US cloud providers' Safe Harbor guarantees do provide adequate data protection to EU businesses, US Government says

Out-Law News | 22 Apr 2013 | 1:50 pm | 3 min. read

Data protection authorities in the EU cannot deem US firms' self-certified compliance with the EU-US' Safe Harbor data protection framework as not offering adequate data protection in a cloud context, a US Government body has said.

The US Department of Commerce's International Trade Administration (ITA) said that US firms' compliance with the Safe Harbor principles was sufficient to guarantee adequate data protection (8-page / 174KB PDF) whether the outsourcing arrangement involves the use of cloud computing technology or not.

Last year an EU privacy body said that EU businesses need to see evidence that cloud providers comply with Safe Harbor standards if personal data they are responsible for is to be transferred and processed in the US. The Article 29 Working Party, which is a committee made up of representatives from the 27 data protection authorities in EU member states, said that the companies cannot rely on cloud providers' "self-certification" that they comply with Safe Harbor standards.

However, the ITA has now published a document in which it said that the Safe Harbor framework is "binding" on all countries within the European Economic Area (EEA) and that therefore EU data protection authorities cannot "unilaterally refuse to recognise Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection". The EEA is a trading bloc that comprises the EU, Iceland, Norway and Liechtenstein.

"A data controller subject to the Directive or Member State laws implementing the Directive must comply with the data protection requirements set forth therein; however, it is an eligible US organisation's voluntary, but fully enforceable commitment to adhere to the Safe Harbor Privacy Principles (i.e., supported by independent dispute resolution and subject to enforcement by the Federal Trade Commission) that provides the guarantee of 'adequate' protection under Safe Harbor," the ITA said.

"Additional requirements cannot be imposed exclusively on US service providers processing personal data transferred from the EU simply because they satisfy the 'adequacy' requirement through Safe Harbor certification (i.e., the same basic rules apply to all cloud service providers whether they be located in the EU or an 'adequate' country, or Safe Harbor-compliant)," it said.

The ITA said it was legitimate to allow data controllers and data processors to set out how adequate security of personal data will be provided under the terms of their contract. It said that the Safe Harbor framework requires signatories to address security issues in a manner that "echoes" EU data protection rules.

Current EU data protection laws prevent companies from sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection.

The European Commission and the US Department of Commerce have an agreed framework in place that allows for the transfer of personal data from Europe to the US where data protections meet EU standards. US organisations that conform to requirements of the Safe Harbor scheme are deemed as having met European safety standards outlined in the Data Protection Directive.

Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind, said that the ITA had not recognised some regulatory burdens facing some clients of US cloud providers.

"The ITA is correct in pointing out that additional requirements cannot be imposed on US service providers in order to confirm that they satisfy the adequacy requirement if they hold a Safe Harbour certification," Scanlon said. "But this does not mean that additional obligations are not to be imposed on US cloud providers in respect of some categories of EU cloud customers."

"While a US cloud provider may have satisfied the requirements of EU data protection laws as to providing 'adequate protection', this does not affect obligations imposed on financial services firms under separate EU financial services laws such as MiFID. So long as regulators continue to take the view that EU financial services laws require outsourcing service providers to guarantee physical access to premises upon which data is processed, for potential cloud customers to whom these laws apply, a safe harbor certification may need to be backed up by further guarantees, which may mean that in some circumstances the identities of the location of sub-processors would need to be revealed."