Gmail concerns highlight privacy disclosure challenges facing EU businesses using cloud services, says expert

Out-Law News | 16 Aug 2013 | 4:16 pm

Comments advanced by Google in response to criticisms of its Gmail service relating to individuals' privacy highlight an important factor EU businesses need to consider before entering into contracts with cloud providers, an expert has said.

Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that EU businesses need to be aware of their requirements under the EU's Data Protection Directive in relation to disclosures to data subjects in the event that cloud providers process personal data contained within communications for the purpose of serving targeted adverts to individuals.

In a case currently before a US district court in California, Google is trying to defend itself against claims made by a consumer group on behalf of 'Gmail' users that the company has acted in breach of US laws by scanning the contents of 'Gmail' emails in order to personalise the kinds of adverts they serve to users.

In a legal submission made to the court Google has argued (39-PAGE / 191KB PDF) that individuals have "no legitimate expectation of privacy in information" that they voluntarily give over to third parties. The argument is based on a finding made by the US Supreme Court in 1979.

Google said that there is legal precedent under US law to determine that "the automated processing of email is so widely understood and accepted that the act of sending an email constitutes implied consent to automated processing as a matter of law".

Google has also cited a case ruled on in the US last year as an example of why the present case against it should be thrown out.

The Court of Appeals in that case ruled that an internet service provider (ISP) did not infringe US law by accessing users' browsing history for the purpose of serving them with targeted advertising. This is because the accessing of the information by the ISP took place "in the ordinary course of its core business as an ISP transmitting data over its equipment", the Court of Appeals ruled, according to the argument progressed by Google.

Although there are differences between EU and US law, a part of the EU's Data Protection Directive permits organisations to process personal data without individuals' consent in some circumstances, which is broadly similar to the 'in the ordinary course of its core business' argument advanced by Google under US law.

The most common lawful basis organisations rely on to process personal data without consent is where they claim to have a 'legitimate interest' in processing the information. Businesses can rely on this provision providing their processing does not unduly prejudice the rights and freedoms of individuals.

However, Scanlon said that additional disclosure requirements that businesses face in relation to personal data collection and use present EU businesses with additional compliance challenges when outsourcing data processing activities where service providers themselves exploit the contents of communications.

Under the Data Protection Directive, EU businesses must provide certain information to data subjects where they collect and use personal data, whether obtained directly from those individuals or from other sources. The information businesses must disclose when third parties are involved includes the purpose for which individuals' personal data is to be processed and who the data controller of this information is. The information must be disclosed to data subjects "at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed", according to the Directive.

"EU businesses face a challenge in adhering to the disclosure rules where they contract with cloud providers that access personal data contained in communications in the course of their business activities and make use of that information, legitimately, for their own purposes, such as to serve targeted advertising," Scanlon said.

"For example, the classic case is the cloud email provider which processes emails from accounts which they do not administer and then uses content in those emails to target advertising to their own customers. To put it in practical terms, this could be where I send you an email asking if you are interested in attending an event tonight and you then receive advertising about similar events," he said.

"It may be legitimate for the service provider to target you with that advertising but it needs to inform both of us that it is using my communication for that purpose. In the case where the service provider is providing services on behalf of an EU business, that obligation to inform may fall on the EU business," Scanlon said.

"Where an EU business is relying on a cloud provider and the cloud provider is targeting advertising in this manner, the EU business needs to ensure that the protections against data protection non-compliance they have in place are broad enough to cover these specific circumstances," Scanlon added.