This is one of those great posts that gets to combine cloud computing law with privacy law with political intrigue. Before I get too far in, I want to set out my own caveat. In my opinion, there is a data war brewing between the United States, the EU, and China, and everyone is vying for the top dog spot. The basis of this is the fact that each faction views the protection of data very differently and each wants to be the best. To give you a surface-level scratch of the differences, I'll simplify (which is one of the things I do best): the US is pro-capitalism / free market and favors the free flow of information, even private data; the EU is much more pro-individual and favors retention of private data, even to the detriment of businesses; China is much more pro-state and focuses on keeping data managed. Each entity thinks that it is completely right, and they are trying to work together (except for China, which doesn't seem to care what anyone else thinks), but really each has the ultimate goal of making its own position dominant. Interestingly, I believe that the EU is seeking its dominance by applying economic pressure (something we've used for generations), and is having the most luck. Businesses are being forced to comply and are doing so in order to maintain market share. It is, nevertheless, very much a "cold war" between the US and the EU on the data protection front. And, as was anticipated, it is now entering the realm of cloud computing law.
Before I delve into the ruling, I need to explain some concepts that I haven't put out here before. First, each member country of the EU has its own Data Protection Administration (DPA) that governs and rules over access, and permission to access, private, individual data. In 1998, the EU issued the European Directive on Data Protection that, among other things, prohibits the transfer of personal data to non-EU countries unless they have met the EU "adequacy" standards to protect the data. This directive actually causes great consternation in business as well as in the litigation arena, privacy litigation or otherwise, because it limits what a U.S. defendant can legitimately produce. In a country where discovery in a lawsuit is often viewed as a fishing expedition in which one drains the lake and simply picks the fish up off the bottom, this limitation on access to data has caused, and is causing, businesses sleepless nights and is making lawyers rich. Enter the U.S. Safe Harbor framework. This is essentially a compliance mechanism devised (supposedly) through joint efforts between the U.S. and the EU that businesses can opt into by self-certifying that they comply. The main areas of focus are transfer of data, notice to the data holder, transfer to third parties, access to data, security measures, and data integrity. If a business properly complies with this self-certification, it will be deemed "adequate".
I know you've read all of this and said, "What does any of this have to do with cloud computing law, you dolt!" To which I would reply, "ouch," and then go on to explain that yesterday, Germany's DPA made a ruling on the use of cloud computing and its implications for the European Directive. Most importantly, the DPA determined that clouds located outside the EU are per se unlawful, even if the EU has issued an adequacy decision in favor of the foreign country. Thus, if your cloud is based anywhere other than the EU, it is unlawful to store private EU data there (and in case you're curious, everything is private data in the EU's eyes). Of course, the decision goes on to state that you can avoid this result if you apply German rules on data processing and use the EU-approved model contract for controller-processor data transfers. Basically, if you want to follow our rules and use our contract, you can do it.
What is even more interesting is that the DPA determined that the U.S. Safe Harbor is not adequate to protect information in the cloud. Thus, those companies that go through the self-certification process still can't host cloud data (sorry Google). The reasoning is that even though one entity may have self-certified, the inherent nature of the cloud is that data is accessible to third parties, and those parties are not adequate.
This leaves the ultimate question of "what does this mean for cloud computing?" The obvious answer is that it will force companies that want to utilize the cloud to either (a) adopt the EU rules and contracts or (b) enter into a binding corporate rule that complies with the EU rules (which is another option the German DPA suggested). This will, ultimately, increase the costs associated with using the cloud and will likely have a cooling effect on pushes on that front. Of course, the development that I will be watching from the cheap seats as a technology lawyer is what response the U.S. takes. Will it rely on businesses to police themselves and comply as they choose, or will it try to enforce rules to keep the Safe Harbor alive? And, if Germany makes this type of ruling on the cloud now, essentially obliterating the Safe Harbor Framework, can Safe Harbor survive? Or more importantly, should Safe Harbor survive?

"The Data Protection Authority for the German federal state of Schleswig-Holstein ("Unabhängiges Landeszentrum für Datenschutz - ULD", the "DPA") has published in June 2010 a paper about cloud computing under German data protection law. The most doubtful statement is that the usage of clouds outside the EU might be in violation of German data protection law.
In this analysis I give an overview of some statements of the paper, explain the legal background and analyze the DPA's position."
http://www.thomashelbing.com/en/analysis-data-protection-authority-use-non-eu-cloud-might-violate-german-data-protection-law