Where Is My Data? (Part 2)
To read the first part of this article, click here.
In the USA the Department of Commerce in 2000 created the Safe Harbor framework to ensure that organisations put appropriate controls in place to protect the data of European and UK companies when that data is stored in the USA (for example, an American company with regional offices in the UK, France and Germany that keeps employee data such as employment, tax and personal details centrally in the USA). Safe Harbor consists of seven principles established specifically so that US companies importing such data can comply with EU data protection requirements.
The Safe Harbor approach, which allows data on EU subjects to be moved out of the EU, does not have the adoption you may expect, even if you decide it covers your needs. Many US cloud firms have not signed up to Safe Harbor and the liabilities it might entail for them. So it is important to establish two things: one, does it give you the protection you want, and two, has the vendor you are considering signed up to it, and is this reflected in your terms of service or licence with them? Transfers to US organisations adhering to the Safe Harbor principles can take place lawfully under EU law, since the recipient organisations are deemed to provide an adequate level of protection for the data.
There has been much discussion recently about storing data in the USA or with non-European cloud firms, much of it driven by the realisation that the United States can use the Patriot Act to access European citizens’ data without their consent. The Patriot Act gives the US government and law enforcement agencies the ability to access foreign data stored on US-located servers, as well as data held in the EU by US-based vendors.
You may also hear of the Article 29 Working Party, an independent European advisory body on data protection and privacy issues, made up of representatives of the data protection authorities of the 27 EU member states. It analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA). In July 2012 the Article 29 Working Party stated that companies exporting data to providers outside their local jurisdiction should not merely rely on the data importer’s statement that it holds a Safe Harbor certification. It recommends that the exporting company obtain evidence that the Safe Harbor self-certification exists and request evidence demonstrating that the principles are actually being complied with. In the Working Party’s words: “Businesses that wish to use cloud services to store and process personal data must use providers that can ‘guarantee’ compliance with EU data protection laws.” The Working Party’s conclusion appears to be that US Safe Harbor coverage is not robust enough on its own, because it cannot substitute for the contractual arrangements and guarantees that individual data protection authorities may require.
Public clouds are offered globally to audiences ranging from enterprise companies through to small businesses and consumers, and when using them there is a risk of data leaving the EU without your knowledge. You have the right to know whether this may happen and where your data may be stored, and the cloud provider should be open and transparent about this so that you can make an educated choice.
Since the issues around US-stored cloud data and the Patriot Act’s lack of alignment with the Safe Harbor principles came to light, European bodies have been revising and updating the data protection laws that apply to all 27 EU member states, and this review is still under way as this article is written. Outlined plans for change, including amendments that may compel any non-European company with customers or clients within Europe to comply with European regulations, are expected to take effect over the next few years. The European Commission has said it will come forward with proposals to reform the 1995 Data Protection Directive, and within the next year or so we can expect an outcome. Recent discussion has also mooted that these changes may go as far as restricting firms to keeping data within the EU, although this is much argued against as limiting European firms’ technological choice.
The other challenge that has highlighted the need for more legal clarity is whether the customer or the cloud provider is the data controller. The controller is the party that determines the purposes and means of the processing of personal data; the processor is the party that processes personal data on behalf of the controller. Typically this means the customer is the controller; however, because of the nature of the cloud computing environment the historical definitions can be unclear, and such roles still often need to be determined case by case until legal clarity is brought to bear.
Therefore a cloud provider’s service contract with you should make clear whether you or they are acting as the data controller and thus carry the legal responsibility for the data held and processed in the chosen cloud service. Data controllers bear greater responsibility for data protection compliance than data processors.
In the majority of SaaS cases the customer will be seen as the data controller and the cloud service provider as the data processor. Therefore, to remain on the right side of the Data Protection Act and EU law when moving data outside the EU (when using foreign, and most likely US, services), the customer needs to have performed due diligence and ensured that adequate protection is in place to meet its own obligations as the data controller, obligations for which company directors are liable.
For example, a US cloud service that is cheap and promises no contract to tie you in may seem attractive at first, but with no contract, what terms are protecting your data? Where and how is the provider holding, securing and protecting it, and if asked, how would you demonstrate that you protected that data diligently when you have no contract to cite for the terms under which it is held and protected? Should anything happen to that provider or to your data, an Information Commissioner’s Office query into your data obligations would likely conclude against you at the first hurdle, finding that you transferred customer data without due protection in place in the form of a contract.
It is important to understand that you may be subject to the authority of the jurisdiction where your data and systems are hosted, or of the jurisdiction the parent company providing the hosting is from. If you want to be sure that you are compliant with local data laws and are doing right by the clients whose data you hold, then you should be vigilant in understanding where your data is ultimately held and whether the hosting entity is compliant with the local legislation that you require. The new EU data protection regulation could mean fines of up to two per cent of company turnover for data security breaches, and with fines and data breaches being reported more diligently, evaluating your obligations around data security and sovereignty now, and understanding them and any necessary actions, is key.
It is your data that you are putting into the cloud, and according to the lawyers and the data protection laws that means you are responsible for it. You are by default the data controller and must choose a cloud provider that guarantees compliance with data protection legislation. Microsoft, Google, Amazon, Salesforce and any other US-based organisation have to comply with US law, meaning that any data housed, stored or processed by a US-based company is open to inspection and interception by US authorities without notice to, or permission from, the non-US company that has hosted its data in their systems.
In fact, during Microsoft’s Office 365 launch, Gordon Frazer, Managing Director of Microsoft UK, admitted exclusively to ZDNet that the Patriot Act can be invoked by US law enforcement to access EU-stored data without consent. He admitted that Microsoft would comply with the Patriot Act because its headquarters are in the US; while it would try to inform its customers before this happened, it could not guarantee to do so. This means that if you do business with the UK subsidiary of a US-based cloud operator that hosts your data in the UK, and you specify that English law applies and that the service operates under EU data protection law, the FBI can still get access to your data. While this had already been suspected, this was the first clear affirmation, and it holds for any US-based cloud provider.
This may illustrate why, in the Cloud Industry Forum’s 2012 Cloud Adoption outlook report, 47 per cent of UK organisations wanted their data stored in the UK (a figure that has likely increased now that we have seen a year of Prism news). This reflects a sense that national law is perceived as providing a higher level of comfort for users. In a separate public survey of 5,800 individuals carried out by the Cloud Industry Forum, 64 per cent had concerns about where their data would be stored.
To read the concluding part of this article, click here.
This article originally appeared in Outsource magazine Issue #35 Spring 2014.