Out-Law Analysis | 13 Feb 2017 | 9:00 am | 4 min. read
Banks that set out a data residency plan with their cloud provider will not necessarily have more control over their data than other types of cloud customers in cases where providers utilise servers based all over the world.
There are effective technical measures, including encryption, which can be used to give banks better access to and control over data held in the cloud. Getting those measures right is more important than where data is processed or stored, and this should be reflected in how banks are deemed to meet regulatory requirements.
There are also conflicts in international law between the privacy safeguards which need to be afforded to personal data and the potential disclosure of that information.
The location of data, including issues concerning the transfer of data outside the European Economic Area (EEA) and access to data by law enforcement authorities, is one of seven issues identified as the main barriers to banks' adoption of cloud-based services in a new report by the British Bankers' Association, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.
The issues facing global banks
Banks that operate globally are increasingly looking at cloud-based services as an opportunity to not only streamline their existing IT systems, but to tap into the latest digital technologies.
Cloud solutions offer banks flexibility and scalability in terms of their IT resources. The global nature of data processing in the cloud can further help banks reduce latency in the services they deliver.
However, banks cannot simply select a cloud provider that processes data on servers based all over the world. There are compliance checks that must be undertaken first.
Where banks wish to process personal data in the cloud there are cross-border data transfer challenges to overcome. This is because using cloud-based services may involve the transfer of data outside of the EEA. EU and UK data protection laws set out strict requirements on the privacy protections that must be in place before transfers of personal data of this kind take place.
Further, in cloud computing guidance published last year, the FCA said banks must "agree a data residency policy" with a cloud provider "upon commencing a relationship with them". The policy should set out "the jurisdictions in which the firm’s data can be stored, processed and managed", it said.
The purpose of the guidelines is to ensure the FCA's and other UK regulators' "effective access" to data held in the cloud is not inhibited because of the jurisdiction the data is stored in.
The FCA said firms should consider factors such as "the wider political and security stability of the jurisdiction; the law in force in the jurisdiction in question (including data protection); and the international obligations of the jurisdiction" when making such an assessment.
The FCA's guidance, however, does not fully account for the extra-territorial reach of some legislation. It presumes that storing data outside of some countries will mean it is not subject to disclosure in those jurisdictions.
This presumption is not necessarily right, and a high-profile case before the US courts provides an example of this.
A US district court previously ordered Microsoft to disclose customer data it held on servers based in Ireland to US authorities to help those authorities with a criminal investigation.
That ruling, which considered the scope of a warrant issued under the US Stored Communications Act, was overturned by the US Court of Appeals last year after Microsoft challenged the decision of the district court on privacy grounds. The company has said that any disclosures of that nature should be governed by international agreements, such as mutual legal assistance treaties (MLATs) which serve to balance conflicting laws.
The Court of Appeals ruling could still be overturned by the US Supreme Court.
Beyond the Microsoft case, the scope of the US authorities' data gathering capabilities has also been highlighted by the revelations of whistleblower Edward Snowden, a former contractor at the National Security Agency.
In response to heightened privacy concerns that the Snowden revelations provoked, a number of cloud providers announced plans to enable more localised storage of data for their customers. Microsoft even developed a particular structural solution in partnership with Deutsche Telekom in Germany in an attempt to ensure data it held was beyond the reach of foreign government access, except through proper channels such as under the terms of MLATs.
So it is clear that, by engaging third party cloud providers to store and process data, banks might find that their data is potentially subject to disclosure to overseas authorities.
This presents a challenge for banks and cloud providers where customer data is concerned, as their privacy obligations under the Data Protection Act, or GDPR when it takes effect, may conflict with the disclosure laws in other countries.
EU law makers have attempted to address this conflict in the provisions of the GDPR. The GDPR contains a so-called 'anti-FISA' clause which will ban data transfers or disclosures under any third country judgment or decision except under an international agreement such as a mutual legal assistance treaty (MLAT). FISA is the US Foreign Intelligence Surveillance Act.
For its part, the UK government announced that it would not opt in to the anti-FISA clause. It said this is "as a result of concerns relating to the integrity of the UK legal system".
Cloud providers may therefore find themselves in a difficult position if they are required to safeguard the privacy of data held in accordance with the GDPR and also disclose customer personal data to the US authorities.
An alternative way to give banks more control over data
The FCA wants to ensure that banks meet their obligations on data security and other duties under data protection legislation. It also seeks to ensure that banks have control over their own data, and that it can exercise its audit rights in a cloud context in a similar way to how it would if banks' data were stored on servers on-premises.
But the regulator should clarify in its guidance that banks do not need to provide access to encryption keys unless required to do so under a court order or other similar disclosure process. It is counterintuitive for the keys to potentially sensitive data to be made available under anything other than the strictest of circumstances.
Marc Dautlich is an expert in information law at Pinsent Masons, the law firm behind Out-Law.com