Cloud computing and EU information insurance law: Part Two
This part summarises how EEA cloud users are affected by the Directive’s requirement that EEA countries must restrict transfers of ‘personal data’ outside the EEA, except to countries affording an ‘adequate’ level of protection – meaning, a standard in keeping with the Directive’s main principles.
This international transfers restriction (Restriction) applies even if an EEA user transfers personal data internally, to its own (non-EEA) branch or group company.
The general view is that the Restriction would apply if, in order to process or store personal data, an EEA controller uses a cloud provider who employs data centres outside the EEA, so that data might flow to non-EEA data centres. This is one driver behind cloud providers increasingly offering European customers the option to confine data to EEA servers only.
Indeed, non-EEA users who process personal data, but use EEA cloud providers or any providers who occupy EEA data centres, could theoretically become subject to EU data protection laws. The Restriction could apply when trying to ‘re-export’ the data – even data originally collected outside the EEA, relating only to non-EEA individuals. This must raise issues about enforcement against non-EEA users.
To maximise efficient resource utilisation, in cloud computing automated software might replicate or move data between different data centres, possibly even in different countries. Some cloud providers might know or be able to pinpoint the exact geographical location of certain data at any one time, but are reluctant to share that information with their users, for security or other reasons. However, other providers can’t determine data location.
Even where all relevant data centres are confined to the EEA, if non-EEA staff access personal data, eg for support queries, that could involve a ‘transfer’ to them.
It’s not only deliberately uploading personal data to a cloud service that might trigger the Restriction. Eg, a German data protection regulator required local website owners to deactivate the Facebook ‘Like’ plugin etc on their sites, on the basis that it would send visitors’ personal data to Facebook in the US, which was not permitted without visitors’ prior informed consent.
So, how can cloud users who are ‘controllers’ of personal data comply with the Restriction?
The European Commission has decided that certain countries have ‘adequate protection’: Andorra, Argentina, Canada (where the Canadian Personal Information Protection and Electronic Documents Act 2000 applies), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man and Jersey.
Personal data might therefore be transferred to data centres in those countries for processing there. But that whitelist is short. How else can ‘adequate protection’ be achieved?
Data subjects (individuals to whom data relate) could be asked to consent to transfers of their personal data outside the EEA. However, that’s generally considered inadequate for repeated or regular transfers, as opposed to one-off transfers, because strict conditions apply and, if consent is withdrawn, the position could be difficult to unwind.
Also, the person transferring data might not be the person whose consent is needed, as in the German example above. It might depend on the circumstances.
Therefore, in practice, other methods are usually considered safer for compliance.
US organisations (including cloud providers) that import personal data from the EU can show an adequate standard of protection by participating in the ‘Safe Harbor’ programme, a self-regulatory regime established by an agreement between the EU and US. However, certain organisations aren’t eligible, notably telecommunication common carriers and financial institutions.
Currently many large cloud providers are US-based, so it might seem that Safe Harbor would be the obvious way to facilitate EEA controllers’ use of US cloud services.
However, doubts have been raised about the effectiveness of Safe Harbor, particularly by German regulators. For instance, Safe Harbor has been in place since 2000, but the US Federal Trade Commission took its first action for breach of Safe Harbor principles only in 2011 - against Google, regarding its Buzz service, for not giving notice or choice to users when it used data collected for Gmail for different purposes.
The Danish regulator has ruled, in relation to Google Apps, that Safe Harbor can only be used if the personal data transferred are processed in data centres located in the EEA or US – and only there. Stating ‘Europe’ for data centre locations wasn’t considered good enough, as some European countries aren’t in the EEA.
Furthermore, the position on ‘onward transfers’ to third parties of personal data initially transferred under Safe Harbor is unclear.
The cloud provider receiving the initial transfer under Safe Harbor could be using a sub-provider’s services – typically, SaaS layered on IaaS or PaaS. For example, Dropbox’s SaaS storage service is built on Amazon’s IaaS infrastructure service, so here Dropbox is the provider, Amazon the sub-provider. As the status of the IaaS or PaaS sub-provider under Safe Harbor is uncertain in such a situation, it’s unclear what requirements must be met for ‘onward transfer’ of data to a sub-provider whose infrastructure is being used. Similarly, there might be issues if a controller wants to allow third parties access to personal data originally transferred under Safe Harbor.
‘Adequate protection’ might be provided by making transfers under contractual clauses in a form approved by the Commission.
There are two main sets of these model clauses: for transfers from controller to controller, and from controller to processor.
Providers are generally considered ‘processors’, although in some cases they might be controllers (the dividing line isn’t clear enough), and in others, maybe neither.
However, model clauses have their limitations. They must be used without any changes, although they can form part of a larger contract. So, they can only be used if a provider is willing to agree to commitments under them, ‘as is’. Also, model clauses won’t help where a provider is not even a processor, or the processor set of clauses was used but the provider turns out to be a controller!
Furthermore, there are issues with the layered situation (again, consider SaaS on IaaS/PaaS) where a provider offers services based on the IaaS/PaaS services of a non-EEA sub-provider. In this scenario, an EEA controller can use model clauses only where the provider is itself non-EEA – but not where the provider is EEA-established.
In the latter case, signing model clauses with the provider won’t work; the non-EEA sub-provider needs to sign up to model clauses directly with the controller, or with the EEA provider acting for the controller – or sign an ad hoc agreement with the controller, which regulators might or might not approve.
This means that, in the layered situation involving non-EEA sub-providers, it might actually be easier for EEA controllers to use non-EEA providers. This might drive customers away from EEA providers. The asymmetric position of EEA and non-EEA providers of cloud services that are based on, eg, Amazon, Google App Engine or Windows Azure, seems unintended – but it is what it is.
Furthermore, if non-EEA controllers use EEA data centres or EEA providers to process personal data, model clauses can’t be used to ‘re-export’ the data. That might put non-EEA cloud users off from using EEA providers or data centres.
So in many ways, current laws actually discourage customers who are controllers of personal data from using EEA providers or EEA data centres!
Hopefully, in future lawmakers will remove these disincentives. A draft Data Protection Regulation to reform current laws was proposed by the Commission in Jan 2012, and is going through the EU legislative process currently. It would allow transfers under model clauses adopted or approved by a supervisory authority, as well as by the Commission, which is helpful. Suitable model clauses rectifying this problem, and covering processor to processor transfers, would be welcome.
‘Binding corporate rules’ are codes of conduct governing international transfers of personal data within the controller’s multinational corporate group, meant to be enforceable by data subjects.
Personal data might be transferred under BCRs approved by relevant authorities. However, the process for obtaining regulatory approval of BCRs is long and expensive, with different countries having their own procedures, and some data protection authorities still require individual approval of individual transfers made under approved BCRs. BCRs might support data transfers within a corporate group’s private cloud, though.
There have been only a handful of BCRs to date, for large global groups that can afford the time and money.
The draft Regulation would require EEA-wide approval of BCRs, and also envisages permitting BCRs within processors’ corporate groups. That would help, but transfers are still limited to within a group. Extending BCRs to allow transfers within a community cloud, eg of separate financial services organisations with common high security requirements, might be even more helpful.
Own adequacy assessment
Even without any of the above, controllers might still be able to provide ‘adequate safeguards’ for international transfers. The UK regulator doesn’t pre-approve transfers, but lets controllers make their own adequacy assessments. However, many other EEA countries won’t allow this, and it might be time-consuming and costly to seek approval for each ad hoc data transfer contract.
The draft Regulation would allow transfers only under Commission adequacy decisions, or if ‘appropriate safeguards’ for data protection are adduced ‘in a legally binding instrument’ (such as BCRs or model clauses). That might stop authorities from permitting controllers to make their own adequacy decisions, and seems retrograde. It could increase bureaucracy and requests for regulatory pre-approvals. Wouldn’t regulators’ resources be better directed towards investigating and enforcing data protection law breaches, rather than approving routine transfers?
Given the issues summarised above, it’s not surprising that currently the easiest practical way of dealing with the Restriction is simply to keep personal data within the EEA.
Some providers allow customers to choose the geographical region for their data/applications. However, as flagged above, for controllers to comply with the Restriction it might not be enough to offer “Europe” or even “Western Europe” as a region; providers need to offer “EEA”, or list named EEA countries.
Even providers who allow users to specify “EEA” or particular EEA countries might not commit contractually to keeping data in the selected region, although eg Amazon does now agree not to move data from the selected region without notification (unless required by law/authorities).
A final problem is that EEA countries have implemented the Directive differently, so their data protection laws are not identical. For example, UK security requirements are relatively general and high level, whereas Italy requires many detailed measures.
This means that personal data moving between data centres in different EEA countries could be subject to different legal requirements at different times, even within the EEA! That’s obviously not really satisfactory, and one aim of the draft Regulation is to harmonise data protection laws across the EU. Being a Regulation rather than a Directive, its provisions would apply directly across the EU when it takes effect, without countries having to pass any implementing legislation.
However, direct effect isn’t enough. To achieve true harmonisation, the Regulation needs to be sufficiently clear and certain. But, in many respects, it isn’t. Different countries, authorities and courts might interpret it differently. More work is needed on the draft Regulation.
The Restriction obviously inhibits EEA users from using non-EEA data centres (or providers who use non-EEA data centres) for cloud computing, notwithstanding cloud’s potential cost savings and greater flexibility. Furthermore, data protection laws are not sufficiently clear or harmonised across the EEA. While there are exceptions to the Restriction or ways to achieve adequacy, they are not straightforward.
As technology improves, costs reduce and customers increasingly demand greater transparency for regulatory compliance and other reasons, maybe more providers will, to maintain or increase market competitiveness, offer users capabilities to monitor data location etc, at least to country level – whether as a standard or additionally-priced feature.
It’s also not inconceivable that in future servers could be housed in ships or aircraft in or over international waters, flying the flag of an EEA country. Google has patented floating data centres, while the Pirate Bay is considering using servers on drones in low orbit, although for other reasons and probably not sporting any EEA flags!
However, let’s step back and ask a more basic question. Is the Restriction really still appropriate today? It was written in the days of floppy disks and stand-alone databases, based on the assumption that data physically located in a particular country would risk being accessed by unauthorised third parties in that country.
But surely this assumption has been undermined by technological developments and globalisation, particularly the ease of data transmission and remote access to data via the internet. Personal data might be emailed, instant messaged, tweeted or copied to recipients in multiple countries across the world instantly, as well as being accessible internationally on websites – and even accessed remotely by hackers.
Wouldn’t a better, if more radical, solution be to abolish the Restriction altogether? Restricting data location isn’t the only or even the best way to prevent unauthorised access to personal data. Shouldn’t the availability of encryption be recognised? What’s more at risk: strongly-encrypted data stored outside the EEA on servers with no network connection, or unencrypted data on insecure internet-connected servers in the EEA? Isn’t it relevant that cloud data may be stored in fragmented form using proprietary file systems, so that seizing equipment or even a data centre might not necessarily result in unauthorised access to data (unless the provider cooperates)?
Rather than specifically restricting data location, why not simply focus on requiring appropriate security, transparency and accountability requirements that are technologically neutral and take into account cloud computing’s characteristics, with data location being only one factor that might affect data security?
The draft Regulation would not do that. While in some ways it tries to address certain of the problems mentioned above, in other ways it might make international data transfers more difficult, as discussed previously.
It seems unfortunate that the opportunity wasn’t taken to allow appropriate safeguards to be provided using technological means, eg by the controller using encryption and keeping its own backups.
The draft Regulation would allow transfers necessary for ‘the purposes of the legitimate interests pursued by the controller or the processor’, where it has secured appropriate safeguards. However, that won’t be permitted where transfers are ‘frequent or massive’. But how much or how often is ‘frequent or massive’? It’s not clear enough. More importantly, shouldn’t the focus simply be on having appropriate safeguards, whatever the size or frequency of transfers?
In summary, restricting data export per se, rather than emphasising security, accountability and transparency (wherever in the world data are processed), might hold back the efficient use of cloud computing, and the draft Regulation would exacerbate this.
The full paper by Kuan Hon and Prof Christopher Millard detailing the above (including tables showing how the Restriction applies to various permutations of locations of cloud user, provider and data centre) is available for free download: Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the EEA? The Cloud of Unknowing, Part 4
Kuan Hon, a non-practising English barrister and New York attorney, is part-time consultant to the Cloud Legal Project, and a joint law and computer science PhD candidate at Queen Mary, University of London.