
Providers' Safe Harbor 'self-certification' not enough to guarantee use of cloud service is data protection-compliant, says privacy watchdog

Out-Law News | 05 Jul 2012 | 10:02 am

EU businesses need to see evidence that cloud providers comply with Safe Harbor standards if personal data they are responsible for is to be transferred and processed in the US, a privacy watchdog has said.

Companies cannot rely on cloud providers' "self-certification" that they comply with Safe Harbor standards, the Article 29 Working Party said.

"In the view of the Working Party, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment," the Working Party said.

"The Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. On the contrary, the company exporting data should obtain evidence that the Safe Harbor self-certification exists and request evidence demonstrating that their principles are complied with," it said.

The US-EU Safe Harbor scheme is an arrangement between the European Commission and the US Department of Commerce that allows personal data to be transferred from Europe to the US where the recipient's data protections meet EU standards. US organisations that self-certify to the scheme's requirements are deemed to provide the adequate level of protection required by the Data Protection Directive. EU companies are not allowed to transfer personal data to countries outside the European Economic Area (EEA) unless there is adequate protection for that data.

The Working Party, which is a committee made up of representatives from the data protection authorities of the 27 EU member states, said that businesses wishing to use cloud services to store and process personal data must use cloud providers that can "guarantee" compliance with EU data protection laws. In a new opinion on cloud computing it set out a wide range of recommendations on how 'data controllers' can meet their obligations under those laws.

The watchdog acknowledged that, because of the nature of cloud services, businesses using cloud providers cannot always know where their data is physically located.

"Cloud computing is most frequently based on a complete lack of any stable location of data within the cloud provider's network," it said. "Data can be in one data centre at 2pm and on the other side of the world at 4pm. The cloud client is therefore rarely in a position to be able to know in real time where the data are located or stored or transferred."

For this reason the Working Party said that "the traditional legal instruments" that enable the legitimate transfer of personal data to "third countries" outside of the EEA "have limitations".

EU organisations seeking to use cloud services should "verify whether the cloud provider can guarantee the lawfulness of any cross-border international data transfers." The watchdog said that data controllers must also "verify if the standard contracts composed by cloud providers are compliant with national requirements regarding contractual data processing."

Cloud providers do not normally provide information that will allow cloud clients to assess whether they comply with specific national requirements over contractual data processing, the Working Party said. Even if cloud providers claim compliance with Safe Harbor rules as a "substitute" for the lack of those guarantees, "the exporter" should still use "other legal instruments available", such as standard contractual clauses or binding corporate rules, to ensure compliance with data transfer rules, it said.

EU data protection laws prevent companies from sending personal data outside of the EEA except where adequate protections have been put in place or where the European Commission has pre-approved the destination country as providing adequate data protection. A company wanting to send personal data to any other non-EEA country must ensure that data protection safeguards are in place. This is the case even when the transfer takes place between one company within a group and another.

Model contract clauses have been approved by the European Commission as one mechanism companies can use to legitimately transfer personal data they collect to other companies based outside of the EEA. The clauses insert standard provisions into a contract that enable the flow of data between EU-based businesses and those located in non-EEA countries, including where personal data processing is outsourced to firms based in non-EEA countries.

The Article 29 Working Party said those clauses can be used by businesses to govern the personal data transfers outside the EEA that happen in the cloud. It said the clauses can be adapted to reflect the "pragmatic experiences" of those using cloud services, providing that the provisions are not contradictory to the Commission-approved terms and do not "prejudice" the rights of individuals.

Another mechanism that allows businesses to meet the 'adequacy' requirements for international personal data transfers is to commit to binding corporate rules (BCRs).

BCRs are legally binding commitments that a corporate group draws up to govern the transfer and processing of personal data outside of the EEA to a country that has not been pre-approved by the European Commission.

Currently BCRs are assessed on an individual basis by regulators in member states.

The Article 29 Working Party said that it is "working on BCRs for processors which will allow the transfer within the group for the benefit of the controllers without requiring the signature of contracts between processor and sub-processors per client."

The Working Party said that the applicable national data protection laws governing cloud computing activities differ depending on where data controllers are based and the nature of their processing activities.

If data controllers using cloud services are based in a single EU member state, the data protection law in that country would apply regardless of where that processing takes place. In circumstances where the data controller is based in a number of different EU countries, "the applicable law shall be that of each of the Member States in which this processing occurs."

The Working Party added that if the data controller is based outside of the EEA but uses a cloud provider that operates within the EEA, the law of the member state in which the cloud provider is based will govern the processing activities.