Archive for September, 2011

In defence of the cloud

Posted on September 30th, 2011 by

What should we make of recent reports about the banning by the Dutch government of non EU-based cloud services and the launch by leading providers of EU-only clouds?  Is this fierce European protectionism or sensible data protection?  If anything, these developments show a trend towards restricting cloud computing services geographically, so that the fuzzy Internet cloud becomes a series of neatly divided gas bubbles.  However, instead of a technological uproar against such an aberration, there seems to be a quiet acceptance based on legal constraints and half-baked security arguments.  Is data protection being cited once again as the justification for stifling technological progress?  That would not be surprising, but it is somewhat unfair and clearly unnecessary.

A Dutch government minister has been quoted saying that US cloud service providers will be excluded from public sector contracts due to fears that the USA Patriot Act may be used to obtain data unlawfully.  So to avoid a potential conflict between the data demands of one country and the data protection obligations of another, a drastic decision appears to have been made.  What this decision seems to forget is that European data protection law already has in place the necessary mechanisms to allow justifiable disclosures of data across jurisdictions and to mitigate the risk of data misuse by the recipient.  It is actually not true that complying with a legal obligation to hand over data in a non-EU jurisdiction will automatically amount to a breach of data protection law.

A commonly stated barrier to engaging cloud service providers is precisely those providers’ unwillingness to engage.  A mighty cloud vendor may be a little more willing to sit at the negotiation table with a government department or a large corporation, but most other would-be clients will have no other option than agreeing to a set of standard terms and conditions.  Will such terms provide sufficient safeguards to allow a European customer to comply with its own legal requirements?  Frankly, a well drafted set of terms is quite likely to indicate the boundaries of the service and the level of security being adopted, which by and large will do the trick for European data controllers.

Beyond the contractual terms, the actual level of security in place is a critical aspect of data protection but, as it happens, it is invariably the most critical aspect for the service provider as well.  This point was very simply addressed in an article by Vivek Kundra, President Obama’s former CIO and currently a Harvard academic, published in the New York Times.  Kundra writes that cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber-security personnel of a higher quality than many governmental agencies.  To put it differently, as with airlines and safety, all cloud vendors know that solid data security is their top business priority.

A tricky issue for European cloud users is of course the legal restriction on overseas transfers of personal data.  The cumbersome administrative requirements that need to be sorted out in order to legitimise those transfers are not particularly helpful.  Matters are made worse by the straitjacket nature of the European Commission’s model clauses for data transfers.  So a cloud computing vendor will not agree to the standard contractual clauses?  Who can blame them!  This is an issue that badly needs addressing.  High hopes rest on the forthcoming EU data protection legal framework but as that could easily take half a decade to materialise, we might as well try to find a solution today.  Undoubtedly, smart cloud providers are very likely to take the lead and push for a Safe Processor Rules-type solution aimed not only at overcoming the transfer restrictions but at creating a balanced model of rights and obligations.

As Vivek Kundra puts it, the current economic crisis will only accelerate the move toward cloud services.  European data protection law should not be a barrier but a catalyst for the development of the cloud.  Conflicts of law need a common sense approach where legally required disclosures of cloud data are still proportionate and subject to privacy safeguards.  All other data protection issues can have a very positive effect on the cloud and vice versa.  If European data privacy is about balancing the free flow of information with the control by individuals of their personal information, cloud services can definitely support that balance and facilitate legal compliance whilst maximising the benefits of the information economy.

This article was first published in Data Protection Law & Policy in September 2011

Making Open Data Real

Posted on September 12th, 2011 by

From the start, the Coalition Government has indicated that transparency is top of their programme. The emphasis on transparency has been underlined with the publication in August of the Cabinet Office consultation – ‘Making Open Data Real’. The proposals are hailed as setting out the most ambitious Open Data agenda of any government in the world. As such the presumption is that data about public services will be Open Data. Open Data must be able to be freely used, re-used and redistributed by anyone.

The proposals outline how the government will move to a position where most data held by public bodies and about public services will be available for re-use under the Open Government Licence, apart from in specific circumstances e.g. personal data. An Open Data agenda should, the consultation sets out, provide opportunities for accountability, choice, productivity, quality and outcomes, social growth and economic growth.

Certain significant proposals stand out (with our comments afterwards in italics):

* Introducing a new requirement that all public bodies and providers of public services proactively publish data about the services they deliver. Currently there is an obligation to progressively make environmental information accessible to the public under the Environmental Information Regulations 2004 but not otherwise

* Amending the current fees regulations under the Freedom of Information Act 2000 to facilitate the release of more data. Currently the limits for determining whether information (that is subject to a FOIA request) is held and then locating, retrieving and extracting it are 24 hours for central government and 18 hours for all other public authorities

* Ensuring through procurement rules that data collected by public service providers is stored in ICT systems that minimise the cost and difficulty of publishing data online. This would impact ICT system designers and all those providing ICT outsourcing services to government. Effectively, ICT procurements of the future would require system specifications that take account of Open Data standards

Another potential consequence of the Open Data agenda impacts those organisations working in collaboration with government to assist with public service projects. If such organisations use the data collected in relation to public services for their own purposes it is possible, under the Open Data agenda, that such data will become more publicly available regardless of the implications for the organisation’s business model. The consultation is specifically consulting on the range of organisations that the Open Data policy proposals apply to and whether certain thresholds should be set to determine the range of public services in scope.

The consultation closes on 27 October 2011 and broadly speaking invites views on:

* Enhancing a ‘right to data’, establishing stronger rights for individuals, businesses and other actors to obtain data from public bodies and about public services

* Transparency standards to enforce this right to data

* How public bodies and providers of public services might be held to account for delivering Open Data

* How government can ensure collection and publication of the most useful data

* How government can make the internal workings of government and the public sector more open

* How far is there a role for government to stimulate enterprise and market making in the use of Open Data

Hungary: One step forward, three steps back

Posted on September 2nd, 2011 by

Since there’s currently a lot of discussion at key levels within the EU about the future of data protection, you could be forgiven for assuming that any current amendments to the data protection laws of member states will embrace some of the main progressive themes up for debate. And, to a certain extent, the new Hungarian Data Protection Act 2011 has lived up to this expectation. The new law brings in a stronger Data Protection Authority with powers (currently lacking) to impose fines and conduct audits of data controllers. Additionally, the new Act plugs a gaping hole in the current Act by including the legitimate interest ground as an additional legal basis.

However, all is not entirely what it seems. For one thing, initial indications are that the drafting around the legitimate interest condition actually requires a higher test than set out in the Directive. The data controller must be able to demonstrate that obtaining consent from individuals is impossible or disproportionally expensive before he can rely on the legitimate interest condition.

Additionally, legislators have not used this opportunity to remove the existing prohibition in the Act against the sub-processing of processing operations by data processors, a prohibition which clearly makes no sense in view of the blessing that sub-processing by data processors has received from the EU Commission in its Decision 2010/87/EU on standard contractual clauses.

But perhaps of most concern is the omission of binding corporate rules and ad hoc contractual clauses for international data transfers as legitimate grounds under the new Act. It seems peculiarly short sighted of Hungarian legislators to omit these grounds and thus impliedly force data controllers to fall back on explicit consent, an adequacy decision by the EU or standard contractual clauses in order to legitimise international data transfers. It is also completely out of step with the discussions elsewhere in the EU about reforming the data protection framework around international transfers.

Finally, the other significant backward step concerns the new bureaucracy around the data protection register. Certain entities – financial institutions, public utility companies and telecom service providers – will be required to obtain prior authorisation from the Data Protection Authority (by 30 June 2012) in order to process personal data. Moreover, a fee is now charged for registrations and registrations must include a description of data processing applications. These further rules will require data controllers to review and amend existing filings by 8 January 2012.

An overview of the main points from the new Act is set out below:

* New Data Protection Authority to be responsible for enforcement of data protection and freedom of information laws in Hungary and to be granted new powers to fine and conduct audits.

* New legal bases for processing data through the introduction of (i) the legitimate interest ground and (ii) where compliance with a legal obligation is necessary.

* The prohibition on sub-processing activity by processors remains.

* New rules on data security requirements are set out including the need to control and record data transfers as well as implement disaster recovery planning.

* Binding Corporate Rules and ad hoc contractual clauses are omitted from the grounds available to make international data transfers.

* New filing rules which require (i) authorisation from the Data Protection Authority in some instances for data controllers registering on the data protection register, (ii) the payment of fees and (iii) more detailed registrations.

Happy rentrée

Posted on September 1st, 2011 by

With the summer holiday season coming to an end, it is time for the annual rentrée – back to school, back to work and back to our never ending roster of tricky yet stimulating privacy-related challenges.

And what an exciting rentrée this one is for the privacy and data protection world.  For those who have just finished putting away their swimming costumes and beach towels, here is a very quick update on what is happening right now:

* The European Commission is giving the final touches to the legislative reform proposals that will eventually replace the 1995 data protection directive.  Expect big changes on applicable law, mechanisms to put people in control of their data, an emphasis on transparency, a fully blown ‘accountability package’ and innovations on adequacy for international data transfers.

* France has now implemented the cookie consent rule, which seems to allow implied consent via browser settings.  For an at-a-glance look at where other EU jurisdictions are on this process and their likely stance across Europe, have a look at our cookie consent tracking table.  Also, stay tuned to the IAPP website for a forthcoming webinar on this issue.

* In the meantime, the Article 29 Working Party has given its verdict on the proposed self-regulatory framework for online behavioural advertising and said that the framework does not meet the consent requirements.  However, there should still be room for a fully compliant approach that does not necessarily involve bombarding Internet users with pop up windows and tick boxes.

* The Article 29 Working Party is also working on streamlining further the BCR approval process in anticipation of the likely explicit recognition in the forthcoming data protection legal framework.  For a full update on what is going on, make sure you attend the BCR Masterclass on 27 September.

* The DPA for the German state of Schleswig-Holstein has ordered website owners in that state to remove social plug-ins such as the ‘like’ button from their sites by the end of this month or they will face enforcement action.  Such a draconian action seems completely out of sync with what is happening in the real world and the growing uptake by businesses and organisations of social and professional networking tools.  What can possibly happen next?

Lots to come to terms with in the coming weeks…  Plus looking forward to catching up in person with those attending the IAPP Academy in Dallas.