how these draft model clauses will be received by the business sector and whether they can work in practice.

Below is a list of the key provisions under the draft model clauses for data processors:

  • Structure: the overall structure and content of these draft clauses are similar to those that already exist under the controller-to-processor model clauses, but have been adapted to the context of transfers between a processor and sub-processor.
  • Framework Contract: the EU data processor must sign a Framework Contract with its controller, which contains a detailed list of obligations (16 in total) specified in the draft model clauses – including restrictions on onward sub-processing.  The practical effect of this could be to see the service terms between controllers and their EU processors expand to include a substantially greater number of data protection commitments, all with a view to facilitating future extra-EU transfers by the processor to international sub-processors under these model clauses.
  • Sub-processing: the EU processor must obtain its controller’s prior written approval in order to subcontract data processing activities to non-EU processors. It is up to the controller to decide, under the Framework Contract, whether it grants a general consent up front for all sub-processing activities, or whether a specific case-by-case approval is required each time the EU processor intends to subcontract its activities. The same applies to the sub-processing by the importing non-EU sub-processors. Any non-EU sub-processor must be contractually bound by the same obligations (including the technical and organisational security measures) as those that are imposed on the EU processor under the Framework Agreement.
  • List of sub-processing agreements: the EU processor must keep an updated list of all sub-processing agreements concluded and notified to it by its non-EU sub-processor at least once per year and must make this list available to the controller.
  • Third party beneficiary clause: depending on the situation, the data subject has three options to enforce model clause breaches against data processing parties to it – including initially against the exporting EU data processor (where the controller has factually disappeared or has ceased to exist in law), the importing non-EU data processor (where both the controller and the EU data processor have factually disappeared or have ceased to exist in law), or any subsequent sub-processor (where the controller, the exporting EU data processor and the importing non-EU data processor have all factually disappeared or have ceased to exist in law).
  • Audits: the exporting EU data processor must agree, at the request of its controller, to submit its data processing facilities for audit of the processing activities covered by the Framework Contract, which shall be carried out by the controller himself, or alternatively, an independent inspection body selected by the controller. The DPA competent for the controller has the right to conduct an audit of the exporting EU data processor, the importing non-EU data processor, and any subsequent sub-processor under the same conditions as those that would apply to an audit of the controller. The recognition of third party independent audits is especially important for cloud industry businesses who – for security and operational reasons – will often be reluctant to have clients conduct on-site audits but will typically be more comfortable holding themselves to independent third party audits.
  • Disclosure of the Framework Contract: the controller must make available to the data subjects and the competent DPA upon request a copy of the Framework Contract and any sub-processing agreement with the exception of commercially sensitive information which may be removed. In practice, it is questionable how many non-EU suppliers will be willing to sign sub-processing agreements with EU data processors on the understanding that provisions within those agreements could end up being disclosed to regulators and other third parties.
  • Termination of the Framework Contract: where the exporting EU processor, the importing non-EU data processor or any subsequent sub-processor fails to fulfil their model clauses obligations, the controller may suspend the transfer of data and/or terminate the Framework Contract.

Click here to access the WP 29′s working document WP 214 on draft ad hoc contractual clauses “EU data processor to non-EU sub-processor”.

Click here to view the article published in the World Data Protection Report.

Complex Cloud Contracting

Posted on March 26th, 2014 by

The greatest pleasure, and the greatest challenge, of being a privacy lawyer is the need to be both an ethicist and a pragmatist.  Oftentimes, I find myself advising companies not just on what is the legal thing to do, but what is the right thing to do (and, no, the two aren’t always one and the same); while, on other occasions, my task is to find solutions to real or imagined business impediments presented by the law.

Nowhere is this dichotomy more apparent than when advising on cloud deals.  The future is cloud and mobile, as someone once said.  So it seems an oddity that privacy laws are all too often interpreted in ways that impair cloud adoption and utilization.  This oddity is perhaps most apparent when negotiating cloud deals, where two parties who are in commercial agreement and want to realize the benefits of a cloud relationship are unable to reach contractual agreement over basic data protection terms.

This failure to reach contractual agreement is so often due to a misunderstanding, or (sometimes) a perverse interpretation of, EU data protection requirements, that I thought I’d use this post to set the record straight.  The following is necessarily broad brush, but hopefully paints a picture of the key things to consider in cloud deals and how to address them:

1.  What data protection terms does the law require?  In most cloud relationships, the service provider will be a “data processor” and its client the “data controller”.  In this type of relationship, the client is legally obligated to impose two key requirements on the service provider – first, that the service provider must act only on its instructions; second, that the service provider must have in place “appropriate” security.  There’s no point negotiating these.  Just accept them as a legal necessity and move on.

2.  What about Germany?  Germany is a huge market for cloud contracting, but its data privacy laws are notoriously strict.  If you’re a cloud provider rolling out a pan-EU service, you have to address German data privacy requirements as part of your offering or risk not doing business in a major EU market.  In addition to the two requirements just described above, Germany also mandates the need for precise “technical and organisational” security measures to be in place for the cloud service and the granting of audit rights in favour of the cloud client.  These need to be addressed either within the standard EU ts&cs for the cloud service or, alternatively, by way of bespoke terms just for German deals.

3.  Audit rights???  Yes, that’s right. Certain EU territories, like Germany, expect that cloud clients should have audit rights over their cloud providers.  To most cloud providers, the idea of granting audit rights under their standard terms is an anathema.  Imagine a provider with thousands of clients – you only need a small fraction of those clients to exercise audit rights at any one time for the business disruption to be overwhelming.  Not only that, but allowing multiple clients onsite and into server rooms for audit purposes itself creates a huge security risk. So what’s the solution?  A common one is that many cloud service providers have these days been independently audited against ISO and SSAE standards.  Committing in the contract to maintain recognised third party audit certifications throughout the duration of the cloud deal – possibly even offering to provide a copy of the audit certification or a summary of the audit report – will (and rightly should) satisfy many cloud clients.

4.  The old “European data center” chestnut.  I’ve been in more than a few negotiations where there’s been a mistaken belief that the cloud service provider needs to host all data in Europe in order for the service to be “legal” under European data protection law.  This is a total fallacy.  Cloud service providers can (and, make no mistake, will) move data anywhere in the world – often in the interests of security, back-ups, support and cost efficiency.  What’s more, the law permits this – though it does require that some manner of legal “data export” solution first be implemented for data being transferred out of Europe.  There are a number of solutions available – from model clauses to safe harbor to Binding Corporate Rules.  Cloud clients need to check their service providers have one of these solutions in place and that it covers the data exports in question but, so long as they do, then there’s no reason why data cannot be moved around internationally for service-related reasons.

5.  Security.  The law requires cloud clients to ensure that their service providers have implemented “appropriate” security.  The thing is, cloud clients often aren’t best able to assess whether their cloud provider’s security is or is not “appropriate” – one of the commonly cited reasons for outsourcing to the cloud in the first place is to take the benefit of the greater security expertise that cloud providers offer.  To further complicate matters, some territories – like Germany, Poland and Spain – have precise data security rules.  It’s highly unlikely that a cloud provider will ever tailor its global IT infrastructure to address nationally-driven requirements of just one or two territories, so outside of heavily-regulated sectors, there’s little point trying to negotiate for those.  Instead, cloud clients should look to other security assurances the cloud provider can offer – most notably, whether it maintains ISO and SSAE certification (see above!).

6.  Subcontracting.  Cloud suppliers subcontract: it’s a fact of life.  Whether to their own group affiliates or externally to third party suppliers, the likelihood is that the party concluding the cloud contracting will not be (solely) responsible for performing it.  The question inevitably arises as to whether the supplier needs its client’s consent to subcontract: the short answer is, generally, yes, but there’s no reason why a general consent to subcontract can’t be obtained upfront in the contract.  At the same time, however, the cloud customer will want assurances that its data won’t be outsourced to a subcontractor with lax data protection standards, so any such consent should be carefully conditioned on the cloud provider flowing down its data protection responsibilities and committing to take responsibility for managing the subcontractor’s compliance.

7.  What other terms should be in a cloud contract?  In addition to the points already discussed, it’s critical that cloud providers have in place a robust data breach response mechanism – so that they detect security intrusions asap and inform the cloud client promptly, giving it the opportunity to manage its own fallout from the breach and address any legal data breach notification requirements it may be under.  In addition, cloud providers should be expected to inform their clients (where legally permitted to do so) about any notices or complaints they receive concerning their hosting or processing of their client’s data – the client will generally be on the hook for responding to these, so it’s important it receives these notices promptly giving it adequate time to respond.

So there’s no reason that data protection should be holding those deals up!  All of the issues described above have straightforward solutions that should be palatable to both cloud clients and providers alike.  Remember: good data protection and good business are not mutually exclusive – but realistic, compatible goals.

The Commission combats the EU Data Residency rumours

Posted on October 21st, 2013 by

Last week, the European Commission published a memo entitled ‘What does the Commission mean by secure Cloud computing services in Europe?‘. The memo stems from the Commission’s 2012 strategy Unleashing the Potential of Cloud Computing in Europe‘ and addresses the growing concerns about the implications for the European cloud computing market following the PRISM revelations. It also provides insight into the hot topic of whether the Commission will introduce requirements for cloud providers to keep EU citizen’s data within European borders. 

The Commission has made it clear that its vision is for Europe to become the global leader in the cloud computing market particularly in relation to data protection and security. One of the Commission’s aims is to align the cloud market with the proposals contained in the EU data protection regulation, by establishing a single market for cloud computing. The Commission also strongly opposes the ‘Fortress Europe‘ approach to cloud computing and stresses the need for a uniform approach since undertaking separate national or regional initiatives threatens to fragment the market and weaken the EU’s strength in this area. The Commission’s memo also reiterates that ‘the fundamental principle at stake is the need to look beyond borders when it comes to cloud computing‘ – meaning that although it aims to promote a European single market for cloud services, its intention is not to require providers to host EU citizen’s data in Europe but to work across borders. It seems cloud providers who feared unachievable plans to keep data within Europe, can now breathe a sigh of relief.

As well as confirming its stance on EU data residency, the Commission’s memo recognises the increased importance of encouraging smaller European businesses and consumers to use the cloud with the aim of increasing productivity. It is hoped that although Europe is not recognised as a leader in this area yet, the Commission will be able to leverage the EU’s reputation for ‘relatively high standards of data protection, security, interoperability and transparency about service levels and government access to information‘ to help increase the use of the cloud within and out side of Europe. As a way of tackling the slow adoption of the cloud in Europe, the Commission plans to encourage EU-wide voluntary certification schemes to increase transparency and security in the cloud.  In other words, the Commission is looking to pro-competitive measures to help promote the European cloud market, rather than trying to ‘force’ European cloud development through onerous rule-making.

How achievable the Commission’s plans are to establish Europe as the world’s leading trusted cloud region will inevitably be impacted by the implementation of the EU data protection regulation (with the LIBE Committee’s vote on its amendment proposals taking place today – see here). But at least, for now, cloud providers have some much-needed comfort that the Commission has no plans to force them to start building additional data centres in the EU anytime soon.    

What will happen to Safe Harbor?

Posted on April 27th, 2013 by

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers) as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.


Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by

As expectation and concerns rise whilst we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice is music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework . The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO, would not have to maintain documentation, carry out PIAs or request authorisation to data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation takes this “new reality” into account and suggests the adoption some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data; for example, by extending binding corporate rules to the network of sub-processors.

Technology issues that will shape privacy in 2013

Posted on December 13th, 2012 by

Making predictions as we approach a new year has become a bit of a tradition.  The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today’s uncertain world are pretty low.  Having said that, it wouldn’t be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission’s power to adopt ‘delegated acts’.  But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year’s key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.

A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon.  Like having a website in the late 90s, launching a mobile app has become a ‘must do’ for any self-respecting consumer-facing business.  However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles.  That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile.  The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality.  Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.

Mobile data collection via apps has been a focus of attention in theUSAfor a while but recent developments are a clue to what is about to happen.  The spark may well have been ignited by the California Attorney General who in the first ever legal action under the state’s online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy.  Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so.  On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children’s data.  These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app.  In fact, these cases are almost certainly the start of a trend that will extend toEuropein 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.

Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement.  What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators’ compliance expectations actually are.  Will ‘implied consent’ become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices?  Much would need to change for the latter to prevail but at the same time, the ‘wait and see’ attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law.  Let that be a lesson for the future.

The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud.  Much has been written on the data protection implications of cloud computing in the past months.  Regulators have given detailed advice.  Policy makers have made grand statements.  But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors’ data protection offerings.  Let us hope that we can use this opportunity to listen to each other’s concerns, agree a commercially realistic set of standards and get the balance right.  That would be a massive achievement.


This article was first published in Data Protection Law & Policy in December 2012.

Article 29 Working Party pushes for Binding Safe Processor Rules

Posted on December 9th, 2012 by


The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).


Privacy’s greatest threat and how to overcome it

Posted on October 22nd, 2012 by

After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated.  The same might also be said of privacy.  Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.“.  However, if last week’s IAPP Privacy Academy in San Jose was anything to go by, privacy is very much alive and kicking.

It’s easy to understand why concerns about the death of privacy arise though.  Today’s data generation, processing and exploitation is simply vast – way beyond a level any of us could meaningfully hope to comprehend or, dare I suggest, control.  The real danger to privacy though is not the scale of data processing that goes on – that’s simply a reality of living in a modern day, technology-enabled, society; a Pandora’s box that, now opened, cannot now be closed.  Instead, the real danger to privacy is excessive and unrealistic regulation.

Better regulation drives better compliance

From many years of working in privacy, it’s been my experience that most businesses work hard to be compliant.  Naturally, there are outliers, but these few cases should not drive the regulation that determines how the majority conduct their business.  It’s also been my experience that compliance is most often achieved where the standards applied by legislators and regulators are accurate, proportionate and not excessive – the same standards they expect our controllers to apply when processing personal data.  In other words, legislation and regulation drives the best behaviour when it is achievable.

By contrast, excessive, disproportionate regulation that does not accurately reflect the way that technology works or recognise the societal benefits that data processing can deliver often brings about the opposite effect.  By making compliance impossible, or at least, disproportionately burdensome to achieve, businesses, unsurprisingly, often find themselves falling short of expected regulatory standards – in many cases, wholly unintentionally.

The recent “cookie law” is a good example of this: a law that, though well-intentioned, is effectively seen as regulating a technology (cookies) rather than a purpose (tracking), leading to widespread confusion about the standards that apply and – let’s be honest – non-compliance currently on an unprecedented scale throughout the EU.

Why the Regulation mustn’t make the same mistake

In its current form, the proposed General Data Protection Regulation also runs this risk.  The reform of Europe’s data protection laws is a golden, once-in-a-generation opportunity to re-visit how we do privacy and build a better, more robust framework that fosters new technologies and business innovation, while still protecting against unwarranted privacy intrusions and harm.

But instead of focussing on the “what”, the legislation focuses too much on the “how”: rather than looking to the outputs we should strive to achieve (namely, ensuring that ever-evolving technologies do not make unwarranted intrusions into our private lives) the draft legislation instead mandates excessive accountability standards that do not take proper account of context or actual likelihood of harm.

For example:

*  How, exactly, does an online business ensure that its processing of child data is predicated only on parental or guardian consent (Article 8)?  My prediction: many websites will build meaningless terms into their website privacy policies that children must not use the site – delivering no “real” protection in practice.

*  Why is it necessary for an organisation transferring data internationally to inform individuals “on the level of protection afforded by that third country … by reference to an adequacy decision of the Commission” (Article 14)? Do data subjects really care where their data goes and whether the Commission has made an adequacy decision – or do they just want assurance that their data will be used for legitimate purposes and at all times kept safe and secure, wherever it is?  How does this work in a technology environment that is increasingly shifting to the cloud?

*  Why should controllers be required to provide data portability to data subjects in an “electronic and structured format which is commonly used” (Article 18)?  Surely confidentiality and data security is best achieved through the use of proprietary systems whose technology is not “commonly used”, therefore less understood and vulnerable to external attack?  Are we legislating for a future of security weakness?

*  Why should data controllers and processors maintain such extensive levels of data processing documentation (Article 28)?  How will smaller businesses cope with this burden?  Yes, an exemption applies for businesses employing less than 250 persons but only if their data processing is “ancillary” to the main business activities – immediately ruling out most technology start-ups.

*  And how can we still, in this day and age, operate on a misguided assumption that model contracts provide a sound basis for protecting international exports of data (Article 42)?  Wouldn’t it make more sense to require controllers to make their own adequacy assessment and to hold them to account if they fall short of the mark?

Make your voice heard!

For the past 17 years, the European Union has been a standard-bearer in operating an effective legal and regulatory framework for privacy.  That framework is now showing its age and, if not reformed in a way that understands, respects and addresses the range of different (and competing) stakeholder interests, risks being ruinous to the privacy advancements Europe has achieved to date.

The good news is that reforming an entire European legal framework doesn’t happen overnight, and the process through to approval and adoption of the General Data Protection Regulation is a long one.  While formal consultation periods are now closed, there remain many opportunities to get involved in reform discussions through legislative and regulatory liaisons at both a European and national level.

To make their voices heard, businesses throughout the data processing spectrum must seize this opportunity to get involved.  Only through informed dialogue with stakeholders can Europe hope to output technology-neutral, proportionate legislation that delivers meaningful data protection in practice.  If it does this, then Europe stands the best chance of remaining a standard-bearer for privacy for the next 17 years too.

Weather forecast for cloud computing in Europe is “overall good”

Posted on October 8th, 2012 by

The end of September has seen the UK Information Commissioner’s Office release its guidance on cloud computing, shortly followed by the European Commission’s announcement on a new strategy for “Unleashing the potential of cloud computing in Europe”.


The ICO’s new guidance starts with a helpful ‘setting the scene’ introduction for those new to the topic of cloud computing by going through definitions, different deployment and service models before moving on to an analysis of the data protection obligations.

According to the ICO, based on the fact of determining the purposes and the manner in which any personal data may be processed, the cloud customer is most likely to be the data controller. The guidance does contain a caveat that each case of outsourcing to the cloud and the controller/processor roles of each party will need to be determined separately. The end of the document has a useful checklist of considerations.

The guidance sets out a logical approach that should be followed by potential customers of cloud computing services and which comprises the following steps:

  1. Data selection – selecting which data to move to the cloud and creating a record of which categories of data you are planning to move.
  2. Risk assessment – carrying out privacy impact assessments is recommended for large and complex personal data processing operations in the cloud.
  3. The type of service and provider selection– taking into account the maturity of the service offered and whether it targets a specific market.
  4. Monitoring performance – ongoing obligation throughout the time the outsourcing to the cloud takes place.
  5. Informing cloud users – this reflects the transparency principle; cloud customers who are data controllers (who make services that run on the cloud available to individuals) will need to consider informing the individuals/cloud end users of the service about the processing in the cloud.
  6. Written contract – it is a legal requirement under the Data Protection Act to have a written contract in place between a data controller and a data processor.


With regard to selecting a cloud provider the ICO points potential cloud users to the need to look at the security offered, how the data will be protected and the access controls that have been put in place. Helpfully for data controllers, the ICO recognises that it is not always possible to carry out physical audits of the cloud provider but highlights the importance of ensuring that appropriate technical and organisational security measures are maintained at all times.

On the data transfers front the ICO states that cloud customers should ask potential cloud providers for a list of countries where data is likely to be processed and for information relating to the safeguards in place there. It is unfortunate that in this aspect the ICO follows the recent Article 29 Working Party Opinion on Cloud Computing.


Turning to the European Commission’s announcement of a new strategy for “Unleashing the potential of cloud computing in Europe”, the main aim of the strategy is to support the take-up of cloud computing services through creating new homogenised technical standards on interoperability, data portability and reversibility by 2013; as well as certification schemes for cloud providers. A key area where, according to the strategy document, the Commission will concentrate its work on will be safe and fair contract terms and conditions for cloud computing services. This will involve developing model terms for service level agreements. The strategy stresses the importance of the ongoing work on the proposed Data Protection Regulation and the expectation that this work should be completed in 2013.

The new strategy when coupled with the recent Article 29 Working Party Opinion shows clear signs that cloud computing is fast gaining prominence on the European Commission’s Digital Agenda. At this stage it is important to track the developments in this area and for industry members to continue providing their feedback to proposals. The ICO’s guidance proves that a pragmatic approach to cloud computing is achievable without minimising the protection afforded to individuals’ personal data.

In short, the key takeaways from these developments are that in addition to contributing to the development of model contract terms, customers of cloud computing services must look at the selection process and the contractual documentation as their top priorities when approaching a cloud service relationship.

A balanced approach to the cloud

Posted on July 27th, 2012 by

Cloud computing is not a fashion or a swanky new name given to technology outsourcing.  Cloud computing is not a marketing plot to sell more Internet connections and fibre optics.  Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets.  Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place.  However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.

The development of cloud computing is commonly associated with the evolution of the Internet giants.  It is kind of obvious that the Internet pioneers with massive servers and an even greater vision would be the ones to spot the opportunities presented by the cloud.  The rest is now history and today, the leading cloud service providers are technology powerhouses that dictate the way businesses, governments and consumers can make the most of the information economy.  This position of power is very visible and often criticised for being incapable of accommodating requests for specific levels of data protection.

Rightly or wrongly, the cloud providers’ stance is seen by the EU data protection authorities as obstinate and the recent Article 29 Working Party Opinion on cloud computing makes that very clear.  So whilst coyly acknowledging the potential benefits of cloud computing, the Working Party firmly focuses on the risks that it presents for data protection and sets out a detailed ‘wish list’ of how to overcome them.  However, as if trying to compensate for the perceived inflexibility of the cloud providers, the Opinion of the authorities has set the bar for compliance with data protection in the context of cloud computing considerably above today’s standards.  The risk with that approach is that both customers and providers of cloud computing services may regard it as so unrealistic that rather than attempting to get close to it, they may decide to simply ignore it.

The EU data protection regulators should certainly be praised for being brave in setting their expectations.  But unfortunately some of those expectations are not only over and above the actual legal requirements, but they are also unachievable in a commercial world.  Once the potential customer of cloud services gets past the risk analysis stage – which is correctly identified by the Working Party as a crucial first step – the key element of the commercial relationship is the contract between customer and provider.  So not surprisingly, the regulators have focused their efforts on emphasising that the imbalance in the contractual power of a small controller with respect to a large service provider should not be considered as a justification for the controller to accept contractual terms which are not in compliance with data protection law.

The challenge is that if the standards for compliance involve things like getting the names of all subcontractors commissioned by the provider, being told about the locations of all data centres, getting the provider to help the customer comply with its obligations and inform that customer of changes to the cloud, plus adding an array of technical measures ranging from isolation to portability of data, compliance is simply never going to happen.  We cannot afford that to be the case when so much of the world’s information is already residing in the cloud.  Clearly, the right balance needs to be achieved by making sure that cloud customers can choose wisely and spot responsible providers, whilst those providers are encouraged to adopt the right practices.

Ultimately, it is not about who is in the strongest position to negotiate a contract, but about taking privacy and data security responsibilities truly seriously.  Aiming for a realistic level of compliance does not mean letting cloud providers off the hook.  The regulators’ frustration is more than justified when uncompromising providers try to hide behind an empty Safe Harbor registration.  Data protection is not an unachievable aim but an essential ingredient of cloud computing.  Like in all immature markets, it is still too early to distinguish fully between the good and the bad players but that is not to say that a balanced and realistic approach to the cloud will not result in an optimal level of data protection.


This article was first published in Data Protection Law & Policy in July 2012