Archive for July, 2012

A balanced approach to the cloud

Posted on July 27th, 2012 by

Cloud computing is not a fashion or a swanky new name given to technology outsourcing.  Cloud computing is not a marketing plot to sell more Internet connections and fibre optics.  Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets.  Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place.  However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.

The development of cloud computing is commonly associated with the evolution of the Internet giants.  It is kind of obvious that the Internet pioneers with massive servers and an even greater vision would be the ones to spot the opportunities presented by the cloud.  The rest is now history and today, the leading cloud service providers are technology powerhouses that dictate the way businesses, governments and consumers can make the most of the information economy.  This position of power is very visible and often criticised for being incapable of accommodating requests for specific levels of data protection.

Rightly or wrongly, the cloud providers’ stance is seen by the EU data protection authorities as obstinate and the recent Article 29 Working Party Opinion on cloud computing makes that very clear.  So whilst coyly acknowledging the potential benefits of cloud computing, the Working Party firmly focuses on the risks that it presents for data protection and sets out a detailed ‘wish list’ of how to overcome them.  However, as if trying to compensate for the perceived inflexibility of the cloud providers, the Opinion of the authorities has set the bar for compliance with data protection in the context of cloud computing considerably above today’s standards.  The risk with that approach is that both customers and providers of cloud computing services may regard it as so unrealistic that rather than attempting to get close to it, they may decide to simply ignore it.

The EU data protection regulators should certainly be praised for being brave in setting their expectations.  But unfortunately some of those expectations are not only over and above the actual legal requirements, but they are also unachievable in a commercial world.  Once the potential customer of cloud services gets past the risk analysis stage – which is correctly identified by the Working Party as a crucial first step – the key element of the commercial relationship is the contract between customer and provider.  So not surprisingly, the regulators have focused their efforts on emphasising that the imbalance in the contractual power of a small controller with respect to a large service provider should not be considered as a justification for the controller to accept contractual terms which are not in compliance with data protection law.

The challenge is that if the standards for compliance involve things like getting the names of all subcontractors commissioned by the provider, being told about the locations of all data centres, getting the provider to help the customer comply with its obligations and inform that customer of changes to the cloud, plus adding an array of technical measures ranging from isolation to portability of data, compliance is simply never going to happen.  We cannot afford that to be the case when so much of the world’s information is already residing in the cloud.  Clearly, the right balance needs to be achieved by making sure that cloud customers can choose wisely and spot responsible providers, whilst those providers are encouraged to adopt the right practices.

Ultimately, it is not about who is in the strongest position to negotiate a contract, but about taking privacy and data security responsibilities truly seriously.  Aiming for a realistic level of compliance does not mean letting cloud providers off the hook.  The regulators’ frustration is more than justified when uncompromising providers try to hide behind an empty Safe Harbor registration.  Data protection is not an unachievable aim but an essential ingredient of cloud computing.  As in all immature markets, it is still too early to distinguish fully between the good and the bad players, but that is not to say that a balanced and realistic approach to the cloud will not result in an optimal level of data protection.

This article was first published in Data Protection Law & Policy in July 2012.

Binding Safe Processor Rules are Go

Posted on July 7th, 2012 by

It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards from which its clients could benefit to legitimise any international processing of personal data seemed ill conceived. Regulators and data protection lawyers were sceptical about the prospect of a service provider taking such a primary compliance role. However, the idea was not ill conceived and fortunately for the future of data protection, that scepticism has turned into pragmatism as the Article 29 Working Party has proved.

For those involved in international data protection, the publication by the Article 29 Working Party of a document with the elements to be found in a set of BCR for processors or Binding Safe Processor Rules (BSPR) will not have come as a complete surprise. For starters, it is patently obvious that many of those who play the role of data processors make key operational decisions about the way in which personal data is handled at a global scale. That justifies from both a public policy and a practical compliance point of view giving those processors a bigger part in relation to compliance with data protection obligations. It is precisely for that reason that the European Commission envisaged the possibility of BSPR in the draft Data Protection Regulation currently being debated in Brussels. So it was only a matter of time before the EU data protection authorities got their act together to rally behind a concept that is set to revolutionise international data protection.

The document issued by the Working Party had been in the making for quite some time and a fair amount of thinking has gone into the process of replicating the complex BCR requirements in a data processor context. The regulators knew that for BSPR to work, the requirements had to be realistic in terms of compliance responsibilities and, above all, suited to those who do not normally have a direct relationship with the individuals whose data they process. Part of the early criticism about BSPR was due to the fact that, in traditional terms, data controllers should always be responsible for complying with the law and for ensuring that the information for which they are primarily accountable is adequately protected. Therefore, the process of crafting a viable set of criteria for BSPR has involved detailed legal work and considerable imagination.

The result is a near perfect balance between what is possible and what is desirable. A key point of reference to determine whether a framework such as BSPR is ever going to fly is the potential liability of the safe processor. Aim for a zero liability approach and no controller in the land will trust you with their data. Impose an unqualified direct level of responsibility and only the bravest (or foolish) service providers will swallow it. The Working Party has gone for a tried and tested level of liability, the same one that appears in the model clauses for international data transfers approved by the European Commission. The effect is that processors will be no worse off under BSPR than under the model clauses.

An equally important measure to determine the viability of BSPR is the scope of the substantive data protection safeguards that apply to safe processors. BSPR was never going to be just about ensuring an appropriate level of security. BSPR, like BCR, are about adopting a holistic approach to responsible personal data processing and the regulators’ expectations reflect that. But the good news is that, unlike in the case of Safe Harbor, each of the privacy principles at the core of BSPR has been thought out with the processor role in mind. So safe processors will be expected to do things like cooperating with controllers, complying with their instructions and helping them honour individuals’ rights. Clearly, achieving practical data protection is very much the aim.

As the first applications for BSPR status start rolling, we will see how the data protection authorities live up to their own criteria. The work is by no means over but what four years ago was a dream, tomorrow will be the way to go for responsible global data services providers.

This article was first published in Data Protection Law & Policy in June 2012.

A belt and braces approach to the Cloud

Posted on July 4th, 2012 by

The EU’s Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of ‘Cloud Computing’ – a term which provokes debate in data privacy circles not only about what it is (it’s essentially the use of technologies which focus on efficient internet-based delivery of IT applications, processing services and storage capacity) but also about the risks of such technology. The truth is, cloud services are here to stay, delivering efficiencies to a huge number of public authorities and global organisations – witness the City of Los Angeles, which signed a deal with Google for the use of its cloud services to deliver more efficient public services and store data; or more recently Apple’s ‘iCloud’ service which allows its army of users to purchase, store and access media content and personal documents across their Apple devices.

Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is very keen to express the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by ‘cloud clients’ as they surrender their personal data to the ‘cloud providers’ and with it their control over the technical and organisational measures that ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally treats ‘cloud clients’ as data controllers, on the basis that they determine the purpose of the processing and the decision to outsource it, and ‘cloud providers’ as data processors, on the basis that they provide the cloud services on the instructions of their clients.)

The Opinion also highlights a lack of ‘transparency’ as another risk, whereby insufficient information on a cloud provider’s operations poses a risk to clients and data subjects, on the basis that they may not be aware of potential threats to their data and therefore cannot take appropriate actions. Therefore, the Working Party highlights the need for such ‘cloud clients’ to carry out adequate risk assessments of potential cloud providers before implementation of any project.

The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients ‘may not have room for manoeuvre’ with regard to contractual terms when negotiating with cloud providers – particularly many of the larger providers who offer ‘standardised’ services. Nevertheless the Opinion emphasises that it is still the cloud client who assumes the role of ‘data controller’ (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.

In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:

- the technical and/or organisational measures to be implemented by the cloud provider, including clarification of the responsibilities of the cloud provider to notify the cloud client in the event of a data breach.

- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.

- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.

- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.

- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard – with the client retaining the power to object to such changes and/or terminate the contract.

- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.

Finally, the Opinion recognises the need to regulate data transfers to so-called ‘third countries’ in the context of cloud services but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the ‘adequacy’ of such transfers are somewhat limited. In this regard, the Opinion starts by rejecting the Safe Harbor mechanism as a transfer solution, on the basis that Safe Harbor certification alone cannot substitute for the contractual arrangements and guarantees which may be required by Data Protection Authorities at the national level, particularly on the data security issues applicable to cloud computing; the Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective in this regard.

Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with its applicable sub-processor provisions) but more importantly recognises the suitability of the BCR framework; and specifically the ongoing development of Binding Safe Processor Rules (BSPR) which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.

In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party’s expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.