Jusletter IT

Legal Challenges of Trans-border Data Flow in the Cloud

  • Authors: Rolf H. Weber / Dominic N. Staiger
  • Category: Scientific Articles
  • Region: Switzerland
  • Field of law: Data Protection, Cloud-Computing
  • Citation: Rolf H. Weber / Dominic N. Staiger, Legal Challenges of Trans-border Data Flow in the Cloud, in: Jusletter IT 15 May 2013
Parties involved in cloud computing are constantly facing new legal challenges in regard to trans-border transfers of personal data. In particular cloud service providers face ambiguous European data protection laws which do not cater for the specific services they offer. The following contribution addresses the issues associated with trans-border transfer of personal data in the cloud and highlights potential solutions.

Table of contents

  • 1. Introduction
  • 1.1. Definition of cloud computing
  • 1.2. Infrastructure as a service (IaaS)
  • 1.3. Platform as a service (PaaS)
  • 1.4. Software as a service (SaaS)
  • 2. Regulatory challenges, approaches and available legal frameworks
  • 2.1. International flow of data
  • 2.2. Legal frameworks
  • 2.3. Approaches to regulation
  • 2.3.1. Self-regulatory approaches
  • 2.3.2. Legislative regulatory approaches
  • 3. Trans-border data flow in the cloud – challenges under the DPD
  • 3.1. Issues arising in cloud computing
  • 3.2. Trans-border data flow under an adequacy decision
  • 3.3. Trans-border data flow with appropriate safeguards
  • 3.3.1. First Step: Legal grounds for processing personal data under local law
  • 3.3.2. Second Step: Legal grounds for transfer of personal data abroad
  • 3.3.3. The UK approach in particular
  • 3.4. Safe Harbor Agreement and data transfers to the USA
  • 3.5. Binding corporate rules (BCR)
  • 3.5.1. Practical importance
  • 3.5.2. Approval procedure for BCR
  • 3.5.3. Coordination procedure for implementing BCR
  • 3.5.4. Legal challenges when applying BCR
  • 3.5.5. BCR and cloud computing
  • 3.6. Multiple party involvement
  • 3.7. Onward transfers from a third country
  • 3.7.1. Problem of further protection
  • 3.7.2. Available legal scenarios
  • 3.7.3. Effects on cloud computing
  • 3.8. Application of derogation
  • 4. Trans-border data flow under the new EU Data Protection Regulation (DPR)
  • 4.1. Jurisdiction of the new Regulation
  • 4.1.1. Territorial scope
  • 4.1.2. Extraterritorial application
  • 4.2. Transfer of personal data outside EEA
  • 4.2.1. Transfer with an adequacy decision
  • 4.2.2. Transfer under the appropriate safeguards provision
  • 4.2.3. Binding corporate rules (BCR)
  • 4.2.4. Alternatives to an adequacy decision or appropriate safeguards
  • 4.3. Liability of processors abroad
  • 5. Remaining problems and the way forward
  • 5.1. Effects of the Patriot Act
  • 5.2. Transfers under a BCR framework to a non-complying third country
  • 5.3. New technological approaches

1. Introduction

[1]

Data protection and its regulation is a relatively new concept in legal history. Nevertheless, it has experienced a tremendous growth in importance due to the risks associated with rapid IT developments. Furthermore, globalization is increasing the need for a stable and transparent international data protection framework that facilitates data flow without impediments. Currently, data protection is mostly realized by way of national laws, and thus the local laws affecting the trans-border flow of data merit closer attention. Differences in the approaches taken are rooted in the cultural, historical and legal background of the individual countries. Common law countries in particular formerly had only limited laws on privacy, of which data protection forms an integral part. However, a considerable number of countries follow basic principles of data protection derived from international sources, such as the 1980 OECD Guidelines.1

[2]

This article addresses data protection issues specifically related to trans-border data flow in a cloud environment, disregarding the factors it has in common with outsourcing or related technologies. Thus a reference to a cloud provider means a public cloud provider, as the services of a private cloud are closer to those of an outsourced data centre and are therefore not subject to most of the problems encountered in the context of a public cloud. The question of the applicable law in an international data transfer is also not addressed hereinafter.2

1.1. Definition of cloud computing

[3]

At present there is no generally accepted definition of what the essential elements of cloud computing are.3 Commonly it is described in its most basic form as the supply of computing capabilities through a communication link.4 These computing capabilities can be storage space or simply an amount of calculating capacity. There are potentially also many other factors to cloud computing such as a payment on a usage basis or the lack of specific software installed on the customer’s computer. Inherently the ongoing development of cloud computing technologies makes a universal definition hard to achieve. The following three factors have been used by the (London) Cloud Legal Project team5:

[4]
  • «Cloud computing provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in relation to demand.
  • Services (especially infrastructure) are abstracted and typically virtualized, generally being allocated from a pool shared as a fungible resource with other customers.
  • Charging, where present, is commonly on an access basis, often in proportion to the resources used.»6
[5]

These factors differentiate cloud computing from a common outsourcing situation. When services are outsourced they are provided by a specific party in a predetermined manner and location. Usually labour-intensive services such as call centres are outsourced. In cloud computing this is not the case. A provider supplies the requested resource (calculating capacity, storage space) from the location that is the most cost-efficient place for satisfying its customers' needs. This means that until the capacity is rendered the customer will generally not know from where it will be provided.
[6]

Furthermore, the exact amount of the resource requested is not predetermined but simply scalable on request through a mouse click. Because of the strict EU data protection laws some providers offer a «European» cloud which guarantees that the capacity will only be rendered from an EU server location. Thus no data protection laws relevant to trans-border transfers need to be observed, as the EU is seen as one single geographic area for data protection purposes.7 However, as the laws within the EU differ substantially, further national laws might have to be observed with regard to data processing.

1.2. Infrastructure as a service (IaaS)

[7]

This type of service encompasses the provision of infrastructure (mostly in the form of hardware capacity) to the customer by the cloud service provider (e.g. Amazon EC2). Such a service is used by companies which require additional capacities during peak periods or simply do not want to invest in expensive IT infrastructure. An IaaS provider is responsible for delivering the required capacities remotely through its scalable systems. The storage place is mostly determined by the provider, which will usually store copies of the data in different locations based on availability and costs. As the infrastructure is used by multiple parties, secure segmentation between the parties is essential in ensuring data protection.8

1.3. Platform as a service (PaaS)

[8]

PaaS is an alternative for setting up a cloud computing business without the high initial start-up costs of developing a software platform or acquiring infrastructure. It combines both IaaS and a software solution allowing the customers to develop their own environment within a framework and platform supplied by the PaaS provider.9 The data is either stored on the cloud provider's systems or locally on the customer's.

1.4. Software as a service (SaaS)

[9]

SaaS is a form of cloud computing in which the user can remotely access software that is running on a server anywhere in the world (e.g. Google Docs). This service generally does not require the user to install any additional software besides his internet browser. The data is commonly stored on the cloud provider's servers. In order to ensure data protection and access safety, the provider needs to implement sophisticated authentication methods.10 On the downside, however, there is a considerable risk of vendor lock-in, as moving the data to another provider will be costly and difficult due to varying platforms (data formats).

2. Regulatory challenges, approaches and available legal frameworks

[10]

As trans-border data flow is nowadays carried out on a continuous basis within a cloud environment, legal frameworks are required to cater for its specific needs, in particular avoiding conflicts of national laws in international transfers. Among other things, the nature of data movement has changed from a point-to-point transfer to a more «multi-directional fashion throughout the globe».11 Increasingly, such data transmissions through multiple computers lead to problems in ascertaining the specific location of data and the type of processing being carried out.

[11]

This assessment is mainly due to an inherent feature of cloud computing, the fragmentation of data, which allows processing to take place on multiple servers in varying locations. Such a shifting of data around the globe allows the processing to be rendered where capacity is most cheaply available. A user is no longer required to own hardware or software, as he can access these systems directly via the internet through a simple display device. Furthermore, it allows multiple parties from varying locations to access, process, store and alter data at any given time.12 The ease of access to new cloud technologies such as DropBox or GoogleDocs has significantly contributed to the growth seen in their use by private individuals. As these users predominantly neither know how cloud computing works nor understand the associated privacy risks, legislative intervention is necessary to offer a minimum degree of protection.

2.1. International flow of data

[12]

An important pressure to harmonize data protection standards is generated by international trade law. Different levels of protection jeopardize the cross-border rendering of services, particularly IT and electronic services.13 As the tertiary sector has succeeded industry production in many developed countries, impediments on trans-border data transfers can have a significant impact on an economy, especially if companies decide to set up their data centers in other locations because of ambiguous data protection laws. Differing approaches, frameworks and formalities in complying with data protection laws should therefore be kept to a minimum.

[13]

As a cloud provider ultimately knows how its business works and how it renders its services, it appears to be more efficient to set a standard of data protection, leaving the exact implementation to the provider. The main task of data protection authorities would be to ensure that the methods used by a cloud provider are sufficient to meet the required standard of data protection.
[14]

In practice, supervision is an issue, as many data protection agencies are underfunded and understaffed, resulting in an inability to carry out their tasks to the level expected. Therefore, the new EU Data Protection Regulation aims at limiting non-compliance by companies through increased fines for data protection breaches.14 Such laws would counteract the current lack of enforcement. However, compliance procedures do not address the problems associated with foreign legislation such as the Patriot Act15, which infringes on data protection by essentially overriding any contractual data protection arrangement.

2.2. Legal frameworks

[15]

In most international legal instruments, the regulations governing trans-border data flow do not belong to the basic principles of data protection (such as purpose specification, proportionality or data quality), but form a special section apart from the privacy core rules. This assessment is not only true for the relevant legal instruments (in particular the EU Directive), but also for the Madrid Resolution of 2009, which is considered a «non-binding general Magna Charta»16 of data protection. Furthermore, the European Court of Justice in its ground-breaking Bodil Lindqvist case has expressed the opinion that international data transfers form a «regime of special application», contrasting it with the «general regime» under Chapter II of EU Directive 95/46.17

United Nations

[16]

In 1990 the United Nations General Assembly adopted Guidelines for the Regulation of Computerized Personal Data Files. These non-binding Guidelines were seen as a moral commitment for carrying out activities related to trans-border data transfers. They require some reciprocal safeguards, but any limitation must go only so far as is necessary to ensure a predetermined level of data protection.18

OECD

[17]

One of the first proposals addressing major data protection issues was the OECD Guidelines governing the protection of privacy and trans-border flows. In 1980 a council of experts debated and drafted new ideas in regard to data protection. They agreed that free cross-border flow of data is a central aspect of an increasingly globalized world. Nevertheless, in order to ensure protection of individuals, the Guidelines prohibit data transfers to a country which does not observe the Guidelines or fails to provide protection comparable to that of the country from which the data is sent.19

Council of Europe

[18]

In 1981 the Council of Europe, acting in its capacity as a regional organization with 47 member countries, released a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108). It encompasses the principle that member states should not prohibit or subject to special authorization the trans-border flow of personal data.20 Derogations from this principle are possible in so far as the legislation of a member state «includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection».21

[19]

The Council of Europe adopted an Additional Protocol to the Convention in 2001 expressly allowing the transfer of personal data to a non-party if an adequate level of data protection applies.22 However, the need for specific derogations was acknowledged, thus allowing for exceptions in the cases of, for example, legitimate prevailing interests, especially important public interests, and safeguards based on binding contractual or corporate rules (BCR).

European Union (EU)

[20]

During the development of the internet in the 1990s the most important legal instrument regulating trans-border data flow in the EU, the Data Protection Directive 95/46 (DPD), was enacted. The EU Directive is legally binding in the 27 EU member states and the 3 EEA member countries. It sets strict requirements for a trans-border data transfer, such as the requirement that a recipient country provide an adequate level of protection as determined by the European Commission, or other conditions in order to fulfill the required data protection standards (binding corporate rules, contractual agreements).23 A determination of «adequacy» is made based on the assessment of the Article 29 Working Party, resulting in a list of countries approved as fulfilling an adequate level of data protection. If a country is not on the list, the data protection requirements can be met by way of EU-approved standard contractual clauses or through the Safe Harbor framework.

APEC

[21]

The Asia-Pacific Economic Cooperation (APEC) with its 21 member states agreed on an APEC Privacy Framework in 2004, composed of a set of voluntary privacy principles. Under its framework the original holder of the data is accountable for compliance with the data protection directive. It also allows for the implementation of Cross-border Privacy Rules (CBPR) that realize adequate data protection notwithstanding the location where processing takes place.24 As the APEC Privacy Framework is voluntary, some APEC countries (for example Canada, Australia) have implemented the accountability approach in their own data protection legislation; others have their own approaches to privacy protection and tend to implement provisions similar to the EU Directive.

2.3. Approaches to regulation

[22]

Some countries such as New Zealand25 advocate the free flow of data, only imposing restrictions where this is necessary to fulfill a legitimate legislative objective. Others, such as the EU, generally prohibit the flow of personal data out of the EU unless an exception can be invoked. From a formal perspective, two different approaches can be realized, namely private ordering or public lawmaking.

2.3.1. Self-regulatory approaches

[23]

Implementing a self-regulatory approach in the context of cloud computing in order to achieve a required data protection standard is fraught with challenges. Such an approach would require parties in various countries to agree on a universal framework despite differing data protection laws in their home jurisdictions. However, an exception can be acknowledged for the Safe Harbor framework, which allows data transfers into the United States if a self-assessed standard of data protection is fulfilled.
[24]

The Voluntary Model Data Protection Code for the Private Sector of the Infocomm Development Authority of Singapore and the National Trust Council of Singapore includes obligations of the data exporter such as the request to ensure that the data will not be processed inconsistently with the Code.26 The private rules are not easily enforceable, but flexible in adjusting to current needs.

2.3.2. Legislative regulatory approaches

Geographical approach

[25]

The geographical approach to regulating trans-border data flow is applied by the EU Member States, Switzerland, Argentina, Morocco and Russia.27 Its focus is on the transfer of personal data outside a territorial scope and the associated loss of control. In order to ensure compliance with the data protection laws, the receiving country will have to meet at least the same standard of protection as the country from which the data originates.

Organizational approach

[26]

The organizational approach, in comparison, is a much more practical one. It places the burden on the original data exporter to ensure that wherever the data might be sent, it is kept safe according to the standards of the country from which it originates. The EU legal framework also recognizes particular instruments that legitimize trans-border data flows within organizations, such as binding corporate rules and standard contractual clauses.28 Other concepts, such as the notion of «accountability», can be found in both systems, which will most likely grow closer to each other over time.29

3. Trans-border data flow in the cloud – challenges under the DPD

[27]

The following analysis will be carried out with reference to the DPD. However, an assessment under Swiss law would be practically identical.

3.1. Issues arising in cloud computing

[28]

The main issues in cloud computing are grouped around its very complex technical nature. In order for a data protection law to fully fulfill its objective, one must know which sort of data flows from where to where and what it is used for. As the data is commonly fragmented, parts of it might be processed in various locations. Furthermore, the exact location of processing might not be known up until the very point of its transfer, as a cloud provider will direct the data to the place where it can fulfill the requested service most cost-efficiently. This complicates data protection, especially personal access and deletion rights.

General definition of a controller and processor

[29]

According to the definition of the DPD, a controller is an entity or person who on its own or jointly with others determines the purpose and means of processing. What exactly is meant by determining the means or purpose of processing is subject to controversial discussion. At what point does a party's exercise of decision-making power over the processing operation result in its classification as a controller?

Identifying a cloud provider as controller or processor

[30]

Significant obligations are attached to controllers and processors under the DPD. Therefore a careful examination of the individual position of a cloud provider within the DPD framework is necessary. Essentially, a cloud provider increases its chances of being classified as a controller the more services it offers. This is due to its discretion in determining the means of processing, which generally rises with every service supplied. SaaS services such as GoogleDocs in particular grant the provider an enormous amount of control, as it can determine the software as well as the hardware capacity supplied.

[31]

Currently a decisive answer to the question whether a cloud provider is classed as a controller or processor cannot be achieved. Ultimately it will depend on the specific circumstances of the services provided. This situation is especially disappointing for cloud providers which only supply hardware resources to a customer carrying out the processing autonomously on the provider's servers. They will be defined as processors despite carrying out actual processing.

3.2. Trans-border data flow under an adequacy decision

[32]

As trans-border data transfers are generally prohibited, one of the exceptions below must be invoked in order to legally carry out a transfer.

[33]

The EU Commission can declare that a country fulfils an adequate level of data protection, which allows personal data to be transferred to that country without further assessment. Such a finding of adequacy can also be limited to specific sectors within a third country. For instance, Canada is considered an adequate country in regard to the Personal Information Protection and Electronic Documents Act, which covers certain recipients and transfers.30 Switzerland is also considered to fulfil an adequate data protection standard for all personal data transfers covered by the DPD.31

[34]

A factor taken into account in ascertaining such adequacy is the ratification of standards such as Convention 108 on the Processing of Personal Data.32 Generally it can be said that the EU Commission will not find a country's data protection standard to be adequate if it does not fulfil the main principles of the DPD. Interestingly, this seems to lead to an export of the EU data protection laws, as third countries will have to comply with its rules in order to freely move personal data out of the EU. However, the main provider of cloud computing services (the US) does not currently qualify as offering an adequate standard due to its very liberal and diverse state data protection laws.

[35]

Personal data can move freely between cloud servers situated in approved countries without restrictions imposed by the DPD. The options below will focus on the more common scenario of trans-border data flow to countries without such an adequacy decision.

3.3. Trans-border data flow with appropriate safeguards

3.3.1. First Step: Legal grounds for processing personal data under local law

[36]

The transfer approval under national law will essentially depend on how a member state has implemented Article 7 DPD33 into its national law. For example, the Spanish Data Protection Act requires consent of the data subject.34 In comparison, the Austrian data protection law requires notification to the Data Protection Authority (DPA) as well as processing in good faith within the boundaries prescribed by the Datenschutzgesetz.35 Additionally, every EU member state is able to impose further specific requirements that must be met before personal data can legally be transferred abroad.36 These requirements might be based not only on the DPD but also on other laws such as employment law.

3.3.2. Second Step: Legal grounds for transfer of personal data abroad

[37]

Once a legal ground for processing personal data applies under local law, the next step is to identify a legal basis for a transfer of such data outside the EEA.

Transfer to a third country under the appropriate safeguard framework

[38]

In cases where no other exception is present, a transfer to a third country is allowed under Article 26(2)37 if «the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights». Such safeguards take the form of contractual clauses38 for which the Commission approves standard clauses.39 Other options such as an «Auslobung» under Austrian law would also be a viable possibility, as it ensures that the data subject can enforce the promises made through court action.40

[39]

A data exporter can choose either to use these approved standard clauses or an ad hoc solution, which will require prior approval by the DPA of the member state from which the data is to be transferred.41 Under the ad hoc authorisation the exporting party has to apply to the national DPA for approval of the contractual framework it has implemented for the export of personal data. The DPA looks closely at the obligations imposed on the importer and the exporter in ascertaining whether the requirements of the DPD are met. Some EU member states such as Spain have published rules on the drafting of data transfer contracts.42 However, it is left to the states to decide whether they require prior approval of the contract, simply want to be notified, or require no action at all.

[40]

These conflicting approaches lead companies to choose a member state in which the requirements are easiest to fulfil. In those countries where there is no prior approval of the clause or the measures taken, the complete legal burden of ensuring compliance is shifted to the company.43 Such a solution is not ideal for cloud providers, as they are unable to gauge the protective steps required of them due to the complexity of their operations.

Transfer to a third country under a standard contractual clause

[41]

The Commission has set up a framework of standard contractual clauses which parties wanting to export personal data outside the EU can use. These clauses form part of a comprehensive compliance strategy under which the parties must implement the contracted legal obligations. Additionally, the parties can also utilise the clauses to further supplement their internal BCR.44

Controller to controller standard clauses in transfers to third countries

[42]

Under the current DPD framework there are two sets of approved standard clauses, which were presented in 2001 and 2004. The newer clause modified the liability for damages caused by the respective parties, deleting the previous joint and several liability whilst imposing an additional due diligence requirement.45 Also, requests for access can now be denied if they are obviously abusive. Importantly, consumer organisations are no longer allowed to bring suit on behalf of the data subject. However, the data subject can still file a claim against the exporter and even the importer, if the exporter fails to take action to enforce the contractual obligations within a reasonable time.46 This is an important part of granting data subjects enforceable third party rights.

[43]

Another aspect is the lack of limited liability in these clauses, which will in some cases give the cloud customer a right to recover higher damages from the cloud provider than under a normal commercial contract.47 It remains to be seen how a DPA would react to a limitation of liability between the provider and the customer, as this will alter the contractual clause in a significant way, thus reducing its benefits. The exporter and importer can now agree that the importer will respond to all DPA requests. This is a sensible decision, as the importer will be able to provide exact and timely answers to any enquiry as to how the data is processed and maintained. The importer will no longer have to fully guarantee that no national law conflicts with the obligations under the contract, as such a guarantee is now limited to the knowledge of the importer at the time it entered into the contract. In addition, the ambiguity in regard to the requirement of the importer to follow the DPA's instructions was resolved by only imposing such a requirement in cases in which the decision of the DPA or the competent court has become final.

Member states' implementation of contractual clauses

[44]

The European Commission has pointed out that the member states can implement their own licensing system for standard contractual clauses in order to ensure compliance with the DPD, but «are obliged to recognise the standard contractual clauses as fulfilling the requirements set down by the Directive for the export of data and consequently may not refuse the transfer».48 This view is further supported by the wording of Article 26(4) DPD. Such a licensing system, depending on member state law, can require the parties to file copies of the clause with the DPA or require prior notarised signatures by the parties. Additionally, data covered by specific laws (e.g. employment law) might also require the express approval of the data subject.49

3.3.3. The UK approach in particular

[45]

The UK's contractual approach is more lenient than the one taken in other EU member states. This difference in the implementation of the DPD enables exporters to execute their transfers without further external examination, as only a self-assessment and notification to the Data Protection Commissioner is required. The exporter can elect not to use the EU Commission's contractual clauses but to self-assess the adequacy of the data protection in the importing country and to take appropriate measures. In doing so it should take into account the type of data, the duration of processing, the purpose of processing and the legal framework in the importing country.50

[46]

The risk here lies in the legal uncertainty that the transfer so assessed might later be found not to meet the adequacy requirement. It has also been suggested that this UK approach of self-assessment violates EU law.51 However, according to a UK Information Commissioner's Office (ICO) guidance note, such an approach seems to assume an export to a processor, not to a controller, leaving the question open in situations where an export is carried out to a controller.52 In limiting the application to exports to processors, the UK ICO retains control over the controller, which is ultimately responsible for ensuring data protection.53

3.4. Safe Harbor Agreement and data transfers to the USA

[47]

As the United States of America has adopted a liberal regulatory approach to data protection, it does not fulfil the requirements of the adequacy standard under the DPD. In order to address this issue in cases in which personal data is transferred from the EU to the US, the European Commission and the US Department of Commerce (DOC) negotiated the Safe Harbor Agreement.54 In essence it provides a substitute private framework which fulfils the minimum standards of adequacy under the DPD.55 It requires US-based companies to publish their privacy policy, which must be compliant with the Safe Harbor principles.56 These principles require (i) notice if data is collected, (ii) the individual's choice to opt out of the collection of data, (iii) no transfer of collected data without express consent, (iv) security of the collected data, (v) integrity of the data, (vi) the individual's right to access the data, and (vii) enforcement of these rules.

Institutional setting

[48]

In order to be allowed to use this framework, however, the US company must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation. Interestingly, compliance can be monitored through a self- or third-party assessment, for which the DOC maintains a register of complying institutions.57 Because a US cloud provider may decide to have only certain types of data covered under the Safe Harbor Agreement, a European cloud user should always check with the DOC that the data intended for transfer is covered by the framework.

[49]

Due to the different implementation of the DPD by the EU member states there are some inconsistencies in the way the Safe Harbor Agreement is interpreted by the national DPAs. However, unless the US company has committed itself to cooperating with the EU member state’s DPA, US law will apply to the interpretation of the Safe Harbor Agreement.58 Participation is not limited to data controllers; data processors can also join.

Enforcement

[50]

Once a party participates in the Safe Harbor regime it has to decide which enforcement and dispute resolution mechanism it wants to subject itself to. This can be either a private self-regulatory mechanism, as stated above, or a government mechanism. Depending on the type of data (e.g. employment data) this decision might be predetermined because of the requirement to cooperate with the European DPAs. When a company elects to join a self-regulatory mechanism it must ensure that the chosen mechanism meets the Safe Harbor requirements. As soon as these decisions have been made the company must send a written certification to the Department of Commerce stating its compliance with the Safe Harbor principles. It also has to publish a complying privacy policy in which it expresses that it adheres to the Safe Harbor standards. Membership of the Safe Harbor framework must be reaffirmed on an annual basis. A member can decide to opt out by giving notice to the DOC. Any data transferred up to this point remains subject to the Safe Harbor principles.59

[51]

In case of a breach the FTC can file a deceptive trade practices charge, and the data subject or the cloud customer could claim damages.60 The coverage of employment data under the Safe Harbor framework remains controversial, as the FTC is only responsible for deceptive trade practices, which on its face does not cover the relationship between a company and its employees in regard to their privacy, e.g. human resources data. However, it seems to have developed into an accepted practice to allow such transfers under the Safe Harbor framework.

3.5. Binding corporate rules (BCR)

[52]

As opposed to the Safe Harbor Agreement, which is limited to US-EU transfers and only applies to certain transfers or categories thereof, BCR are applicable within an institution or corporate structure and ensure the enforcement of the DPD in transfers to any party governed by them.61 They can also indicate compliance with the Safe Harbor principles, but are not determinative. Importantly, they must grant enforceable rights to the data subject and are legally binding on the entire corporate structure.

3.5.1. Practical importance

[53]

For multinational companies using and offering cloud services BCR seem to be the only solution. Separate individual contracts imposing data protection requirements are simply too complex to implement and administer in an international cloud environment. Therefore, BCR are seen as a feasible framework to facilitate the international transfer of personal data within corporate groups to countries which do not meet the EU standards.62 The BCR form a minimum standard within a corporate group, leaving it open to a national regulator to impose further requirements. Once such a framework is approved by the national DPA and implemented by the respective companies it provides a significant compliance cost advantage.

[54]

Approval of BCR by the European Commission is not required, as the Commission’s power only applies to standard contractual clauses. Each member state has its own set of approval requirements, which can vary in some detail.63 The Article 29 Working Party has issued information as to the substantive requirements for approval.64 However, this guidance is only an indication of the main requirements.

3.5.2. Approval procedure for BCR

[55]

There are two main streams of approval of BCR. Firstly, some member states have not made approval by the local or national DPA mandatory, as Article 25 DPD does not require this.65 In doing so, they have shifted the burden of ensuring compliance onto the companies. Secondly, some interpret BCR as falling under contractual clauses and thus do require approval under Article 26(2).66 Because of these different approaches the Article 29 Working Party developed a «co-operation procedure»67 to facilitate the approval process for companies wanting to implement BCR.

3.5.3. Coordination procedure for implementing BCR

[56]

As a first step the group of companies (e.g. Google and its subsidiaries) must determine which corporate entity is making the application on their behalf to the responsible DPA. This is usually done by the EU headquarters, which must create a position (e.g. a Data Protection Officer) responsible for overseeing the BCR implementation. Furthermore, there needs to be an «ownership relation» between the companies in the group, sharing a common system of governance and essentially amounting to «a group of companies bound by rules».68 These factors ensure enforceability and compliance. The company will usually apply to a so-called «lead DPA», which is then responsible for coordination with the other member states’ DPAs. However, there is no fixed rule as to which «lead DPA» to choose. The decision can be based on different factors such as the location of the headquarters or data centres, or previous dealings.

[57]

Despite some published guidance no approved standard application form exists. According to the Article 29 Working Party the application should contain the contact details of the applicant, the choice of lead DPA, proof that the requirements of Working Party Paper 74 are fulfilled and the documents constituting the BCR. These documents should explain the means and purpose of the processing activity, the responsibilities and the data flows to third countries.69 Once the lead DPA accepts the final draft it sends it to all the national DPAs for approval. Assuming they consider the BCR to offer «adequate safeguards» and there are no objections, the final draft can be translated into the national languages and approval can be sought from each member state’s DPA. However, the member states’ requirements for BCR can still vary.70

3.5.4. Legal challenges when applying BCR

Internal Effect

[58]

Enforceability of the BCR is essential for approval. On the face of it this seems very clear; however, there are several different ways of achieving this aim. One option is to use corporate rules which are binding on all of the group’s entities. Secondly, the head company could contract to accept all responsibility for the worldwide group (unilateral commitment). Thirdly, the head company could require the incorporation of regulatory measures which are binding on all group members.71 The problem with unilateral commitments is their differing recognition in the member states. Some recognise them explicitly through their data protection legislation72, others only implicitly or under conditions (e.g. a contractual commitment having recourse to the other companies). As the BCR have to be binding on the employees within the group, certain obligations must also be reflected in their respective employment contracts.

External Effect

[59]

The BCR must grant the individual data subject enforceable rights. This enforcement can take place through the national DPA or a court and must also cover actions taken by members of the group outside the EU. The above-mentioned unilateral commitment by the parent company would fulfil these requirements. Alternatively the company could enter into a contract with all the DPAs, with the individual data subject as a third-party beneficiary.

3.5.5. BCR and cloud computing

[60]

BCR seem to be the most viable solution for cloud computing providers in order to fulfil the trans-border data protection requirements. Once the corporate group of a cloud provider is approved as fulfilling the BCR requirements it can process personal data in any of its server centres around the world in compliance with the DPD. The flexibility of the BCR ensures that all transfers which occur in a cloud environment are governed by them, which is a major advantage compared to the model contracts, which only apply to single point-to-point transfers. Extensive monitoring of the data flows within the structure will not be necessary, resulting in lower compliance costs.

Technical and procedural steps for cloud providers

[61]

A prudent approach for a corporate group envisaging the use of BCR is to ensure that appropriate technical measures are implemented. These should include:

    «1. An adequate information management system to control access to data; this includes the use of audit trails, which allow logs to be kept (and would help at a later stage in investigations);

    2. Use of privacy enhancing technology and protection against breaches, for example through the use of patches, encryption etc.;

    3. Obligation to segregate data stored;

    4. Maintaining a person responsible for security.»73

[62]

Procedural measures should include:

    «1. Obligations to audit the system (and keep audit-trails);

    2. Cooperation between service providers and Data Protection Authorities (allowing audit of security measures/issuance of recommendations);

    3. A security policy expressed in clear language. The terms of service proposed by the cloud computing providers tend to be problematic, with the exception of Intellectual Property rights that are usually well respected. In fact, on most occasions the user does not have any negotiation power and must accept the policies as they are.»74

    «4. Notification of data disclosure and security breaches. The reviewed e-Privacy Directive 2009/136/EC calls for mandatory notification of security breaches, provided they are likely ‹to adversely affect their personal data privacy› (i.e. ID theft, reputational loss) and unless encryption measures were enabled.»75

Unknown server location

[63]

If the server location is not known, or at least not restricted to a particular country, then an assessment of its data protection standards is practically impossible. In such a situation the use of the service under the current DPD does not seem legally permissible unless it takes place within a corporate group governed by BCR.

3.6. Multiple party involvement

[64]

In the context of cloud computing, situations can arise where there is more than one importer or exporter. Three possible solutions are currently available in such a scenario.

Solution 1: Web of contracts approach

[65]

Under this approach all parties have individual contracts with each other. The exporter will have a contract with each and every importer. This is a very complex solution, but it will satisfy the DPAs’ requirements. Additionally, the parties are required to have onward transfer agreements between themselves. However, the administrative resources required become substantial if many parties are involved. Such an approach is only advisable when the number of parties is limited.76 In a cloud computing context it is not a viable solution, as too many parties are involved.

Solution 2: Master agreement approach

[66]

In a master agreement a single set of standard clauses is used, which needs to be signed by all exporters and importers. The difficulty here lies in determining whether a party is a controller or a processor. One solution is to identify the data flow and contract accordingly. It is advisable to include a default clause in the agreement in order to cater for situations where a party becomes a controller based on its conduct.77

Solution 3: Power of attorney approach

[67]

This approach is mostly used in a corporate structure, where a controlling company vested with a power of attorney signs on behalf of the subsidiary. Bestowing such a power of attorney can sometimes be a very complex matter because of company law requirements, the company’s statutes or the fact that the company might be located in a third country.78

3.7. Onward transfers from a third country

3.7.1. Problem of further protection

[68]

Once one of the methods for trans-border data flow under the DPD has been chosen, the question arises as to what rules apply when this data is transferred to another party after it has left the EU. It is prudent to ensure the further protection of personal data even once it has left the EU. The legal framework for the onward transfer depends on the legal basis which allowed the data to be transferred to a third country in the first place.79 Such an onward transfer is classed as «processing» of personal data.

[69]

A controller-to-controller onward transfer is in most instances governed either by the Safe Harbor Agreement or by one of the two sets of EU-approved standard contractual clauses. There are no restrictions on onward transfers to a country which ensures adequate protection.80 In 2010 the European Commission issued a new set of standard contractual clauses which require the data importer (e.g. a non-EU cloud provider) to ensure that any party to which an onward transfer takes place is contractually obliged to adhere to the EU data protection laws.

[70]

This new set of clauses addresses a previous lack of regulation and uncertainty surrounding processor-to-processor transfers. Under the new clauses the processor is required to ensure the appropriate level of data protection as well as to insert the same clauses into any further sub-processing contracts.81 In addition the data subject should be informed of a transfer.82 If adequate data protection is ensured through these measures, the consent of the data subject does not appear to be necessary.

3.7.2. Available legal scenarios

[71]

Due to the complexity of cloud computing services, various scenarios of trans-border data flow are imaginable. For example, a SaaS cloud provider receives personal data under an approved contractual framework from its EU customer. However, the SaaS provider uses the service of an IaaS provider located in another third country (subcontracting). Would such an onward transfer be covered by the initial contractual clauses? In a first step one has to look at the SaaS and IaaS providers in order to determine whether they are controllers or processors.83 Then one of the following scenarios will apply.

Scenario 1: Third country controller to a third country controller

[72]

If a controller in a third country, such as an IaaS provider, wants to transfer personal data to an IaaS/PaaS provider in another country, then it must either acquire the consent of the data subject or impose the same contractual clauses on the IaaS/PaaS provider as it is itself subject to.

Scenario 2: Third country controller to a third country processor

[73]

There is no express provision which allows a transfer from an importing controller to a processor. However, such a transfer seems to be recognised by the second set of contractual clauses in Decision 2004/915/EC.84 It is essential that confidentiality and security are ensured and that the processing only takes place on the express authority of the importing controller. The obligation of the importing controller to allow inspection of its processing facilities by the exporting controller must also be inserted into the subsequent contract with the processor. Additionally, the importing controller has to give the exporting controller the assurance that at the time of entering into the contract there is no local law which could have a substantial effect on the performance of the contract. If such a situation arises, the importing controller must inform the customer immediately of the applicable law.85

Scenario 3: Third country processor to a third country controller

[74]

This scenario is legally not permissible, as the processor does not have the authority to determine the means and purposes of processing and thus cannot allow a subsequent controller to do so.86 Any such transfer will be in violation of the EU data protection laws.

Scenario 4: Third country processor to a third country processor

[75]

Unless the processor is based in a country with adequate data protection or is governed by the Safe Harbor principles or BCR, it will have to implement the 2010 controller-to-processor clauses, which allow further sub-processing under certain conditions. These are the written consent of the data exporter87 and the handing over of a copy of the sub-processing agreement.88 In the case of commercially sensitive information the processor is allowed to issue only a document containing the data protection provisions without the commercial information. Such a document must be given to the data subject upon request. Through the 2010 clauses the processor also has to give the controller the assurance that it has no reason to believe that a local law prevents the performance of its obligations towards the controller. This provision will have to be inserted into any contract with a sub-processor in order to maintain the rights of the controller and to fulfil the data protection requirements of the DPD.

3.7.3. Effects on cloud computing

[76]

On first view it appears that a controller or processor could implement a contractual framework in order to comply with the DPD. However, in cloud computing this is difficult because of its driving factors such as mobility, scalability and accessibility. Ultimately the processor or controller might not know exactly where the data is at a given time, so assuring that no local law is hindering the performance of the contract seems at least challenging.

[77]

Nevertheless, there is the possibility of restricting the flow of data in sub-contracts (e.g. the IaaS provider is only allowed to use servers in a specific country whose local laws are known to the exporter). Amazon, for example, has done this with its European cloud services. Any such additional requirements slowly reduce the benefits of the cloud system, as the costs increase with each additional contract or obligation to be fulfilled. Currently BCR are the best alternative for cloud providers using resources in a corporate group on a worldwide basis. However, once data is to leave their structure towards a third-country provider, contractual clauses seem to be the only possible solution.

3.8. Application of derogation

[78]

As expressed in an Article 29 Working Party Paper, the exceptions mentioned in Article 26(1)89 are a «derogation from the principle of adequate protection laid down in Article 25»90 and should be construed narrowly. They allow a transfer to a third country to take place regardless of the data protection standards present in the importing country. The following exceptions are foreseen:

[79]
    1. Consent: The data subject can give its consent to a transfer. This consent needs to be clear and unambiguous, given freely through an informed choice by the data subject.91 It must be received before the data is transferred.92 In the employment context consent cannot legally be obtained because of the dependency relationship between employee and employer.93 Consent can be revoked at any time, resulting in the controller and its processor being required to give back the data held. One should highlight that most IT users do not read the privacy statements they consent to. A uniform signalling system (e.g. a special frame in a contract, a pop-up) would be a good solution, requiring the exporter to specifically highlight a third-country transfer to the customer.
[80]
    2. Transfer necessary for performance of the contract: The EU DPAs have interpreted the term «necessary» narrowly. This means that as long as the object of the contract can be performed via different means, it will not be considered necessary to transfer the personal data.94 The same approach has been applied in the UK to employee payment data.95 The proposal to transfer account data via the SWIFT system to a data centre in the US was also based on an argument of contractual necessity. The German DPA, however, expressed the view that such a transfer was not necessary, as the data could also be processed in the EU, ultimately prohibiting the transfer under Article 26(1).96
[81]
    3. Transfer due to legal necessity or on public interest grounds: The SWIFT case illustrated that even if a foreign law requires disclosure, the exporter must find a legal basis for the export under the EU DPD. Additionally, the public interest exception will only apply where the transfer is also in the interest of the EU, such as in regard to tax or customs.97 As expressed by the UK Information Commissioner, this is a very high standard to be met, which will only apply in exceptional circumstances.98

4. Trans-border data flow under the new EU Data Protection Regulation (DPR)

[82]

The new DPR proposal was presented in January 2012 in order to address shortcomings in the 1995 Data Protection Directive. In some areas, such as cooperation between national DPAs, the proposal clarified and improved the existing framework; however, other important issues such as the classification of a party as controller or processor have not been resolved. Furthermore, the proposal has also added some new interpretative challenges by introducing new terminology such as «in the context of an establishment».99

4.1. Jurisdiction of the new Regulation

[83]

The Regulation aims at protecting the personal data of natural persons being processed wholly or partly by automated means.100 It exempts EU institutions as well as natural persons who process personal data exclusively for personal reasons without gainful interest.101

4.1.1. Territorial scope

[84]

A processor or controller will fall within the territorial scope of the Regulation if it processes personal data in the context of an EU establishment.102 Therefore, a cloud provider that is a processor of personal data will be subject to the Regulation at the place of its main establishment. In light of the current interpretation of «in the context of», it seems that the Regulation would apply to a cloud provider’s worldwide processing operations once it has an establishment in the form of an administration in the EEA.103 This will deter non-EU cloud providers from setting up establishments in the form of offices or other administrative entities in the EU.104

[85]

Additionally, a controller outside the EU which processes personal data related to the provision of goods or services in the EU, or for the monitoring of the behaviour of EU residents, will now also be subject to the DPR. Invariably a non-EU cloud provider will in some form be targeting EU customers through the internet with its cloud services. It is therefore pivotal to determine whether the provider is acting as a controller or as a mere processor. Generally a private individual will not have a say in how a service is rendered. For example, Apple products require a transfer of personal data in order to be activated, leaving no choice as to whether to submit personal information if one wants to use the device. Hence in such scenarios the cloud provider will be a controller. In comparison, a processor outside the EU will only be governed by the Regulation if a member state’s law applies by virtue of public international law.105

[86]

The situation of cloud providers which do less than processors has so far not been resolved. These providers will be classed as processors under the Regulation and subject to even more burdens than under the DPD. This includes appointing a Data Protection Officer and conducting an Article 33 impact assessment106, which requires at least an evaluation of the risks and of the implemented technical security measures.107 Article 28 also prescribes extensive record-keeping requirements.108 Imposing such obligations and their costs on a cloud provider in a very competitive IaaS market seems to go beyond what is necessary to meet the legitimate objective of protecting personal data. A new category of entities with even fewer obligations than processors should be introduced for cloud providers which only supply the infrastructure but do not have any involvement in what is happening on their servers.

4.1.2. Extraterritorial application

[87]

The new approach to data protection jurisdiction, with its focus on «targeting» rather than on «means or equipment», seems to be a more practical solution. Nevertheless, the concept of «offering» brings some ambiguity in regard to its extent and requires further clarification. Terms such as «only occasionally» and «monitoring» also need to be further defined in order to ensure certainty for cloud providers and customers.109

[88]

Though changes have been made, a cloud provider using data centres in the European Economic Area (EEA) still cannot know whether it will be subject to EU data protection laws and, if so, which supervisory authority would be responsible for it. This uncertainty stems from the extension of the Regulation to processing in «the context of an establishment» of a processor in the EEA.

[89]

The cloud provider might not know that its service is used by customers from the EEA in cases in which the service is accessible worldwide and not specifically targeted at a particular geographic group. The question then is what comprises «offering goods or services» to EU residents. What knowledge is required? Importantly, the Regulation speaks of offering, not supplying. This might be seen as implicitly requiring a certain positive action by the provider to acquire customers from the EEA. Which party has the burden of proving the applicability of the Regulation? Must the cloud provider allegedly offering services to EU residents prove that it did not do so? Requiring a cloud provider to prove that it did not target EU residents seems to impose a presumption favouring the application of the Regulation, where no such wording can be found in it.110

[90]

The issue of the contradictory interpretation of «an establishment» under the DPD has also not been resolved by the Regulation. Again it would have been wise to specify this terminology as «having an establishment in» a country, so as to avoid the argument under the new Regulation that a «controller is ‹established in› the EEA, but is not processing personal data ‹in the context› of the activities of any of its EEA establishments».111 Once a processor processes personal data in the context of its establishment in the EU, its worldwide processing is subject to the Regulation.112 It is fully conceivable that the EU law makers want to extend the data protection laws internationally to cases in which personal data of EU residents are processed or otherwise utilised.113

4.2. Transfer of personal data outside EEA

[91]

The basic structure of the framework on trans-border data flow has remained the same as under the DPD. Only minor adjustments and clarifications have been implemented in the new proposed Regulation. The grounds on which a trans-border transfer of personal data can occur are the following:

4.2.1. Transfer with an adequacy decision

[92]

The definition of what was considered an «adequate» privacy framework remained unclear under the old Data Protection Directive, complicating a determinative and reliable assessment. Under the proposed Regulation the old Article 25 DPD has been expanded to include international organisations. Additionally, the considerations for an adequacy determination have been clearly defined in Article 41(2), thereby adding more certainty but also more restrictions to the process. The Commission is required to publish a list of adequate and also non-adequate countries and institutions.114

4.2.2. Transfer under the appropriate safeguards provision

[93]

As long as no determination as to adequacy has been made by the Commission, the controller or processor can satisfy the data protection requirements by adducing appropriate safeguards in a legally binding instrument.115 Such safeguards can take the form of BCR in accordance with the requirements of Article 43 of the Regulation116, standard clauses adopted by the Commission or by a supervisory authority (and declared valid by the Commission), or contractual clauses authorised by the supervisory authority (ad hoc). BCR and standard clauses will not require any further authorisation.117 If the parties develop their own contractual safeguards they must seek prior authorisation according to Article 34(1)118 from the supervisory authority.119 As a last resort, if the appropriate safeguards cannot be provided for in a legally binding instrument, the processor or controller can seek approval by the supervisory authority before carrying out a transfer.120

4.2.3. Binding corporate rules (BCR)

[94]

The supervisory authority approves binding corporate rules. These rules must include certain obligations, liabilities and rights as set out in Article 43(2).121 They address the main issues highlighted by the Article 29 Working Party, including the type of transfer, the use of personal data and information on where the data is to be processed. An EU party to a BCR will now be liable for breaches caused by any other member of the group that occur outside the EU.122 Additionally, a data protection officer must be designated who is responsible for monitoring compliance within the group of undertakings.123 The proposed requirements for BCR form the basis on which companies wanting to use the BCR framework can develop their own rules. They ensure a minimum standard and give certainty as to what is required for approval.

4.2.4. Alternatives to an adequacy decision or appropriate safeguards

[95]

The new Article 44 of the Regulation124 mirrors the Article 26 DPD provision while further clarifying the alternative grounds for a transfer of personal data to third countries. As before, informed consent by the data subject waives the necessity of acquiring approval. Furthermore, the exception for the performance of a contract in the interest of the data subject is clarified, as it now expressly extends not only to contracts with natural but also with legal persons.125 This may further open the door for controller-to-processor transfers. A transfer will also be exempt in cases where there are important grounds of public interest or the transfer is necessary in relation to a legal claim.126 Such a public interest must be recognised by EU law or by the law of the member state to which the controller is subject.127

[96]

An important new addition has been made by introducing an exception for the pursuit of a legitimate interest by the controller or processor. In order to use this exception the transfer must not be frequent or massive, and the controller or processor is required to conduct an assessment of all the surrounding circumstances and, if necessary, to adduce appropriate safeguards. In conducting such an assessment the party must consider the factors mentioned in paragraph 3 of Article 44.128 However, such a solution will likely only be used in exceptional situations, as it requires detailed documentation and notification to the supervisory authority.129 In addition, the exclusion of massive and frequent transfers seems to diminish its usefulness for a cloud provider. The question remains why such a restriction has been inserted, where the focus of the Regulation is on the protection of personal data. Quantity and frequency do not affect the aim of keeping personal data safe.

4.3. Liability of processors abroad

[97]

New requirements were introduced, including a contractual obligation of the processor to seek the controller's approval before using a sub-processor. As sub-processing is general practice, especially in multi-layered cloud services (i.e. SaaS running on IaaS in the EEA), imposing such a restriction will likely deprive the users of cloud computing technologies of some of their main advantages.130 Article 30131 imposes additional security obligations on processors. These requirements apply to cloud providers that are processors despite the fact that they may not know that the controlling customer is processing personal data, as they are only supplying the capabilities for various possible processing activities.

[98]

Furthermore, the processor is required to process the data as instructed by the controller and is subject to liability if these instructions are not followed.132 In practice, the processor will not actually determine how or what is processed, as the controller generally carries out the processing on the processor's systems without any active involvement of the processor going beyond the mere supply of resources.133 The definition of processor should be amended in this regard or a new definition created. It seems that the Regulation does not fully address the problems processors face in the cloud. Some situations, such as processing undertaken by the processor only for security purposes, are not addressed. It remains unclear whether a processor would become a controller because of such processing activities, despite the fact that such an interpretation could seriously impede data security, as a processor will thus refrain from taking such beneficial action.134 The proposed Regulation could have an adverse effect on the growth of cloud computing in the EEA as it imposes additional burdens on processors, thus reducing their potential profit margin.

[99]

The Regulation allows for compensation to be paid by the controller or processor who causes damage to a data subject through a breach of the Regulation.135 In addition, the supervisory authorities may impose administrative sanctions for non-compliance with the Regulation of up to 1 million Euro.136 These sanctions will act as a strong incentive for cloud providers either to comply with their obligations under the law or not to do business in or with the EU.

5. Remaining problems and the way forward

[100]

In many cases the authorities may not have sufficient resources or personnel to properly monitor compliance with trans-border data flow regulation. For example, one study found that eleven out of twenty-seven national data protection authorities in the EU member states were unable to carry out the entirety of their tasks because of a lack of financial and human resources.137 Users of a cloud service will increasingly have problems enforcing their rights where data is stored or processed in another country.138 In light of these developments the OECD is advocating closer co-operation between privacy law enforcement authorities.139

5.1. Effects of the Patriot Act

[101]

Increasingly large data collections are perceived as a threat to individual as well as national security. However, some big data collections are based on legal sources aiming at enhancing security to the benefit of all. The most prominent example is the US Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) of 2001.140 Once the Act was passed by US Congress, concerns as to its effects on the European data protection laws emerged.141

[102]

In essence the Act allows US authorities to overrule the Safe Harbor framework and access any data stored in the US once a terrorism allegation is raised. Ultimately it opens the door for «fishing expeditions», as US agencies can demand any information a US company has stored without any actual evidence of a crime. This applies to all data stored in any form. Critics suggest that these laws prevent the US data protection level from being considered «adequate» under the DPD standard.142 However, the Austrian Data Protection Commission, for example, has not yet followed this reasoning and allows such transfers to occur as they do not require approval under the Austrian data protection law.143

5.2. Transfers under a BCR framework to a non-complying third country

[103]

As seen with the Patriot Act above, similar questions arise where data is transferred to a third country under a BCR framework. Companies, despite adhering to a strict data protection standard, might have no choice but to surrender personal data to governmental authorities. Such a case is of special concern where, for instance, the personal data of a human rights activist could be accessed by a totalitarian regime in a country in which a processing server is situated. In light of such scenarios it would seem prudent to implement a universal standardized assessment of a country's data protection standard. Such an assessment would allow the setting up of a «black list» or even the development of an elaborate certification system. Ultimately a customer would then be able to self-assess what standard of protection a cloud provider achieves and whether to allow further subcontracting.

5.3. New technological approaches

[104]

Information, including personal data, is a crucial business asset which must be managed in a responsible way. Due to the growing complexity of this topic, companies including cloud providers have realized the need for their own strategic information management to ensure data security.144 It is being realized that «if data protection and management are to be effective, the obligations to protect and secure data must attach to the data itself and must be met wherever it's stored or processed».145 The ability to tag data is important in this context. It allows linking data to specific information such as its origin and use. Knowing this information allows the application of the home country's data protection law as well as a determination of where the data can legally be sent.146 Additionally, it enables a cloud provider to determine what law applies to a specific data item even when the home jurisdiction of the data subject changes over time.

[105]

A standardized system of data tagging would be advantageous to cloud providers. With it, an automated system could read the tagging and apply the required standard of protection by routing the data only to server locations fulfilling the required data protection standard. Furthermore, a cloud sub-processor (IaaS, PaaS, SaaS) could at any given time ascertain what data it is processing and thus what level of data protection it is required to fulfill.
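The tag-driven placement described in paragraphs [104] and [105] can be sketched as a small policy evaluator. The following is an added example written for this article, not code from the authors or from any cloud provider: each record carries a tag naming the home jurisdiction whose law attaches to it, whether it is personal (or special-category) data, and which transfer bases the controller accepts; each server region declares which bases (adequacy decision, BCR, contractual clauses) the provider has established for exports from a given origin, plus a «black list» flag of the kind paragraph [103] proposes. The region table, the tag vocabulary, the rule that special-category data may not rely on contractual clauses alone, and the sample tags are all constructed for illustration and are not statements about any real country's law.

```python
"""Tag-driven placement check for personal data in a multi-region cloud.

Added example illustrating paragraphs [104]-[105]: obligations travel with
the data as a tag, and the placement layer refuses any region whose
established transfer basis does not satisfy the tag. Region attributes,
tag vocabulary and the strictness rule below are CONSTRUCTED assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


class Basis(str, Enum):
    """Ground on which data may sit in a region (constructed vocabulary)."""
    UNRESTRICTED = "unrestricted"  # record holds no personal data
    HOME = "home"                  # region lies in the data's own jurisdiction
    ADEQUACY = "adequacy"          # destination recognised as adequate by the origin
    BCR = "bcr"                    # importing entity bound by the group's BCR
    CONTRACT = "contract"          # standard contractual clauses with the importer


@dataclass(frozen=True)
class Region:
    code: str
    jurisdiction: str
    # origin jurisdiction -> bases the provider has put in place for exports
    # from that origin into this region
    exports_from: Dict[str, FrozenSet[Basis]]
    blocklisted: bool = False      # failed the country assessment of paragraph [103]


@dataclass(frozen=True)
class Tag:
    origin: str                    # home jurisdiction whose law attaches to the data
    personal: bool
    sensitive: bool = False        # special-category data
    accepted_bases: FrozenSet[Basis] = frozenset(
        {Basis.HOME, Basis.ADEQUACY, Basis.BCR, Basis.CONTRACT})


# Constructed policy: special-category data may not rely on contract clauses alone.
STRICT_BASES = frozenset({Basis.HOME, Basis.ADEQUACY, Basis.BCR})
# Deterministic preference when several bases are available.
PREFERENCE = (Basis.ADEQUACY, Basis.BCR, Basis.CONTRACT)


def basis_for(tag: Tag, region: Region) -> Optional[Basis]:
    """Return the basis that justifies storing the tagged data in `region`, else None."""
    if region.blocklisted:
        return None
    if not tag.personal:
        return Basis.UNRESTRICTED
    if region.jurisdiction == tag.origin:
        return Basis.HOME
    available = region.exports_from.get(tag.origin, frozenset()) & tag.accepted_bases
    if tag.sensitive:
        available &= STRICT_BASES
    for candidate in PREFERENCE:
        if candidate in available:
            return candidate
    return None


def permitted_regions(tag: Tag, regions: Sequence[Region]) -> List[str]:
    """All region codes into which the tagged record may be routed."""
    return [r.code for r in regions if basis_for(tag, r) is not None]


def route(tag: Tag, regions: Sequence[Region],
          preference: Sequence[str]) -> Optional[Tuple[str, Basis]]:
    """Pick the first preferred region the tag permits.

    None means the write must be refused; the caller must not fall back to
    an arbitrary region, which is the failure mode tagging is meant to stop.
    """
    by_code = {r.code: r for r in regions}
    for code in preference:
        basis = basis_for(tag, by_code[code])
        if basis is not None:
            return code, basis
    return None


def required_standard(tag: Tag) -> str:
    """What a sub-processor reading only the tag must apply (paragraph [105])."""
    if not tag.personal:
        return "none"
    return f"{tag.origin}-law" + ("/special-category" if tag.sensitive else "")


# Constructed region table; codes and jurisdictions are placeholders.
REGIONS = [
    Region("eu-central", "EEA", {}),
    Region("ch-zurich", "CH", {"EEA": frozenset({Basis.ADEQUACY})}),
    Region("us-east", "US", {"EEA": frozenset({Basis.CONTRACT})}),
    Region("xx-south", "XX", {"EEA": frozenset({Basis.CONTRACT})}, blocklisted=True),
]

if __name__ == "__main__":
    ordinary = Tag("EEA", personal=True)
    special = Tag("EEA", personal=True, sensitive=True)
    print(permitted_regions(ordinary, REGIONS))   # eu-central, ch-zurich, us-east
    print(permitted_regions(special, REGIONS))    # eu-central, ch-zurich
    print(route(special, REGIONS, ["us-east", "ch-zurich", "eu-central"]))
    print(route(Tag("US", True), REGIONS, ["eu-central", "ch-zurich"]))  # None
```

The deliberate design point is that `route` returns `None` rather than a default region when no preferred location satisfies the tag: a placement layer that silently falls back to «wherever there is capacity» is exactly the behaviour that makes the home jurisdiction's law unenforceable. The same `Tag` is what a downstream IaaS or PaaS sub-processor would read through `required_standard` to learn which protection level it has inherited.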

[106]

Some countries, such as Australia, follow such an approach, which can be enforced technically through tagging. The Australian legislator passed a Bill in December 2012 which will put increased pressure on entities transferring personal data to another country. An Australian party sending the data abroad will need to take reasonable steps to ascertain the security level maintained overseas and take appropriate precautions in order to ensure the data's protection. Importantly, the exporter will be liable for any breach, even one committed by a third party abroad.147 This might in some instances even be the case where reasonable steps have been taken to ensure data protection. It therefore seems that the Australian approach has moved away from a location-based to a more security-based solution.

[107]

Such a conclusion can be drawn from the use of the wording «disclosure» as opposed to «transfer», as well as from the statements made by the Privacy Commissioner, who expressed that a breach will not have occurred in a transmission in which no third party has gained access. Furthermore, this interpretation seems to be in line with the ultimate aim of the legislation, namely the protection against unauthorized use of personal information. It is to be hoped that the industry takes this new law as an incentive to develop safe transfer and processing methods which will ultimately solve the issues surrounding trans-border transfers. In the context of cloud computing this would allow a cloud provider to self-assess what type of service it is offering and how to ensure the safety of the data appropriate to its business.148 To what extent foreign governments can still gain access to data remains to be seen.

Prof. Rolf H. Weber is Chair Professor for International Business Law at the University of Zurich, Switzerland, Visiting Professor at the University of Hong Kong, Hong Kong and attorney-at-law (Zurich). The author is engaged as co-investigator in the research project «In Search of a Technological Framework for the Protection of Personal Data», supported by the General Research Grant of the University of Hong Kong. Address: University of Zurich, Rämistrasse 74/38, 8001 Zürich, Switzerland. E-mail: rolf.weber@rwi.uzh.ch.

Dominic N. Staiger is Assistant to Prof. Weber at the University of Zurich. The author has written his Master thesis on the effects of EU data protection laws on cloud computing. E-mail: dominic.staiger@rwi.uzh.ch.

  1. Kuner Christopher, «Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present, and Future», Tilburg University Legal Studies Working Paper No. 016/2010, ‹http://ssrn.com/abstract=1689483›.
  2. For a detailed discussion see: Kuner Christopher, «European Data Protection Law», (2007) Oxford University Press, 4.31.
  3. Luis Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, «A Break in the Clouds: Towards a Cloud Definition» (2009), ACM SIGCOMM Computer Communication Review, 54.
  4. Renzo Marchini, «Cloud Computing: A practical Introduction to the legal issues» (2010), British Standards Institution, 4.
  5. The Cloud Legal Project (CLP) team is comprised of: Prof. Christopher Millard, Prof. Chris Reed, Prof. Ian Walden, Dr. Julia Hörnle, Dr. Alan Cunningham, W Kuan Hon and Simon Bradshaw.
  6. Christopher Millard, Ian Walden, W Kuan Hon and Alan Cunningham, «Response to the UK Ministry of Justice's Call for Evidence on the European Commission's Data Protection Proposals» (5 March 2012), Queen Mary, University of London, 1, available at: ‹http://www.cloudlegal.ccls.qmul.ac.uk/docs/65220.pdf›.
  7. European Parliament, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of such Data, 1995, Article 1(2), available at: ‹http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF›.
  8. Alexander Benlian, Thomas Hess, Peter Buxmann, «Software as a Service, Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen» (2010), Gabler Verlag, 61.
  9. Benlian et al., supra note 8, 61.
  10. Serge Gutwirth, Yves Poullet, Paul de Hert, Ronald Leenes, «Computers, Privacy and Data Protection: an Element of Choice» (2011), Springer, 383.
  11. Paul Schwartz, «Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment» (2009), 4, available at: ‹http://theprivacyprojects.org/wp-content/uploads/2009/08/The-Privacy-Projects-Paul-Schwartz-Global-Data-Flows-20093.pdf›.
  12. Fabian Schuster, Wolfgang Reichl, «Cloud Computing & SaaS: Was sind die wirklich neuen Fragen?», CR 1/2010, 41.
  13. For a detailed discussion of the respective problems see Rolf H. Weber, «Regulatory Autonomy and Privacy Standards under the GATS», 7 AJWH 26 (2012).
  14. European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11/4 draft, 2012, Article 79(6), available at: ‹http://ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_en.pdf›.
  15. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) ACT OF 2001, available at: ‹http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf›.
  16. Rolf H. Weber, «Transborder data transfers: concepts, regulatory approaches and new legislative initiatives», International Data Privacy Law, 2013, 1–14.
  17. Case C-101/01, Göta hovrätt v. Bodil Lindqvist, 2003 E.C.R. I-12971.
  18. Weber, supra note 16.
  19. OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, para. 17, available at: ‹http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborder flowsofpersonaldata.htm›.
  20. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Article 12(2).
  21. Supra note 19, Article 13(3)(a).
  22. Supra note 19, Article 2(1) of the Additional Protocol.
  23. Directive 95/46/EC, supra note 7, Article 25.
  24. APEC Electronic Commerce Steering Committee, APEC Privacy Framework, 2005, available at: ‹http://publications.apec.org/publication-detail.php?pub_id=390›.
  25. Privacy (Cross-border Information) Amendment Bill 221-2 (2008), Part 11A, available at: ‹http://www.legislation.govt.nz/bill/government/2008/0221/latest/DLM1362819.html›.
  26. Weber, supra note 16, 5.
  27. Non-exhaustive list.
  28. Commission Decision (EC) 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive (EC) 95/46/EC of the European Parliament and of the Council, [2010] OJ L39/5, Clause 11; Commission Decision (EC) 2004/915 of 27 December 2004 amending Decision (EC) 2001/497 as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, [2004] OJ L385/74, Clause 2.
  29. Kuner, supra note 1, 30.
  30. Kuner, supra note 2, 4.51.
  31. Commission Decision (EC) 2000/518/EC.
  32. Article 29 Working Party, «First orientations on Transfer of Personal Data to Third Countries – Possible Ways Forward in Assessing Adequacy» (WP4, 26 June 1997), 6.
  33. Directive 95/46/EC, supra note 7.
  34. Spanish Data Protection Act 1999, Article 6.
  35. Datenschutzgesetz 2000 (Austrian Federal Act concerning the Protection of Personal Data), Section 17 (§ 17, 6 DSG 2000).
  36. Kuner, supra note 2, 4.21.
  37. Directive 95/46/EC, supra note 7.
  38. Directive 95/46/EC, supra note 7, Article 26(2).
  39. Directive 95/46/EC, supra note 7, Article 26(4).
  40. Kuner, supra note 2, 4.68.
  41. Directive 95/46/EC, supra note 7, Article 26(2).
  42. Kuner, supra note 2, 4.100.
  43. Kuner, supra note 2, 4.101.
  44. Kuner, supra note 2, 4.83.
  45. Kuner, supra note 2, 4.76.
  46. Kuner, supra note 2, 4.76.
  47. Marchini, supra note 4, 75.
  48. European Commission, Commission Staff Working Document on the implementation of the Commission decisions on standard contractual clauses for the transfer of personal data to third countries (2001/497/EC and 2002/16/EC), SEC(2006) 95 (20 January 2006), 9.
  49. In Spain.
  50. Kuner, supra note 2, 4.56.
  51. Kuner, supra note 2, 4.56.
  52. This guidance comprises two separate documents: a legal analysis of the eighth principle, «The Eighth Data Protection Principle and international data transfers» (the «UK Legal Analysis»), and also a more business-orientated paper containing general compliance advice for companies transferring personal data overseas (the «UK General Compliance Advice»).
  53. Marchini, supra note 4, 79.
  54. Gutwirth, Poullet, de Hert, Leenes, supra note 10, 365.
  55. See, e.g., Commission Decision (EC) 2004/915 of 27 December 2004 amending Decision (EC) 2001/497 as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, [2004] OJ L385/74, Clauses II(i) and III; Safe Harbor Onward Transfer Principle, available at: ‹http://www.export.gov/safeharbor/eu/eg_main_018475.asp›.
  56. Marchini, supra note 4, 71.
  57. Gutwirth, Poullet, de Hert, Leenes, supra note 10, 366.
  58. Kuner, supra note 2, 4.61.
  59. Kuner, supra note 2, 4.61.
  60. Marchini, supra note 4, 72.
  61. Article 29 Working Party, «Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers» (WP 74, 3 June 2003), 6, available at: ‹https://www.agpd.es/portalwebAGPD/canalresponsable/transferencias_internacionales/ common/wp74_en.pdf›.
  62. Kuner, supra note 2, 4.121.
  63. Joanna Kulesza, «Walled Gardens of Privacy or «Binding Corporate Rules?» A Critical Look at International Protection of Online Privacy», 34 U. Ark. Little Rock L. Rev. 747, 758 (2012).
  64. Article 29 Working Party, «Model Checklist: Application for approval of Binding Corporate Rules» (WP 102, 25 November 2004), available at: ‹http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp102_en.pdf›.
  65. Directive 95/46/EC, supra note 7.
  66. Kuner, supra note 2, 4.126.
  67. Article 29 Working Party, «Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From «Binding Corporate Rules»» (WP 107, April 2005), available at: ‹http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp107_en.pdf›.
  68. Article 29 Working Party, supra note 60, 7.
  69. Kuner, supra note 2, 4.127.
  70. Article 29 Working Party, supra note 60, 4.
  71. Kuner, supra note 2, 4.131.
  72. See France, Article 69(8) of the French Data Protection Act (Loi 78-17), or Paragraph 4c(2) of the German Federal Data Protection Act.
  73. Claire Gayrel, Jacques Gérard, Jean-Philippe Moniy, Yves Poullet, Jean-Marc Van Gyseghem, «Cloud computing and its implications on data protection», Paper for the Council of Europe's Project on Cloud Computing, Centre de Recherche Informatique et Droit (Namur, March 2010), available at: ‹http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presetations/2079_reps_IF10_yvespoullet1b.pdf›.
  74. Simon Bradshaw, Christopher Millard, Ian Walden, «Contracts for clouds: A comparative analysis of terms and conditions for cloud computing services» (2010), Queen Mary School of Law Legal Studies Research Paper No. 63/201, London, available at: ‹http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374›.
  75. Rosa Barcelo, «EU: Revision of the ePrivacy directive», Computer Law Review International, 5.156.
  76. Kuner, supra note 2, 4.93.
  77. Kuner, supra note 2, 4.93.
  78. Kuner, supra note 2, 4.93.
  79. Kuner, supra note 2, 4.41.
  80. Spiros Simitis, «Der Transfer von Daten in Drittländer – ein Streit ohne Ende?», (2000) Computer und Recht, 472, 479.
  81. The model clauses for EU controllers to export personal data for processing by non-EU entities, in European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU), OJ L 39/5, 12.2.2010. Clause 11 restricts sub-contracting by the «data importer» without the data exporter's prior written consent.
  82. Kuner, supra note 2, 4.41.
  83. Marchini, supra note 4, 76.
  84. 2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
  85. Marchini, supra note 4, 77.
  86. Marchini, supra note 4, 76.
  87. Controller to processor clause 5(h), available at: ‹http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF›.
  88. Controller to processor, supra note 87, clause 5(j).
  89. Directive 95/46/EC, supra note 7.
  90. Article 29 Working Party, «Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1994» (WP 114, 25 November 1995), 6, available at: ‹http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp114_en.pdf›.
  91. Article 29 Working Party, supra note 90, 11–12.
  92. Wolfgang Däuber, «Die Übermittlung von Arbeitnehmerdaten ins Ausland», (1999) Computer und Recht, 51.
  93. Article 29 Working Party, «Opinion 8/2001 on the processing of personal data in the employment context», (WP 48, 13 September 2001), 3.
  94. Dutch DPA, «Policy paper on transfers of personal data to third countries in the framework of the new Dutch Data Protection Act (WBP)» (February 2003), 19, available at: ‹http://www.dutchdpa.nl/downloads_int/nota_derde_landen_en.pdf›.
  95. UK Information Commissioner, «The Eight Data Protection Principle and international data transfers» (30 May 2006), 4.3, available at: ‹http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ international_transfers_legal_guidance_v2.0_300606.pdf›.
  96. «Stellungnahme des ULD vom 23.08.2006, Auslandsüberweisung Schleswig-holsteinischer Banken unter Einschaltung von SWIFT», 9, available at: ‹https://www.datenschutzzentrum.de/internationaler-datenverkehr/swift/060825_swift.pdf›.
  97. Article 29 Working Party, supra note 90, 15.
  98. UK Information Commissioner, supra note 95, 4.4.1.
  99. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 3(1).
  100. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 1, 2(1).
  101. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 2(b) & (d).
  102. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 3(1).
  103. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 3 & 4(13).
  104. W Kuan Hon, Julia Hörnle, Christopher Millard, «Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3» (2011), Queen Mary School of Law Legal Studies Research Paper No. 84/2011, 18, available at: ‹http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1924240›, 34.
  105. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 3.
  106. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  107. Rolf H. Weber, «Can Data Protection be Improved through Privacy Impact Assessments?», Jusletter IT 12 September 2012, Rz 13, available at: ‹http://jusletter-eu.weblaw.ch/magnoliaPublic/issues/2012/12-09-2012/2052.html›.
  108. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  109. Millard, Walden, Hon, Cunningham (note 6), 6.
  110. Hon, Hörnle, Millard, supra note 104, 37.
  111. Hon, Hörnle, Millard, supra note 104, 38.
  112. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 3(1).
  113. Viviane Reding, «Your data, your rights: Safeguarding your privacy in a connected world» (Privacy Platform «The Review of the EU Data Protection Framework», Brussels, 16 March 2011), SPEECH/11/183, available at: ‹http://europa.eu/rapid/press-release_SPEECH-11-183_en.htm›.
  114. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 41(7).
  115. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 42(1).
  116. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  117. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 42(3).
  118. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  119. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 42(4).
  120. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 42(5).
  121. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  122. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 43(2)(f).
  123. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 43(2)(h).
  124. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  125. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 44(1)(c).
  126. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 44(2)(d) & (e).
  127. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 44(5).
  128. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  129. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 44(6).
  130. Millard, Walden, Hon, Cunningham (note 6), 6.
  131. General Data Protection Regulation COM(2012) 11/4 draft (note 14).
  132. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 26(4).
  133. Hon, Hörnle, Millard, supra note 104, 35.
  134. Hon, Hörnle, Millard, supra note 104, 35.
  135. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 77.
  136. General Data Protection Regulation COM(2012) 11/4 draft (note 14), Article 79.
  137. European Union Agency for Fundamental Rights, «Data Protection in the European Union: the Role of National Data Protection Authorities» (2010), 42, available at: ‹http://fra.europa.eu/fraWebsite/attachments/Dataprotection_en.pdf›.
  138. OECD, «Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy» (2007), available at: ‹http://www.oecd.org/dataoecd/43/28/38770483.pdf›.
  139. OECD, supra note 138.
  140. US Patriot Act, supra note 15.
  141. Philipp Becker, Julia Nikolaeva, «Das Dilemma der Cloud-Anbieter zwischen US Patriot Act und BDSG», CR 3/2012, 170.
  142. Axel Spies, «USA: Cloud Computing – Schwarze Löcher im Datenschutzrecht», MMR 2009, XI (XII).
  143. DSK 18.09.2009, K178.342/0005-DSK/2009.
  144. Paula J. Bruening, Lisa J. Sotto, Martin E. Abrams, Fred H. Cate, «Strategic Information Management», Privacy & Security Law, Bureau of Nat'l Affairs, vol. 7, no. 36, 2008.
  145. Paula J. Bruening, Krasnow K. Waterman, «Data Tagging for New Information Governance Models», IEEE Security & Privacy Magazine 8.5 (2010), 64–68.
  146. Bruening, Waterman, supra note 145, 65.
  147. Australian Privacy Principles, Principle Nr. 9, available at: ‹http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp9›.
  148. Joe Ludwig, «Australian Privacy Principles Companion Guide», June 2010, 12–13.