Out-Law News | 30 Jan 2013 | 12:00 pm | 4 min. read
Businesses should be prevented from using model contract clauses and binding corporate rules (BCRs) as mechanisms for processing personal data in the cloud because those arrangements do not prohibit US law enforcement bodies from gaining access to that information, a report for the European Parliament has said.
The report, ordered by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), said that the EU had created "derogations" from traditional rules governing international transfers of personal data that, in a cloud computing context, could not adequately protect the privacy of that information. It said BCRs and model contract clauses were examples of the 'derogations' created and that both were "equally unsuitable to prevent the use of cloud data for surveillance purposes".
The report (63-page / 1.32MB PDF) said that the EU had made "errors" when forging an agreement with the US over the recognition of US organisations' data protection standards. The terms of the EU's 'Safe Harbor' agreement with the US mean that the EU cannot control who can access EU citizens' personal data once it has been uploaded to cloud servers, it said.
"The existing derogations must be dis-applied for Cloud because of the systemic risk of loss of data sovereignty," the report said. "The EU should open new negotiations with the US for recognition of a human right to privacy which grants Europeans equal protections in US courts."
The US-EU Safe Harbor agreement (SHA) allows for such data transfers where data protections meet EU standards. US organisations that conform to requirements of the scheme are deemed as having met European safety standards outlined in the Data Protection Directive.
Under that Directive companies are prohibited from sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection.
When a company wants to send personal data to non-EEA countries, so-called 'third' countries, that company must ensure that adequate protections are in place. 'Adequate' in this context means that the data is given the same protections that it would receive under EU law. This applies even when the transfer is from one group company to another.
One mechanism open to companies to achieve those 'adequacy' standards is to put in place binding corporate rules (BCRs), which are legally-binding commitments companies draw up over the transfer and processing of personal data outside of the EEA. BCRs are most often used to enable 'intra-group' transfers of personal data.
Another mechanism is the use of model contract clauses, specific clauses which the European Commission has approved for use in contracts.
However, the report warned that US authorities could "lawfully" obtain access to EU citizens' personal data on cloud servers under the terms of the US Patriot Act or US Foreign Intelligence Surveillance Amendment (FISA) Act and, consequently, the EU's sole "sovereignty" over that data was lost when it was uploaded onto cloud servers. This was despite the EU's pronouncements on BCRs and model contract clauses, it said.
The report said that planned revisions to the EU's data protection law framework should include rules governing "law enforcement cooperation with the private sector". It also recommended that the European Parliament press for the new framework to require businesses to give "prominent warnings to individual data subjects" to let them know that EU cloud data could be "exported to US jurisdiction".
"No data subject should be left unaware if sensitive data about them is exposed to a third country's surveillance apparatus," it said.
The report raised the prospect of organisations being caught between adhering to legal requirements set out under FISA or conforming to EU "soft-law".
"The [EU privacy watchdog the Article 29 Working Party] has ... proposed that 'binding corporate rules' can be adapted to provide adequate safeguards for EU data exported into the Cloud," the report said. "However, they foresee and permit secret disclosure of data to 'third countries'. They say: 'In any case, the request for disclosure should be put on hold and the DPA competent for the controller and the lead DPA for the BCR should be clearly informed about it.
"The question arises, if the CEO and corporate counsel of a major US Cloud company are faced with a choice between obeying the soft-law exhortations of [the Article 29 Working Party] which will result in contempt of the FISA Court for breach of secrecy, or not doing what they 'should' (and side-stepping huge risks of reputation damage to their business), which law is more likely to be obeyed?" it said.
Last year the Article 29 Working Party, in an opinion on the issue of cloud computing and data protection, said that EU businesses wishing to use cloud services to store and process personal data must use cloud providers that can "guarantee" compliance with EU data protection laws. It also said that those firms cannot rely on cloud providers' "self-certification" that they comply with Safe Harbor standards when reviewing their compliance with EU data protection laws.
The report cited the Working Party's opinion and said that cloud providers that operate as either a 'platform-as-a-service' (PaaS) or 'software-as-a-service' (SaaS) are unable to "fulfil any of the privacy principles on which Safe Harbour is founded" because they are "intrinsically" data processors.
It said that data processors that obtain BCRs face similar constraints over the privacy protections they can say they offer when processing personal data in a cloud computing context. The ability to use auditing schemes to review cloud providers' data protection standards cannot overcome those constraints, it said.
"For the same reasons that Safe-Harbour-for-processors is a problematic concept (because an IaaS/PaaS Cloud cannot by definition fulfil any of the SHA Principles) BCRs-for-processors role should also be questioned," it said. "All they can do is pledge to maintain the Cloud datacentres. They can say nothing about the meaning of the data, or the substantive functions at the software level of personal data processing."
"Both the [Article 29 Working Party] and the Commission place great faith in 'audit' procedures to ensure Cloud services are compliant, but no commercial audit methodology can seek to uncover secret surveillance which is 'lawful' under the national security rubric of a third country (especially if that audit is conducted by a company from that country). There is no way that an EU DPA can know whether this is happening or not, if the Cloud software fabric is designed and controlled from outside EU jurisdiction."
The European Commission last year outlined plans to draw up new model contract terms that businesses could use in forming contracts and service level agreements with cloud computing providers.