Out-Law Analysis

The Prism programme and privacy concerns: questions for UK business outsourcing

FOCUS: Businesses should evaluate their data storage and outsourcing arrangements in the wake of reports about US and UK surveillance methods, but patchy details make decision making difficult.

Recent news reports have raised questions about the privacy of data stored by major technology companies. The news could have major implications for outsourcing, and will have been unsettling reading for many companies which use cloud services.

Businesses must firstly find out about the legal regimes their outsourcing providers are subject to, but this can be difficult if providers do not make public all the situations in which personal data is made available to government or law enforcement bodies. The lack of clarity may prompt some companies to bring data back under their direct control, but another option is to use non-US based providers of personal data processing services.

What has happened?

In recent days the Guardian, and newspapers in the US, published details of a programme called 'Prism' which reportedly permits the US National Security Agency (NSA) to collect data "directly from the servers" of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple. Through the programme, the NSA is able to access e-mail communications, photos, video and voice chat as well as online social networking details, among other things, according to leaked files published by the Guardian.

It is reported that the NSA has shared details of the information gathered through Prism with the UK's lead intelligence agency, GCHQ. Foreign Secretary William Hague has said that allegations that GCHQ has used its partnership with the US to access data it cannot legally obtain under UK law are "baseless".

Many of the tech companies have released statements admitting that they do accede to legal requests for access to data they store whilst denying their knowledge of Prism or their participation in any surveillance programme that involves granting direct access to their systems.

Amidst assurances from US President Barack Obama, UK Prime Minister David Cameron and various government and intelligence agency officials that such surveillance has been conducted within legal frameworks, some politicians and civil liberty groups have expressed concerns about the precise way in which Prism operates and whether individuals' privacy rights are being observed.

What is Prism and under what legal basis is it used?

The US director of national intelligence, James R. Clapper, has described Prism as "an internal government computer system used to facilitate the government’s statutorily authorised collection of foreign intelligence information from electronic communication service providers under court supervision, as authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA)". Clapper has said media outlets had not provided "the full context" to how Prism operates.

FISA sets out the procedures that US intelligence agencies have to follow in order to gather foreign intelligence information about foreign based individuals for the purposes of protecting against attacks on the US, such as terrorism. Under the regime intelligence agencies require a court to sanction the acquisition of data.

In the UK, there is legislation that enables law enforcement and intelligence agencies to access so-called 'communications data' - information that reveals the identity of sender/caller and recipient of communications such as phone calls and emails, and time and location of communication, amongst other details, but not the actual content of the communications themselves.

The Data Retention Directive requires telecoms firms to retain, and hand over upon request, identifying details of phone calls and emails for up to two years to help the police detect and investigate serious crimes. The details exclude the content of those communications.

The Regulation of Investigatory Powers Act (RIPA) can also be used by law enforcement agencies to force telecoms companies to hand over customers' details in order to tap phone, internet or email communications.

What has this got to do with outsourcing?

Outsourcing involves the placing of trust in a third-party to undertake tasks on your behalf and necessitates that businesses give up some control over how the third-party performs those tasks. The attraction of such arrangements is that businesses can save time and money or simply achieve greater flexibility by sourcing IT services and infrastructure, for example hosting services or application software, on demand, when they need it.

Business use of cloud computing has changed the nature of outsourcing in recent years. Now a growing number of UK businesses are turning to major cloud providers to store confidential business data for them, such as personal information about employees and customers.

All businesses in the UK that collect and process personal data are subject to rules set out in the Data Protection Act. Businesses are required to ensure, fundamentally, that all processing of personal data is carried out fairly and lawfully, regardless of whether they do the processing themselves or contract with others to do the processing on their behalf.

The Act makes it clear that businesses can legitimately process personal data without individuals' consent where the processing "is necessary for compliance with any legal obligation to which the data controller is subject" – such as handing over data in line with RIPA, for example.

Outsourcing contracts will generally account for this eventuality, but the emergence of cloud computing as a model for outsourcing has made it necessary for companies to become aware of a wider range of legislation under which their data could be accessed. This is because the nature of cloud computing means that data may be stored on a variety of servers based in different locations across the world and therefore be subject to access by various law enforcement or intelligence agencies under different legal regimes.

The US Patriot Act in particular also gives law enforcement the right, subject to certain conditions, to obtain information on individuals from US "electronic communication service providers" without those individuals' knowledge or consent.

Businesses must ensure that they are aware of the extent of the legal regimes third party providers can be subject to when entering into outsourcing contracts. Privacy regulators have made it clear that firms must be open with customers about the circumstances in which their personal data may be processed.

But a difficulty arises where third party providers, whether knowingly or otherwise, omit details about potential circumstances in which personal data in their control may be processed.

The recent reports about the workings of the Prism programme will have unnerved businesses who outsource the storage of personal data to third party cloud providers. Those firms will want urgent answers from their providers about what kind of access law enforcement and intelligence agencies have had to their data.

What are the options for businesses?

Firms will have to evaluate whether they can continue to meet their data protection obligations if cloud providers cannot offer them sufficient assurances on privacy. Some may be prompted to explore alternative arrangements with smaller non-US sourcing cloud providers, some may look instead to more traditional data centre storage options, whilst others may elect to keep the responsibility for storing data in their own hands.

Marc Dautlich is a data protection expert at Pinsent Masons, the law firm behind Out-Law.com 
