1.
Introduction ^
Data protection and its regulation is a relatively new concept in legal history. Nevertheless, it has experienced a tremendous growth in importance due to the associated risks caused by rapid IT developments. Furthermore, globalization is increasing the necessity for a stable and transparent international data protection framework, facilitating data flow without impediments. Currently, data protection is mostly realized by way of national laws and thus local laws affecting the trans-border flow of data merit closer attention. Differences in the approaches taken are rooted in the cultural, historical and legal background of the individual countries. Especially common law countries formerly only had limited laws on privacy, of which data protection forms an integral part. However, a considerable amount of countries follow basic principles of data protection derived from international sources, such as the 1980 OECD Guidelines.1
This article addresses data protection issues specifically related to trans-border data flow in a cloud environment, disregarding the factors it has in common with outsourcing or related technologies. Thus a reference made to a cloud provider envisages a public cloud provider as the services of a private cloud are closer to an outsourced data centre; therefore, they are not subject to most of the problems encountered in the context of a public cloud. Also the issues as to the applicable law in an international data transfer are not being addressed hereinafter.2
1.1.
Definition of cloud computing ^
At present there is no generally accepted definition of what the essential elements of cloud computing are.3 Commonly it is described in its most basic form as the supply of computing capabilities through a communication link.4 These computing capabilities can be storage space or simply an amount of calculating capacity. There are potentially also many other factors to cloud computing such as a payment on a usage basis or the lack of specific software installed on the customer’s computer. Inherently the ongoing development of cloud computing technologies makes a universal definition hard to achieve. The following three factors have been used by the (London) Cloud Legal Project team5:
- «Cloud computing provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in relation to demand.
- Services (especially infrastructure) are abstracted and typically virtualized, generally being allocated from a pool shared as a fungible resource with other customers.
- Charging, where present, is commonly on an access basis, often in proportion to the resources used.»6
Furthermore, the exact amount of the resource requested is not predetermined but simply scalable on request through a mouse click. Because of the strict EU data protection laws some providers offer a «European» cloud which guarantees that the capacity will only be rendered from an EU server location. Thus no data protection laws relevant to trans-border transfers must be observed as the EU is seen as one single geographic area for data protection purposes.7 However, as the laws within the EU differ substantially, further national laws might have to be observed with regard to data processing.
1.2.
Infrastructure as a service (IaaS) ^
This type of service encompasses the provision of infrastructure (mostly in form of hardware capacity) to the customer by the cloud service provider (i.e. Amazon EC2). Such a service is used by companies, which require additional capacities during peak periods or simply do not want to invest into expensive IT infrastructure. An IaaS provider is responsible for delivering the required capacities remotely through its scalable systems. The storage place is mostly determined by the provider, which will usually store copies of the data in different locations based on availability and costs. As the infrastructure is used by multiple parties, secure segmentation between the parties is essential in ensuring data protection.8
1.3.
Platform as a service (PaaS) ^
PaaS is an alternative for setting up a cloud computing business without the high initial start-up costs of developing a software platform or acquiring infrastructure. It combines both IaaS and a software solution allowing the customers to develop their own environment within a framework and platform supplied by the PaaS provider.9 The data is either stored on the cloud provider's systems or locally on the customer's.
1.4.
Software as a service (SaaS) ^
SaaS is a form of cloud computing in which the user can access a software that is running on a server remotely anywhere in the world (i.e. Google Docs). This service generally does not require the user to install any additional software beside his internet browser. The data is commonly stored on the cloud provider´s servers. In order to ensure data protection and access safety, the provider needs to implement sophisticated authentication methods.10 However, on the downside there is a considerable risk of vendor lock-in as moving the data to another provider will be costly and difficult due to varying platforms (data formats).
2.
Regulatory challenges, approaches and available legal frameworks ^
As trans-border data flow is nowadays being carried out on a continuous basis within a cloud environment, legal frameworks are required to cater for their specific needs, in particular avoiding conflicts of national laws in international transfers. Among other things, the nature of data movement has changed from a point to point transfer to a more «multi-directional fashion throughout the globe».11 Increasingly, such data transmissions through multiple computers lead to problems in ascertaining the specific location of data and the type of processing being carried out.
This assessment is mainly due to an inherent feature of cloud computing, the fragmentation of data, which allows processing to take place on multiple servers in varying locations. Such a shifting of data around the globe allows the processing to be rendered where capacity is most cheaply available. A user is no longer required to own hardware or software as he can access these systems directly via the internet through a simple displaying device. Furthermore, it allows multiple parties from varying locations to access, process, store and alter data at any given time.12 The ease of access to new cloud technologies such as DropBox or GoogleDocs has significantly contributed to the growth seen in its use by private individuals. As these users predominately neither know how cloud computing works nor understand the associated privacy risks, legislative intervention is necessary to offer a minimum degree of protection.
2.1.
International flow of data ^
An important pressure to harmonize data protection standards is generated by international trade law. Different levels of protection jeopardize the cross-border rendering of services, particularly IT and electronic services.13 As the tertiary sector has succeeded industry production in many developed countries, impediments on trans-border data transfers can have a significant impact on an economy, especially if companies decide to set up their data centers in other locations because of ambiguous data protection laws. Differing approaches, frameworks and formalities in complying with data protection laws should therefore be kept to a minimum.
In practice, supervision is an issue as many data protection agencies are underfunded and understaffed, resulting in an inability to carry out their tasks to the level expected. Therefore, the new EU Data Protection Regulation aims at limiting non-compliance by companies through increased fines for data protection breaches.14 Such laws would counteract the lack of enforcement currently given. However, compliance procedures do not address the problems associated with foreign legislation such as the Patriot Act15, infringing on data protection by essentially overriding any contractual data protection arrangement.
2.2.
Legal frameworks ^
In most international legal instruments, the regulations governing the trans-border data flow do not belong to the basic principles of data protection (such as the purpose specification, the proportionality or the data quality), but build a special section apart from the privacy core rules. This assessment is not only true for the relevant legal instruments (in particular the EU Directive), but also for the Madrid Resolution of 2009 being considered as «non-binding general Magna Charta»16 of data protection. Furthermore, the European Court of Justice in its ground-breaking Bodil Lindqvist case has expressed the opinion that international data transfers would be a «regime of special application», contrasting it with the «general regime» under Chapter II of the EU Directive 95/46.17
United Nations
In 1990 the United Nations General Assembly adopted Guidelines for the Regulation of Computerized Personal Data Files. These non-binding Guidelines documents were seen as a moral commitment for carrying out activities related to trans-border data transfers. They require some reciprocal safeguards but any limitation most go only so far to what is necessary to ensure a predetermined level of data protection.18
OECD
One of the first proposals addressing major data protection issues were the OECD Guidelines governing the protection of privacy and trans-border flows. In 1980 a council of experts debated and drafted new ideas in regard to data protection. They agreed that free cross-border flow of data is a central aspect in an increasingly globalized world. Nevertheless in order to ensure protection of individuals the Guidelines prohibit data transfers to a country which does not observe the Guidelines or fails to provide protection comparable to the country from which it is sent.19
Council of Europe
In 1981 the Council of Europe, acting in its capacity as regional organization with 47 member countries, released a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108). It encompasses the principle that member states should not prohibit or subject to special authorization the trans-border flow of personal data.20 Derogations from this principle are possible, in so far as the legislation of a member state «includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection».21
The Council of Europe adopted an Additional Protocol to the Convention in 2001 expressly allowing the transfer of personal data to a non-party if an adequate level of data protection applies.22 However, the need for specific derogations was acknowledged thus allowing for exceptions in the cases of, for example, legitimate prevailing interests, especially important public interests and safeguards based on binding contractual or corporate rules (BCR).
European Union (EU)
During the development of the internet in the 1990s the most important legal instrument regulating trans-border data flow in the EU, the Data Protection Directive 95/46 (DPD), was enacted. The EU Directive is legally binding in the 27 EU member states and the 3 EEA member countries. It sets strict requirements for a trans-border data transfer such as the requirement of a recipient country to provide an adequate level of protection as determined by the European Commission or other conditions in order to fulfill the required data protection standards (binding corporate rules, contractual agreements).23 A determination of «adequacy» is made based on the assessment of the Article 29 Working Party, resulting in a list of countries being approved as fulfilling an adequate level of data protection. If a country is not on the list the data protection requirements can be met by way of EU-approved standard contractual clauses or through the Safe Harbor framework.
APEC
The Asia-Pacific Economic Cooperation (APEC) with its 21 member states agreed on an APEC Privacy Framework in 2004, being composed of a set of voluntary privacy principles. Under its framework the original holder of the data is accountable for compliance with the data protection directive. It also allows for the implementation of Cross-border Privacy Rules (CBPR) that realize adequate data protection notwithstanding the location where processing takes place.24 As the APEC Privacy Framework is voluntary some APEC countries (for example Canada, Australia) have implemented the accountability approach in their own data protection legislation, others have their own approaches to privacy protection and tend to implement provisions similar to the EU Directive.
2.3.
Approaches to regulation ^
Some countries such as New Zealand25 advocate the free flow of data, only imposing restrictions where this is necessary to fulfill a legitimate legislative objective. Others such as the EU generally prohibit the flow of personal data out of the EU, unless an exception can be invoked. From a formal perspective, two different approaches can be realized, namely a private ordering or a public lawmaking.
2.3.1.
Self-regulatory approaches ^
The Voluntary Model Data Protection Code for the Private Sector of the Infocomm Development Authority of Singapore and the National Trust Council of Singapore includes obligations of the data exporter such as the request to ensure that the data will not be processed inconsistently with the Code.26 The private rules are not easily enforceable, but flexible in adjusting to current needs.
2.3.2.
Legislative regulatory approaches ^
Geographical approach
The geographical approach to regulating trans-border data flow is being applied by the EU Member States, Switzerland, Argentina, Morocco and Russia.27 Its focus is on a transfer of personal data outside a territorial scope and the associated loss of control. In order to ensure compliance with the data protection laws the receiving country will have to meet at least the same standard of protection as the country from which the data originates.
Organizational approach
The organizational approach in comparison is a much more practical one. It places the burden on the original data exporter to ensure that wherever the data might be sent to, it is kept safe according to the standards of the country which it originates from. The EU legal framework also recognizes particular instruments that legitimize trans-border data flows within organizations, such as binding corporate rules and standard contractual clauses.28 Other concepts such as the notion of «accountability» can be found in both systems and will most likely grow closer to each other over time.29
3.
Trans-border data flow in the cloud – challenges under the DPD ^
3.1.
Issues arising in cloud computing ^
General definition of a controller and processor
Identifying a cloud provider as controller or processor
3.2.
Trans-border data flow under an adequacy decision ^
The EU Commission can declare a country to fulfil an adequate level of data protection, which allows personal data to be transferred to these countries without further assessment. Such a finding of adequacy can also only apply to specific sectors within a third country. For instance Canada is considered an adequate country in regard to the Personal Information Protection and Electronic Documents Act which covers certain recipients and transfers.30 Also Switzerland is considered to fulfil an adequate data protection standard for all personal data transfers covered by the DPD.31
A factor taken into account in ascertaining such adequacy is the ratification of standards such as the Convention 108 on the Processing of Personal Data.32 Generally it can be said that the EU Commission will not find a country’s data protection standard to be adequate, if it does not fulfil the main principles of the DPD. Interestingly this seems to lead to an export of the EU data protection laws as third countries will have to comply with its rules in order to freely move personal data out of the EU. However, the main provider of cloud computing services (the US) does not currently qualify as offering an adequate standard due to its very liberal and diverse state data protection laws.
3.3.1.
First Step: Legal grounds for processing personal data under local law ^
The transfer approval under national law will essentially depend on how a member state has implemented Article 7 DPD33 into its national law. For example the Spanish Data Protection Act requires consent of the data subject.34 In comparison, the Austrian data protection law requires notification to the Data Protection Authority (DPA) as well as processing in good faith within the boundaries prescribed by the Datenschutzgesetz.35 Additionally every EU member state is able to impose further specific requirements that must be met before personal data can legally be transferred abroad.36 These requirements might not only be based on the DPD but also on other laws such as employment law.
3.3.2.
Second Step: Legal grounds for transfer of personal data abroad ^
Transfer to a third country under the appropriate safeguard framework
In cases where no other exception is present a transfer to a third country is allowed under Article 26(2)37 if «the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights». Such safeguards take the form of contractual clauses38 for which the Commission approves standard clauses.39 Other options such as an «Auslobung» under Austrian law would also be a viable possibility as it ensures that the data subject can enforce the promises made through court action.40
A data exporter can choose to either use these approved standard clauses or an ad hoc solution, which will require prior approval by the DPA of the member state from which the data is to be transferred.41 Under the ad-hoc authorisation the exporting party has to apply to the national DPA for approval of the contractual framework it has implemented for the export of personal data. The DPA closely looks at the obligations imposed on the importer and the exporter in ascertaining whether the requirements of the DPD are met. Some EU member states such as Spain have published rules as to the drafting of data transfer contracts.42 However, it is left to the states to decide if they require prior approval of the contract, simply want to be notified or require no action at all.
These conflicting approaches led companies to choose a member state in which the requirements are easiest to fulfil. In these countries, where there is no prior approval of the clause or the measures taken, the complete legal burden of ensuring compliance is shifted to the company.43 Such a solution is not ideal for cloud providers as they are unable to gauge the protective steps required of them due to the complexity of their operations.
Transfer to a third country under a standard contractual clause
The Commission has set up a framework of standard contract clauses which parties wanting to export personal data outside the EU can use. These clauses form part of a comprehensive compliance strategy under which they must implement the contracted legal obligations. Additionally, the parties can also utilise the clauses to further supplement their internal BCR.44
Controller to controller standard clauses in transfers to third countries
Under the current DPD framework there are two sets of approved standard clauses which were presented in 2001 and 2004. The newer clause modified the liability for damages the respective parties caused, deleting the previous joint and severable liability whilst imposing an additional due diligence requirement.45 Also requests for access can now be denied if they are obviously abusive. Importantly consumer organisations are no longer allowed to bring suit on behalf of the data subject. However, the data subject can still file a claim against the exporter and even the importer, if the exporter fails to take action to enforce the contractual obligations within a reasonable time.46 This is an important part of granting data subjects enforceable third party rights.
Another aspect is the lack of limited liability in these clauses, which will give the cloud customer in some cases a right to recover higher damages from the cloud provider than under a normal commercial contract.47 It remains to be seen how a DPA would react to a limitation of liability between the provider and the customer as this will alter the contractual clause in a significant way thus reducing its benefits. The exporter and importer can now agree that the importer will respond to all DPA requests. This is a sensible decision as the importer will be able to provide exact and timely answers to any enquiry as to how the data is processed and maintained. The importer will no longer have to fully guarantee that no national law conflicts with the obligations under the contract as such a guarantee is now limited to the knowledge of the importer at the time it entered into the contract. In addition, the ambiguity in regard to the requirement of the importer to follow the DPA’s instructions was resolved by only imposing such a requirement in cases in which the DPA or the competent court’s decision has become final.
Member states implementation of contractual clauses
The European Commission has pointed out that the member states can implement their own licensing system for standard contractual clauses in order to ensure compliance with the DPD but «are obliged to recognise the standard contractual clauses as fulfilling the requirements set down by the Directive for the export of data and consequently may not refuse the transfer».48 This view is further supported by the wording of Article 26(4) DPD. Such a licencing system depending on member state law can require the parties to file copies of the clause with the DPA or require prior notarised signatures by the parties. Additionally data covered by specific laws (i.e. employment law) might also require the express approval of the data subject.49
3.3.3.
The UK approach in particular ^
The UK’s contractual approach is more lenient than the one taken in other EU member states. This difference in the implementation of the DPD enables exporters to execute their transfers without further external examination as only a self-assessment and notification to the Data Protection Commissioner is required. The exporter can elect not to use the EU Commission’s contractual clauses but self-assess the adequacy of the data protection in the importing country and to take appropriate measures. In doing so it should take into account the type of data, duration of processing, purpose of processing and the legal framework in the importing country.50
The risk hereby lays in the legal uncertainty that the so assessed transfer might later be found not to meet the adequacy requirement. It has also been suggested that this UK approach of self-assessment violates EU law.51 However, such an approach according to a UK Information Commissioner’s Office (ICO) guidance note seems to assume the export to a processor not to a controller leaving the question open in situations where an export is carried out to a controller.52 In limiting the application to an export to processors the UK ICO retains control over the controller which is ultimately responsible for ensuring the data protection.53
3.4.
Safe Harbor Agreement and data transfers to the USA ^
As the United States of America have adopted a liberal regulatory approach to data protection they do not fulfil the requirements as to the adequacy standard under the DPD. In order to address this issue in cases in which personal data is transferred from the EU to the US, the European Commission and the US Department of Commerce (DOC) negotiated the Safe Harbor Agreement.54 In essence it provides a substitute private framework, which fulfils the minimum standards of adequacy under the DPD.55 It requires the US based companies to publish their privacy policy which must be compliant with the Safe Harbor principles.56 These principles require (i) notice if data is collected, (ii) individuals´ choice to opt-out of the collection of data, (iii) no transfer of collected data without express consent, (iv) security of the collected data, (v) integrity of the data, (vi) right to access the data by the individual, (vii) enforcement of these rules.
Institutional setting
In order to be allowed to use this framework, however, the US company must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation. Interestingly the compliance can be monitored through a self´ or third party assessment for which the DOC maintains a register of complying institutions.57 Because of the option of a US cloud provider to decide to have only a certain type of data approved under the Safe Harbor Agreement, a European cloud user should always check with the DOC that the intended data to be transferred is covered by the framework.
Due to the different implementation of the DPD by the EU member states there are some inconsistencies in the way the Safe Harbor Agreement is interpreted by the national DPA. However, unless the US company has committed itself to cooperating with the EU member state’s DPA, the US law will apply in the interpretation of the applicable Safe Harbor Agreement.58 Such agreements are not limited to data controllers but can also be taken up by data processors.
Enforcement
Once a party participates in the Safe Harbor regime it has to decide, which enforcement and dispute resolution mechanism it wants to subject itself to. This can either be a private self-regulatory mechanism as stated above or a government mechanism. Depending on the type of data (i.e. employment data) this decision might be predetermined because of the requirement to cooperate with the European DPA. When a company elects to join a self-regulatory mechanism it must ensure that the elected mechanism meets the Safe Harbour requirements. As soon as these decisions have been made the company must send a written certification to the Department of Commerce stating its compliance with the Safe Harbor principles. It also has to publish a complying privacy policy, in which it expresses that it adheres to the Safe Harbor standards. The membership to the Safe Harbor framework must be affirmed on an annual basis. A member can decide to opt out giving notice to the DOC. Any data transferred up to this point remains subject to the Safe Harbor principles.59
In case of a breach the FTC can file a deceptive trade practices charge and the data subject or the cloud customer could claim damages.60 The coverage of employment data under the Safe Harbor framework remains controversial as the FTC is only responsible for deceptive trade practices, which on the face does not cover the relationship between the company and its employees in regard to their privacy e.g. human resource data. However, it seems that it has developed into an accepted practice to allow such a transfer under the Safe Harbor framework.
3.5.
Binding corporate rules (BCR) ^
As opposed to the Safe Harbor Agreement, which is limited to US-EU transfers and only applies to certain transfers or categories thereof, BCR are applicable within the institution or corporate structure and ensure the enforcement of the DPD in transfers to any party governed by them.61 They can also indicate compliance with the Safe Harbor principles, but are not determinative. Importantly they must grant enforceable rights to the data subject and are legally binding on the entire corporate structure.
3.5.1.
Practical importance ^
For multinational companies using and offering cloud services BCR seem to be the only solution. Separate individual contracts imposing data protection requirements are simply too complex to implement and administer in an international cloud environment. Therefore, the BCR are seen as a feasible framework to facilitate international data transfer of personal data within corporate groups in countries, which do not meet the EU standards.62 These BCR form a minimum standard within a corporate group leaving it open to a national regulator to impose further requirements. Once such a framework is approved by the national DPA and implemented by the respective companies it provides a significant compliance cost advantage.
The approval of BCR by the European Commission is not required as the Commission´s power only applies to standard contractual clauses. Each member state has its own set of approval requirements, which can vary in some detail.63 The Article 29 Working Party has issued information as to the substantive requirements for approval.64 However, this guidance is only an indication as to the main requirements.
3.5.2.
Approval procedure for BCR ^
There are two main streams of approval of BCRs. Firstly some member states have not made approval by the local or national DPA mandatory as Article 2565 does not require this. In doing so, they have shifted the burden in ensuring compliance on the companies. Secondly some interpret BCR to fall under contractual clauses and thus do require approval under Article 26(2).66 Because of these different approaches the Article 29 Working party developed a «co-operation procedure»67 to facilitate the approval process for companies wanting to implement BCRs.
3.5.3.
Coordination procedure for implementing BCR ^
As a first step the group of companies (i.e. Google and its subsidiaries) must determine which corporate entity is making the application on their behalf to the responsible DPA. This is usually done by the EU headquarters which must create a position (i.e. Data Protection Officer) responsible for the task of overseeing the BCR implementation. Furthermore, there needs to be an «ownership relation» between the companies in the group, sharing a common system of governance essentially amounting to «a group of companies bound by rules».68 These factors ensure enforceability and compliance. The company will usually apply to a so called «lead DPA», which is then responsible for coordination with the other member state DPA. However, there is no fixed rule which «lead DPA» to choose. The decision can be based on different factors such as the location of the headquarters, data centres or previous dealings.
Despite some published guidance no approved standard application form exists. According to the Article 29 Working Party the applications should contain the contact details of the applicant, choice of lead, proof of fulfilled Working Party Paper 74 requirements and documents constituting the BCR. These documents should explain means and purpose of the processing activity, responsibilities and the data flow to third countries.69 Once the lead DPA accepts the final draft it sends it to all the national DPA for approval. Assuming they consider the BCR to offer «adequate safeguards» and there are no objections the final draft can be translated into the national languages and approval can be sought from each member state’s DPA. However, the member states requirements for BCR can still vary.70
3.5.4.
Legal challenges when applying BCR ^
Internal Effect
Enforceability of the BCR is essential for approval. On the face of it this seems to be very clear, however, there are a couple of different ways in achieving this aim. One option is to use corporate rules, which are binding on all of the groups’ entities. Secondly the head company could contract to accept all responsibility for the worldwide group (unilateral commitment). Thirdly the head company could require the incorporation of regulatory measures, which are binding on all group members.71 The problems arising in the use of unilateral commitments are their differing recognition in the member states. Some recognise them through their data protection legislation explicitly72, others only implicitly or under conditions (e.g. contractual commitment having recourse to other companies). As the BCR have to be binding on the employees within the group certain obligations must also to be reflected in their respective employment contracts.
External Effect
3.5.5.
BCR and cloud computing ^
Technical and procedural steps for cloud providers
A prudent approach by a corporate group envisaging to use BCR is to ensure that appropriate technical measures are implemented. These should include:
«1. An adequate information management system to control access to data; this includes the use of audit trails, which allow logs to be kept (and would help at a later stage in investigations);
2. Use of privacy enhancing technology and protection against breaches, for example through the use of patches, encryption etc.;
3. Obligation to segregate data stored;
4. Maintaining a person responsible for security.»73
Procedural measures should include:
«1. Obligations to audit the system (and keep audit-trails);
2. Cooperation between service providers and Data Protection Authorities (allowing audit of security measures/issuance of recommendations);
3. A security policy expressed in clear language. The terms of service proposed by the cloud computing providers tend to be problematic, with the exception of Intellectual Property rights that are usually well respected. In fact, on most occasions the user does not have any negotiation power and must accept the policies as they are.»74
«4. Notification of data disclosure and security breaches. The reviewed e-Privacy Directive 2009/136/EC calls for mandatory notification of security breaches, provided they are likely ‹to adversely affect their personal data privacy› (i.e. ID theft, reputational loss) and unless encryption measures were enabled.»75
Unknown server location
3.6.
Multiple party involvement ^
Solution 1: Web of contracts approach
Under this approach all parties have individual contracts between each other. The exporter will have a contract with each and every importer. This is a very complex solution but it will satisfy the DPA’s requirements. Additionally, the parties are required to have onward transfer agreements between themselves. However, the administrative resources employed seem to become substantial, if there are many parties involved. Such an approach is only advisable when the number of parties is limited.76 In a cloud computing context it is not a viable solution as too many parties are involved.
Solution 2: Master agreement approach
In a master agreement a single standard clause is used, which needs to be signed by all exporters and importers. The difficulty hereby lies in determining whether a party is a controller or processor. One solution is to identify the data flow and contract accordingly. It is advisable to include a default clause into the agreement in order to cater for situations where a party becomes a controller based on its conduct. 77
Solution 3: Power of attorney approach
This approach is mostly used in a corporate structure, where a controlling company signs on behalf of the subsidiary being vested with a power of attorney. Bestowing such a power of attorney can sometimes be a very complex matter because of company law requirements, the companies’ statute or the fact that the company might be located in a third country.78
3.7.1.
Problem of further protection ^
Once one of the methods under the DPD for trans-border data flow is chosen, the question arises as to what rules apply, when this data is transferred to another party after it has left the EU. It is prudent to ensure the further protection of personal data even once it has left the EU. The legal framework for the onward transfer depends on the legal basis allowing it to be transferred to a third country in the first place.79 Such an onward transfer is classed as «processing» of personal data.
A controller-to-controller onward transfer is in most instances governed by either the applicable Safe Harbor Agreement or the two sets of EU approved standard contractual clauses. There are no restrictions on onward transfers to a country, which ensures adequate protection.80 In 2010 the European Commission issued a new set of standard contractual clauses, which require the data importer (i.e. non-EU cloud provider) to ensure that any party, to which an onward transfer takes place, is contractually obliged to adhere to the EU data protection laws.
This new set of clauses addresses a previous lack of regulation and uncertainty surrounding processor-to-processor transfers. Under the new clauses the processor will be required to ensure the appropriate level of data protection as well as to insert the same clause into any further sub-processing contracts.81 In addition the data subject should be informed of a transfer.82 If adequate data protection is ensured through these measures then the consent of the data subject does not appear to be necessary.
3.7.2.
Available legal scenarios ^
Due to the complexity of cloud computing services various scenarios of trans-border data flow are imaginable. For example a SaaS cloud provider receives personal data under an approved contractual framework from its EU customer. However, the SaaS provider uses the service of an IaaS provider located in another third country (subcontracting). Would such an onward transfer be covered by the initial contractual clause? In a first step one has to look at the SaaS and IaaS provider in order to determine, whether they are controllers or processors.83 Then one of the following scenarios will apply.
Scenario 1: Third country controller to a third country controller
Scenario 2: Third country controller to a third country processor
There is no express provision, which allows a transfer from an importing controller to a processor. However, it seems that such a transfer is recognised by the second set of contractual clauses in decision 2004/915/EC84. It is essential that confidentiality and security is ensured and that the processing only takes place upon the express authority of the importing controller. The obligation of the importing controller to allow inspection of its processing facilities by the exporting controller must also be inserted into a subsequent contract with the processor. Additionally the importing controller has to give the exporting controller the assurance that at the time of entering into the contract there is no local law which could have a substantial effect on the performance of the contract. If such a situation arises, the importing controller must inform the customer immediately of the applicable law.85
Scenario 3: Third country processor to a third country controller
This scenario is legally not permissible as the processor does not have the authority to determine the means and purpose of processing, thus cannot allow a subsequent controller to do such.86 Any such transfer will be in violation of the EU data protection laws.
Scenario 4: Third country processor to a third country processor
Unless the processor is based in a country with adequate data protection or is governed by the Safe Harbor principles or BCR, the processor will have to implement the 2010 controller to processor clauses, which allow a further sub processing based on certain conditions. Such are the written consent of the data exporter87 as well as the handing over of a copy of the sub processing agreement.88 In case of commercial sensitive information the processor is allowed to issue only a document relevant to the data protection without the commercial information. Such a document must be given to the data subject upon request. The processor also has to give the controller through the 2010 clauses the assurance, that it has no reason to believe that a local law is preventing the performance of the obligations toward the controller. This provision will have to be inserted into any contract with a sub processor in order to maintain the rights of the controller and to fulfil the data protection requirements of the DPD.
3.7.3.
Effects on cloud computing ^
3.8.
Application of derogation ^
As expressed in an Article 29 Working Party Paper the exception mentioned in Article 26(1)89 is a «derogation from the principle of adequate protection laid down in Article 25»90 and should be construed narrowly. It allows a transfer to a third country to take place regardless of the data protection standards present in the importing country. The following exceptions are foreseen:
- 1. Consent: The data subject can give its consent to a transfer. This consent needs to be clear and unambiguous, given freely through an informed choice by the data subject.91 It must be received before the data is transferred.92 In relation to employment law consent cannot be legally obtained because of the dependency relationship between the employee and employer.93 Consent can be revoked at any time resulting in the controller and its processor being required to give back the data held. One should highlight that most IT users do not read privacy statements which they consent too. A uniform signalling system (i.e. special frame in a contract, pop up) would be a good solution requiring the exporter to specially highlight a third country transfer to the customer.
- 2. Transfer necessary for performance of the contract: The EU DPA have interpreted the term «necessary» narrowly. This means that as long as the object of the contract can be performed via different means it will not be considered necessary to transfer the personal data.94 The same approach has been applied in the UK to employee payment data.95 Also the proposal to transfer account data via the SWIFT system to a data centre in the US was based on an argument of contractual necessity. The German DPA, however, expressed its view, that such a transfer was not necessary as the data could also be processed in the EU, ultimately prohibiting the transfer under Article 26(1).96
- 3. Transfer due to legal necessity or on public interest grounds: The SWIFT case illustrated, that even if a foreign law requires disclosure the exporter must find a legal basis for the export under the EU DPD. Additionally, the public interest exception will only apply where the transfer is also in the interest of the EU such as in regard to tax or customs.97 As expressed by the UK Information Commissioner this is a very high standard to be met, which will only apply in exceptional circumstances.98
4.
Trans-border data flow under the new EU Data Protection Regulation (DPR) ^
The new DPR proposal was presented in January 2012 in order to address shortcomings in the 1995 Data Protection Directive. In some areas such as cooperation between national DPA the proposal clarified and improved the existing framework, however, other important issues such as the classification of a party as controller or processor have not been resolved. Furthermore, the proposal has also added some new interpretative challenges, by adding new terminology such as «in the context of an establishment».99
4.1.
Jurisdiction of the new Regulation ^
4.1.1.
Territorial scope ^
A processor or controller will be subject to the territorial scope of the Regulation, if it processes personal data in the context of an EU establishment.102 Therefore, a cloud provider being a processor of personal data will be subject to the Regulation at the place of its main establishment. It seems that in light of the current interpretation «in the context of» the Regulation would apply to a cloud provider’s worldwide processing operations once it has an establishment in the form of an administration in the EEA.103 This will deter non EU cloud providers to set up establishments in form of offices or other administrative entities in the EU.104
Additionally, a controller outside the EU which processes personal data related to the provision of goods or services in the EU or for the monitoring of its citizens will now also be subject to the DPR. Invariably a non EU cloud provider will be in some form targeting EU customers through the internet with its cloud services. It is therefore pivotal to determine if the provider is acting as a controller or mere processor. Generally a private individual will not have a say in how a service is rendered. For example Apple products require the use of a personal data transfer to be activated giving no choice as to submit personal information if one wants to use the device. Hence in such scenarios the cloud provider will be a controller. In comparison a processor outside the EU will only be governed by the Regulation, if a member state law applies by virtue of international public law.105
The situation of cloud providers undertaking less than processors has so far not been resolved. These providers will be classed as processors under the Regulation and subject to even more burden then they are under the DPD. This includes appointing a Data Protection Officer and conducting an Article 33106 impact assessment which requires at least an evaluation of the risk and the implemented technical security measures.107 Also Article 28108 prescribes extensive record keeping requirements. Imposing such obligations and their costs on a cloud provider in a very competitive IaaS market seems to go beyond what is necessary to meet the legitimate objective of protecting personal data. A new category of entities with even less obligations than processors should be introduced for cloud providers which only supply the infrastructure but do not have any involvement in what is happening on their servers.
4.1.2.
Extraterritorial application ^
The new approach in the data protection jurisdiction with its focus on «targeting» rather than on «means or equipment» seems to be a more practical solution. Nevertheless the concept of «offering» brings some ambiguity in regard to its extent and requires further clarification. Also the terminology such as «only occasionally», and «monitoring» need to be further defined in order to ensure certainty for cloud providers and customers.109
The cloud provider might not know that its service is used by customers from the EEA in cases, in which the service is worldwide accessible and not specifically targeted to a special geographic group. The question then is what comprises «offering goods or services» to EU residents. What knowledge is required? Importantly the Regulation speaks of offering not supplying. This might be seen as implicitly requiring a certain positive action by the provider to acquire customers from the EEA. Which party has the burden of proving the applicability of the Regulation? Must the cloud provider allegedly offering services to EU residents prove that it did not do so? Requiring a cloud provider to proof, that it did not target EU residents potentially seems to impose a presumption favouring the application of the Regulation, where no such a wording can be found therein.110
The issue as to the contradictory interpretation of «an establishment» under the DPD has also not been resolved by the Regulation. Again it would have been wise to specify this terminology so as to define it as «having an establishment in» a country to avoid the argument under the new Regulation, that a «controller is ‹established in› the EEA, but is not processing personal data ‹in the context› of the activities of any of its EEA establishments».111 Once a processor processes personal data in the context of its establishment in the EU its worldwide processing is subject to the Regulation.112 It is fully conceivable that the EU law makers want to extend the data protection laws internationally in cases, in which personal data of EU residents are processed or otherwise utilised.113
4.2.
Transfer of personal data outside EEA ^
4.2.1.
Transfer with an adequacy decision ^
The definition of what was considered an «adequate» privacy framework remained unclear under the old Data Protection Directive thus complicating a determinative and reliable assessment. Under the proposed Regulation the old Article 26 DPD has been expanded to include international organisations. Additionally the considerations for an adequacy determination have been clearly defined in Article 41 (2) thereby adding more certainty but also more restrictions to the process. The Commission is required to publish a list with adequate and also non-adequate countries and institutions.114
4.2.2.
Transfer under the appropriate safeguards provision ^
As long as no determination as to the adequacy has been made by the Commission the controller or processor can satisfy the data protection requirements as to data protection by adducing appropriate safeguards in a legally binding instrument.115 Such safeguards can take the form of BCR in accordance with the requirements in Article 43116, standard clauses adopted by the Commission or Supervisory Authority (declared valid by the Commission) or contractual clauses authorised by the Supervisory Authority (ad hoc). The BCR and standard clauses will not require any further authorisation.117 If the parties develop their own contractual safeguards they must seek prior authorisation according to Article 34(1)118 from the supervisory authority.119 As a last resort, if the appropriate safeguards cannot be provided for in a legally binding instrument, the processor or controller can seek approval by the supervisory authority before carrying out a transfer.120
4.2.3.
Binding corporate rules (BCR) ^
The supervisory authority approves binding corporate rules. These rules must include certain obligations, liabilities and rights as set out in Article 43 (2).121 They address the main issues highlighted by the Article 29 Working Party including the type of transfer, the use of personal data, and information where the data is to be processed. An EU party to a BCR will now be responsible for breaches caused by any other member of the group that occur outside the EU.122 Additionally, a data protection officer must be designated, who is responsible for monitoring compliance within the group of undertakings.123 The proposed requirements for BCR form the basis on which companies wanting to use the BCR framework can develop their own rules. It ensures a minimum standard and gives certainty as to what is required for approval.
4.2.4.
Alternatives to an adequacy decision or appropriate safeguards ^
The new Article 44124 mirrors the Article 26 DPD provision whilst further clarifying the alternative grounds for a transfer of personal data to third countries. As previously informed consent by the data subject it will waive the necessity of acquiring approval. Furthermore, the exception for the performance of a contract in the interest of the data subject is clarified as it now expressly extends not only to contracts with natural but also legal persons.125 This may further open the door for controllers-processor transfers. A transfer will also be exempt in cases, where there are important grounds of public interest or the transfer is necessary in relation to a legal claim.126 Such public interest must be recognised by EU law or the law of the member state to which the controller is subject.127
A new important addition has been made by introducing an exception for the pursuit of a legitimate interest by the controller or processor. In order to use this exception the transfer must not be frequent or massive and the controller or processor is required to conduct an assessment of all the surrounding circumstances and if necessary to adduce appropriate safeguards. In conducting such an assessment the party must consider the factors mentioned in Subsection 3 of Article 44.128 However, such a solution will likely only be used in exceptional situations as it requires detailed documentation and notification to the supervisory authority.129 In addition the exclusion of massive and frequent transfers seems to diminish its usefulness for a cloud provider. The question remains why such a restriction has been inserted, where the focus of the Regulation is on the protection of personal data. The quantity and frequency do not affect the aim of keeping personal data safe.
4.3.
Liability of processors abroad ^
New requirements were introduced including a contractual obligation of the controller to seek approval before using a sub-processor. As this is general practice, especially in multi-layered cloud services (i.e. SaaS running on IaaS in EEA), imposing such a restriction will likely deprive the users of cloud computing technologies of some of its main advantages.130 Article 30131 imposes additional security obligations on processors. These requirements apply to cloud providers being processors despite the fact that they may not know that the controlling customer is processing personal data as they are only supplying the capabilities for various possible processing activities.
Furthermore, the processor is required to process the data as instructed by the controller and is subject to liability if these instructions are not followed.132 In practice, the processor will not actually determine how or what is processed as the controller generally carries out the processing on the processors systems without the processors active involvement going beyond the mere supply of resources.133 The definition of processor should be amended in this regard or a new definition created. It seems that the Regulation does not fully address the problems processors face in the cloud. Some situations such as processing undertaken by the processor only for security purposes are not addressed. It remains unclear if a processor would become a controller because of such processing activities despite the fact that such an interpretation could seriously imped data security as a processor will thus refrain from taking such beneficial action.134 The proposed Regulation could have an adverse effect on the growth of cloud computing in the EEA as it imposes additional burden on processors thus reducing their potential profit margin.
The Regulation allows for compensation paid by the controller or processor who causes damage to a data subject through a breach of the Regulation.135 In addition, the supervisory authorities may impose administrative sanction for non-compliance with the Regulation of up to 1 million Euro.136 These sanctions will act as a strong incentive for cloud providers to either comply with their obligations under the law or to not do business in or with the EU.
5.
Remaining problems and the way forward ^
In many cases the authorities may not have sufficient resources or personnel to properly monitor compliance with trans-border data flow regulation. For example, one study found that eleven out of twenty-seven national data protection authorities in the EU member states were unable to carry out the entirety of their tasks because of a lack of financial and human resources.137 Users of a cloud service will increasingly have problems to enforce their rights where data is stored or processed in another country.138 In light of these developments the OECD is advocating a closer co-operation between privacy law enforcement authorities.139
5.1.
Effects of the Patriot Act ^
Increasingly large data collections are perceived as a threat to individual as well as national security. However, some big data collections are based on legal sources aiming at enhancing security to the benefit of all. The most prominent example is the US Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) of 2001.140 Once the Act was passed by US Congress concerns as to the effects on the European data protection laws emerged.141
In essence the Act allows US authorities to overrule the Safe Harbor framework and access any data stored in the US once a terrorism allegation is raised. Ultimately it opens the door for «fishing expeditions» as US agencies can demand any information a US company has stored without any actual evidence of a crime. This applies to all data stored in any form. Critics suggest that these laws prevent the data protection level from being considered «adequate» under the DPD standard.142 However, for example the Austrian Data Protection Commission has not yet followed this reasoning and allows such transfers to occur as they do not require approval under the Austrian data protection law.143
5.2.
Transfers under a BCR framework to a non-complying third country ^
5.3.
New technological approaches ^
Information, including personal data is a crucial business asset which must be managed in a responsible way. Due to the growing complexity of this topic, companies including cloud providers have realized the need for their own strategic information management to ensure data security.144 It is being realized that «if data protection and management are to be effective, the obligations to protect and secure data must attach to the data itself and must be met wherever it’s stored or processed.»145 The ability to tag data is important in this context. It allows linking data to specific information such as its origin and use. Knowing this information allows the application of the home country’s data protection law as well as a determination to where the data can be sent legally.146 Additionally it enables a cloud provider to determine what law applies to a specific data even when the home jurisdiction of the data subject changes over time.
Some countries such as Australia follow such an approach which can be enforced technically through tagging. The Australian legislator passed a Bill in December 2012 which will put increased pressure on entities transferring personal data to another country. An Australian party sending the data abroad will need to take reasonable steps to ascertain the security level maintained oversees and take appropriate precautions in order to ensure the data’s protection. Importantly the exporter will be liable for any breach, even committed by a third party abroad.147 This might in some instances even be the case where reasonable steps have been taken to ensure data protection. It therefore seems that the Australian approach has moved away from a location based to a more security based solution.
Such a conclusion can be drawn from the use of the wording «disclosure» as opposed to «transfer» as well as the statements made by the Privacy Commissioner who expressed that a breach will not have occurred in a transmission in which no third party has gained access. Furthermore, this interpretation seems to be in line with the ultimate aim of the legislation namely the protection of unauthorized use of personal information. It is to be hoped that the industry takes this new law as an incentive to develop safe transfer and processing methods which will ultimately solve the issues surrounding trans-border transfers. In the context of cloud computing this would allow a cloud provider to self-assess what type of service it is offering and how to ensure the safety of the data appropriate to its business.148 To what extent foreign governments can still gain access to data remains to be seen.
Prof. Rolf H. Weber is Chair Professor for International Business Law at the University of Zurich, Switzerland, Visiting Professor at the University of Hong Kong, Hong Kong and attorney-at-law (Zurich). The author is engaged as co-investigator in the research project «In Search of a Technological Framework for the Protection of Personal Data», supported by the General Research Grant of the University of Hong Kong. Address: University of Zurich, Rämistrasse 74/38, 8001 Zürich, Switzerland. E-mail: rolf.weber@rwi.uzh.ch.
Dominic N. Staiger is Assistant to Prof. Weber at the University of Zurich. The author has written his Master thesis on the effects of EU data protection laws on cloud computing. E-mail: dominic.staiger@rwi.uzh.ch.
- 1 Kuner Christopher, «Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present, and Future», Tilburg University Legal Studies Working Paper No. 016/2010, ‹http://ssrn.com/abstract=1689483›.
- 2 For a detailed discussion see: Kuner Christopher, «European Data Protection Law», (2007) Oxford University Press, 4.31.
- 3 Luis Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, «A Break in the Clouds: Towards a Cloud Definition» (2009), ACM SIGCOMM Computer Communication Review, 54.
- 4 Renzo Marchini, «Cloud Computing: A practical Introduction to the legal issues» (2010), British Standards Institution, 4.
- 5 The Cloud Legal Project (CLP) team is comprised of: Prof. Christopher Millard, Prof. Chris Reed, Prof. Ian Walden, Dr. Julia Hörnle, Dr. Alan Cunningham, W Kuan Hon and Simon Bradshaw.
- 6 Christopher Millard, Ian Walden, W Kuan Hon and Alan Cunningham, «Response to the UK Ministry of Justice’s Call for Evidence on the European Commission’s Data Protection Proposals» (5. March 2012), Queen Mary, University of London, 1, online available at: ‹http://www.cloudlegal.ccls.qmul.ac.uk/docs/65220.pdf›.
- 7 European Parliament, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of such Data, 1995, Article 1(2), online available at: ‹http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF›.
- 8 Alexander Benlian, Thomas Hess, Peter Buxmann, «Software as a Service, Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen» (2010), Gabler Verlag, 61.
- 9 Benlian et al., supra note 8, 61.
- 10 Serge Gutwirth, Yves Poullet, Paul de Hert, Ronald Leenes, «Computers, Privacy and Data Protection: an Element of Choice» (2011), Springer, 383.
- 11 Paul Schwartz, Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment 4 (2009), available at http://theprivacyprojects.org/wp-content/uploads/2009/08/The-Privacy-Projects-Paul-Schwartz-Global-Data-Flows-20093.pdf.
- 12 Fabian Schuster, Wolfgang Reichl, «Cloud Computing & SaaS: Was sind die wirklich neuen Fragen?», CR 1/2010, 41.
- 13 For a detailed discussion of the respective problems see Rolf H.Weber, Regulatory Autonomy and Privacy Standards under the GATS, 7 AJWH 26 (2012).
- 14 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11/4 draft, 2012, Article 79(6) online available at: ‹http://ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_en.pdf›.
- 15 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) ACT OF 2001, online available at: ‹http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf›.
- 16 Rolf H Weber, «Transborder data transfers: concepts, regulatory approaches and new legislative initiatives», International Data Privacy Law, 2013, 1–14.
- 17 Case C-101/01, Göta hovrätt v. Bodil Lindqvist, 2003 E.C.R. I-12971.
- 18 Weber, supra note 16.
- 19 OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, para. 17, available at: ‹http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborder flowsofpersonaldata.htm›.
- 20 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Article 12(2).
- 21 Supra note 19, Article 13 (3) (a).
- 22 Supra note 19, Article 2(1) of the Additional Protocol.
- 23 Directive 95/46/EC, supra note 7, Article 25.
- 24 Apec Electronic Commerce Steering Committee, Apec Privacy Framework, 2005, available at: ‹http://publications.apec.org/publication-detail.php?pub_id=390›.
- 25 Privacy (Cross-border Information) Amendment Bill 221-2 (2008), Part 11A, available at:‹http://www.legislation.govt.nz/bill/government/2008/0221/latest/DLM1362819.html›.
- 26 Weber, supra note 16, 5.
- 27 Non exhaustive list.
- 28 Commission Decision (EC) 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive (EC) 95/46/EC of the European Parliament and of the Council, [2010] OJ L39/5, Clause 11; Commission Decision (EC) 2004/915 of 27 December 2004 amending Decision (EC) 2001/497 as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, [2004] OJ L385/74, Clause 2.
- 29 Kuner, supra note 1, 30.
- 30 Kuner, supra note 2, 4.51.
- 31 Commission Decision (EC) 2000/518/EC.
- 32 Article 29 Working Party, «First orientations on Transfer of Personal Data to Third Countries – Possible Ways Forward in Assessing Adequacy» (WP4, 26 June 1997), 6.
- 33 Directive 95/46/EC, supra note 7.
- 34 Spanish Data Protection Act 1999, Article 6.
- 35 Datenschutzgesetz 2000 (Austrian Federal Act concerning the Protection of Personal Data) Section 17 (§ 17, 6 DSG 2000).
- 36 Kuner, supra note 2, 4.21.
- 37 Directive 95/46/EC, supra note 7.
- 38 Directive 95/46/EC, supra note 7 Article (26)(2).
- 39 Directive 95/46/EC, supra note 7 Article (26)(4).
- 40 Kuner, supra note 2, 4.68.
- 41 Directive 95/46/EC supra note 7 Article (26)(2).
- 42 Kuner, supra note 2, 4.100.
- 43 Kuner, supra note 2, 4.101.
- 44 Kuner, supra note 2, 4.83.
- 45 Kuner, supra note 2, 4.76.
- 46 Kuner, supra note 2, 4.76.
- 47 Marchini supra note 4, 75.
- 48 European Commission, Commission Staff Working Document on the implementation of the Commission decisions on standard contractual clauses for the transfer of personal data to third countries (2001/497/EC and 2002/16/EC), SEC /2006) 95 (20 January 2006) 9.
- 49 In Spain.
- 50 Kuner, supra note 2, 4.56.
- 51 Kuner, supra note 2, 4.56.
- 52 This guidance comprises two separate documents: a legal analysis of the eighth principle «The Eighth Data Protection Principle and international data transfers» (the «UK Legal Analysis») and also a more business orientated paper containing general compliance advice for companies transferring personal data overseas (the «UK General Compliance Advice»).
- 53 Marchini supra note 4, 79.
- 54 Gutwirth, Poullet, de Hert, Leenes supra note 10, 365.
- 55 See, e.g., Commission Decision (EC) 2004/915 of 27 December 2004 amending Decision (EC) 2001/497 as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, [2004] OJ L385/74, Clauses II(i) and III; Safe Harbor Onward Transfer Principle, available at ‹http://www.export.gov/safeharbor/eu/eg_main_018475.asp›.
- 56 Marchini supra note 4, 71.
- 57 Gutwirth, Poullet, de Hert, Leenes supra note 10, 366.
- 58 Kuner, supra note 2, 4.61.
- 59 Kuner, supra note 2, 4.61.
- 60 Marchini supra note 4, 72.
- 61 Article 29 Working Party, «Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers» (WP 74, 3 June 2003), 6. Available at: ‹https://www.agpd.es/portalwebAGPD/canalresponsable/transferencias_internacionales/ common/wp74_en.pdf›.
- 62 Kuner, supra note 2, 4.121.
- 63 Joanna Kulesza, Walled Gardens of Privacy or «Binding Corporate Rules?» A Critical Look at International Protection of Online Privacy, 34U. Ark. Little Rock L. Rev. 747, 758 (2012).
- 64 Article 29 Working Party, «Model Checklist: Application for approval of Binding Corporate Rules» (WP 102, 25 November 2004), available at: ‹http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp102_en.pdf›.
- 65 Directive 95/46/EC, supra note 7.
- 66 Kuner, supra note 2, 4.126.
- 67 Article 29 Working Party, Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From «Binding Corporate Rules», (WP107, April 2005), available at: ‹http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp107_en.pdf›.
- 68 Article 29 Working Party, supra note 60, 7.
- 69 Kuner, supra note 2, 4.127.
- 70 Article 29 Working Party, supra note 60, 4.
- 71 Kuner, supra note 2, 4.131.
- 72 See France, Article 69(8) of the French Data Protection Act (Loi 78-17), or Paragraph 4c(2) of the German Federal Data Protection Act.
- 73 Claire Gayrel, Jacques Gérard, Jean-Philippe Moniy, Yves Poullet, Van Gyseghem, Jean-Marc. 2010. Cloud computing and its implications on data protection. Paper for the Council of Europe’s Project on Cloud Computing, Centre de Recherche Informatique et Droit (Namur, March 2010), available at: ‹http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presetations/2079_reps_IF10_yvespoullet1b.pdf›.
- 74 Simon Bradshaw, Christopher Millard, Ian Walden, 2010. Contracts for clouds: A comparative analysis of terms and conditions for cloud computing services, Queen Mary School of Law Legal Studies Research (Paper No. 63/201), London, available at: ‹http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374›.
- 75 Rosa Barcelo, «EU: Revision of the ePrivacy directive», Computer Law Review International, 5.156.
- 76 Kuner, supra note 2, 4.93.
- 77 Kuner, supra note 2, 4.93.
- 78 Kuner, supra note 2, 4.93.
- 79 Kuner, supra note 2, 4.41.
- 80 Spiros Simitis, «Der Transfer von Daten in Drittländer – ein Streit ohne Ende?», (2000) Computer und Recht, 472, 479.
- 81 The model clauses for EU controllers to export personal data for processing by non-EU entities, in European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU) OJ L 39/5, 12.2.2010. Clause 11 restricts sub-contracting by the «data importer» without the data exporter’s prior written consent.
- 82 Kuner, supra note 2, 4.41.
- 83 Marchini, supra note 4, 76.
- 84 2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
- 85 Marchini, supra note 4, 77.
- 86 Marchini, supra note 4, 76.
- 87 Controller to processor clause 5(h) available at: ‹http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF›
- 88 Controller to processor, supra note 87, clause 5(j).
- 89 Directive 95/46/EC, supra note 7.
- 90 Article 29 Working Party, «Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1994» (WP 114, 25 November 1995), 6, available at: ‹http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp114_en.pdf›
- 91 Article 29 Working Party, supra note 90, 11–12.
- 92 Wolfgang Däuber, «Die Übermittlung von Arbeitnehmerdaten ins Ausland», (1999) Computer und Recht, 51.
- 93 Article 29 Working Party, «Opinion 8/2001 on the processing of personal data in the employment context», (WP 48, 13 September 2001), 3.
- 94 Dutch DPA, «Policy paper on transfers of personal data to third countries in the framework of the new Dutch Data Protection Act (WBP)» (February 2003), 19, available at: ‹http://www.dutchdpa.nl/downloads_int/nota_derde_landen_en.pdf›.
- 95 UK Information Commissioner, «The Eight Data Protection Principle and international data transfers» (30 May 2006), 4.3, available at: ‹http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ international_transfers_legal_guidance_v2.0_300606.pdf›.
- 96 «Stellungnahme des ULD vom 23.08.2006, Auslandsüberweisung Schleswig-holsteinischer Banken unter Einschaltung von SWIFT», 9, available at: ‹https://www.datenschutzzentrum.de/internationaler-datenverkehr/swift/060825_swift.pdf›.
- 97 Article 29 Working Party, supra note 90, 15.
- 98 UK Information Commissioner, supra note 95, 4.4.1.
- 99 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 3 (1).
- 100 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 1, 2(1).
- 101 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 2(b) & (d).
- 102 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 3(1).
- 103 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 3 & 4(13).
- 104 W Kuan Hon, Julia Hörnle, Christopher Millard, «Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3» (2011), Queen Mary School of Law Legal Studies Research Paper No 84/2011, 18, available at: ‹http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1924240›, 34.
- 105 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 3.
- 106 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 107 Rolf H. Weber, «Can Data Protection be Improved through Privacy Impact Assessments?», Jusletter IT 12. September 2012, Rz 13, available at ‹http://jusletter-eu.weblaw.ch/magnoliaPublic/issues/2012/12-09-2012/2052.html›.
- 108 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 109 Millard, Walden, Hon, Cunningham (note 6), 6.
- 110 Hon, Hörnle, Millard, supra note 104, 37.
- 111 Hon, Hörnle, Millard, supra note 104, 38.
- 112 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 3(1).
- 113 Viviane Reding, «Your data, your rights: Safeguarding your privacy in a connected world» (Privacy Platform «The Review of the EU Data Protection Framework» Brussels, 16 March 2011) SPEECH/11/183, available at: ‹http://europa.eu/rapid/press-release_SPEECH-11-183_en.htm›.
- 114 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 41 (7).
- 115 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 42(1).
- 116 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 117 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 42(3).
- 118 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 119 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 42(4).
- 120 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 42(5).
- 121 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 122 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 43(2)(f).
- 123 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 43(2)(h).
- 124 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 125 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 44(1)(c).
- 126 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 44(2)(d)&(e).
- 127 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 44(5.)
- 128 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 129 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 44(6).
- 130 Millard, Walden, Hon, Cunningham (note 6), 6.
- 131 General Data Protection Regulation COM(2012) 11/4 draft (note 14).
- 132 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 26(4).
- 133 Hon, Hörnle, Millard, supra note 104, 35.
- 134 Hon, Hörnle, Millard, supra note 104, 35.
- 135 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 77.
- 136 General Data Protection Regulation COM(2012) 11/4 draft (note 14) Article 79.
- 137 European Union Agency for Fundamental Rights, «Data Protection in the European Union: the Role of National Data Protection Authorities» (2010),42, available at: ‹http://fra.europa.eu/fraWebsite/attachments/Dataprotection_en.pdf›.
- 138 OECD, «Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy» (2007), ‹http://www.oecd.org/dataoecd/43/28/38770483.pdf›.
- 139 OECD, supra note 138.
- 140 US Patriot Act, supra note 15.
- 141 Philipp Becker, Julia Nikolaeva, «Das Dilemma der Cloud-Anbieter zwischen US Patriot Act und BDSG», CR 3/2012, 170.
- 142 Axel Spies, «USA: Cloud Computing – Schwarze Löcher im Datenschutzrecht», MMR 2009, XI (XII).
- 143 DSK 18.09.2009, K178.342/0005-DSK/2009.
- 144 Paula J. Bruening, Lisa J. Sotto, Martin E. Abrams, Fred H. Cate, «Strategic Information Management,» Privacy & Security Law, Bureau of Nat’l Affairs, vol. 7, no. 36, 2008.
- 145 Paula J Bruening, Krasnow K. Waterman, «Data Tagging for New Information Governance Models», IEEE Security & Privacy Magazine 8.5 (2010), 64-68.
- 146 Bruening, Waterman, supra note 145, 65.
- 147 Australian Privacy Principles, Principle Nr. 9, available at: ‹http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp9›.
- 148 Joe Ludwig, «Australian Privacy Principles Companion Guide», June 2010, 12-13.