European Reservations?
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That’s not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
In April, the Düsseldorfer Kreis, an informal group of state data protection officials that attempts to coordinate approaches to international data transfers under Germany’s federal system, called on the US Federal Trade Commission to increase its monitoring and enforcement of Safe Harbor commitments by US companies handling European personal data. On July 23, Dr. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein (capital: Kiel), issued a press release provocatively titled “10th Anniversary of Safe Harbor – many reasons to act but none to celebrate.” Dr. Weichert cites an upcoming report by an Australian consultancy (Galexia) asserting that hundreds of American companies claiming to be part of the Safe Harbor program are not currently certified, and that many Safe Harbor companies fail to provide information to individuals on how to enforce their rights or refer them to costly self-regulatory dispute resolution programs. Dr. Weichert urges a radical solution: “From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately.”
Dr. Weichert also attracted international attention with another press release issued this summer, entitled (translating loosely) “Data protection in cloud computing? So far, nil!” The press release refers to his recently published opinion on “Cloud Computing und Datenschutz,” which is deeply skeptical about the ability of cloud customers to assure compliance with European data protection laws.
European Context
The European Union’s venerable Data Protection Directive, adopted 15 years ago, has had a huge impact on data privacy and security practices in the European Union and in the countries outside the EU, ranging from Russia to Canada to Japan, that have adopted national data privacy laws strongly influenced by the Directive. The Directive’s comprehensive approach to personal information privacy, based on widely accepted principles of fair information practices, contrasts with the US approach of legislating conditions on the collection and use of personal information only in specific contexts such as Social Security Numbers, credit reporting, financial accounts, and electronic health records. While the two systems sometimes produce similar results, the mismatch between Euro-style comprehensive data privacy laws and the detailed but sectoral regulation in the United States creates some challenges for organizations that conduct business across borders.
The EU Directive (Articles 25 and 26) directs member states to prohibit the transfer of personally identifiable data to countries whose laws are not deemed sufficiently similar, unless some other approved means of assuring adequate protection is employed. One response to the problem of assuring privacy protection overseas was the adoption of EU-approved standard contract clauses or “model contracts,” which were recently updated to better address the trend toward outsourced subprocessing (including cloud computing). Another was the EU-US “Safe Harbor” framework developed jointly by the European Commission and the US Department of Commerce, under which American companies can publicly certify compliance with a standard set of Safe Harbor Privacy Principles approved by the European Commission and enforced by American regulators, predominantly the Federal Trade Commission.
Some data protection officials in Europe have questioned whether these legal alternatives have been wholly effective in assuring the confidentiality and security of personal information from Europe that is stored or processed in the United States or other countries. Social networking and the popularity of cloud computing models for outsourcing data storage and processing have heightened these concerns, since there is often less clarity about where personal data are stored and by whom. Such concerns underlie the recent pronouncements by the German data protection authorities.
Behind the Drama
Dr. Weichert shows a flair for drama in calling for the immediate end of Safe Harbor and characterizing cloud computing users as scofflaws. His press release on Safe Harbor acknowledges that his radical proposal is unlikely to be adopted because “nobody in the EU seems to have the courage” to disrupt the close economic relations with the US. He complains that Google, Facebook, and other American companies encourage millions of Europeans to share personal information, without effective supervision or recourse. Dr. Weichert wants to reopen negotiations on the Safe Harbor principles and at least strengthen the enforcement mechanisms. An upcoming EU consulting report on Safe Harbor is likely to provide some ammunition for that argument, as it reportedly criticizes the FTC for taking action against only seven companies in the ten-year history of Safe Harbor, despite thousands of complaints.
On cloud computing, Dr. Weichert points out that customers do not always know where their data resides and who is handling it, making it impossible to assure compliance with the notice, security, and transborder obligations of data controllers under the national laws transposing the EU Data Protection Directive. Individual data subjects are supposed to be informed of material facts concerning the processing of their data, and this is usually interpreted to mean, among other things, that they must be told if the data are being processed outside the EU in countries with dissimilar legal protections for personal information. In such cases, the data controller is also responsible for assuring an adequate level of protection through model contracts, Safe Harbor, binding corporate rules, informed consent, or other approved methods. Where a cloud services provider is acting as a “processor” of the data on behalf of the European customer or data “controller,” which is typical in cloud computing arrangements, the data controller has an obligation under the national version of Article 16 of the EU Directive to conduct due diligence in selecting a provider and engage the provider with a written agreement that (a) forbids the processor from acting on the data other than according to the controller’s instructions and (b) requires the processor to maintain appropriate technical and organizational security measures. Dr. Weichert questions whether this routinely happens when a customer signs up for cloud services that are, in fact, provided in a variety of changing locations and sometimes by layers of different companies providing hosting facilities or software as a service (SaaS) applications.
Putting the Criticism in Perspective
State and national data protection authorities in Europe remain legally obliged to allow data transfers to Safe Harbor companies in the US, as the Safe Harbor decision was adopted through a legislative procedure requiring approval by the European Commission, consultation with the European Parliament, and a weighted majority vote by the member state governments. Any revision of the Safe Harbor decision must follow a similar process, even assuming the US were willing to reopen discussions on the jointly administered program. Thus, modifying or terminating the program would require extensive debate and negotiation. Meanwhile, state or national authorities can legitimately confirm that a company is currently certified under Safe Harbor, but they cannot prohibit data transfers simply because the parties rely on Safe Harbor rather than model contracts or another legal basis for transborder data flows from Europe.
Moreover, the Safe Harbor program has successfully attracted nearly 2000 American companies, including those that represent some of the largest trans-Atlantic data flows, and it is now paralleled by a virtually identical US-Switzerland Safe Harbor Framework. US and European authorities meet periodically to discuss the program and coordinate efforts to promote and enforce it. The Department of Commerce and the FTC are both engaged with European data protection authorities in this process, and any perceived gaps in enforcement are likely to be addressed in this dialogue rather than in an overhaul of the Safe Harbor Privacy Principles themselves. In a public conference on Safe Harbor held in Washington last November, European data protection authorities expressed satisfaction that the program had raised the awareness of American companies handling European personal information and helped ensure compliance on the part of the European entities collecting and using the data.
Similarly, although several data protection authorities have highlighted potential compliance problems with cloud computing solutions, none have taken legal or administrative action to prevent European companies from using them (not even in Schleswig-Holstein). Dr. Weichert participates in the Düsseldorfer Kreis, where his office takes the lead on examining insurance industry issues, but the group has not issued an opinion on the application of transborder data protection mechanisms to cloud computing. His comments, which have not been officially endorsed by other regulators, should be viewed as a caution to European cloud customers rather than as a legal or enforcement opinion.
Lessons for Global Companies
The German state authorities' comments come at a time when national data protection authorities in Europe are debating precisely how the EU Data Protection Directive should be updated to reflect developments in technology and information practices since the Directive was adopted 15 years ago. The European Commission had announced its intention to review scores of written comments submitted in a recent consultative process and then propose legislative revisions later this year. But the national DPAs, meeting with the Commission last month, prevailed on the Commission to postpone any proposals until mid-2011, according to an August 2 announcement by CNIL, the French data protection commission, which was later confirmed by EU Commissioner Viviane Reding. The Commission and the national authorities are reportedly concerned about divergences in national approaches in implementing the Directive and want to examine how best to apply the general principles of the Directive in an increasingly global, networked, and distributed computing environment.
Global companies must continue to assure compliance (and market acceptance) as they collect consumer data from users in Europe and handle European employee data in centralized enterprise resource management systems or outsourced applications. Safe Harbor is an efficient and widely accepted option for the companies themselves and for many of their vendors, and cloud services are often practical and cost-effective. However, given the concerns of European authorities (and possibly of European consumers and legislators), companies should carefully consider how to implement these solutions in a compliant manner:
• Keep Safe Harbor certifications up to date (they must be renewed annually) and make sure they accurately disclose the range of data transfers to be covered
• Conduct the required annual assessment of Safe Harbor compliance
• Publish a Safe Harbor privacy policy with conspicuous provisions for resolving individual questions and complaints
• Verify that US vendors (including cloud service providers) are Safe Harbor certified, or alternatively use EU-approved standard contract clauses
• Keep European personal information, especially sensitive data, out of any cloud or outsourcing arrangements with vendors that cannot or will not confirm compliance, recognizing that some vendors refuse to divulge their locations or sub-contractors
• Follow Dr. Weichert’s advice (and ours) to include a Security Service Level Agreement, Information Security Schedule, or other specific security requirements in any outsourcing or cloud agreement that involves European personal data.
Mexico's New Data Protection Law
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the “Law”) was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Like the EU Data Protection Directive and the Canadian federal PIPEDA legislation, Mexico’s data protection statute requires a lawful basis, such as consent or legal obligation, for collecting, processing, using, and disclosing personally identifiable information. There is no requirement to notify processing activities to a government body, as in many European countries, but companies handling personal data must furnish notice to the affected persons. Individuals have rights of access, correction, and objection (on “legitimate grounds”) to processing or disclosure. In the event of a security breach that would significantly affect individuals, those persons must be promptly notified. The Law also addresses data transfers, both within and outside Mexico.
A federal agency, the Institute for Access to Information and Data Protection (IFAI), will provide interpretive guidance and supervise compliance with the new law. IFAI will investigate complaints and inquiries and may launch investigations on its own initiative. In addition to administrative sanctions including warnings and fines, the law contemplates criminal prosecution of violators, with more substantial fines and the possibility of imprisonment for those responsible for a security breach or for fraudulent or deceptive collection and use of personal data.
The Law regulates private parties that “process” personally identified or identifiable data, with exceptions for credit reporting agencies (which are already covered by separate legislation) and individuals recording data exclusively for personal use. Definitions largely track those of the EU Data Protection Directive, including a very broad definition of “processing” that includes any collection, use, storage, or disclosure of data. The Law also uses the concepts of “data controller” and “data processor” as found in the EU Directive, respectively signifying entities that decide to process personal data and entities that carry out processing on their behalf.
The Law departs from the EU Directive, however, in reflecting the habeas data concept found in several Latin American constitutions and statutes: the individual to whom personal data relates is treated as the “data owner.” The individual’s legal rights derive largely from this concept of ownership and the associated right to control whether and how personal data is used.
“Sensitive data” gets some additional protections under the Law, as it does in Europe. As defined in the Law, sensitive data denotes information that touches on the most intimate aspects of a person’s life or involves a serious risk of discrimination. This includes but is not limited to “special categories” of data listed in the EU Directive: race or ethnicity, health, sexual preference, religious or philosophical beliefs, political views, and trade union membership. The Mexican law expressly adds genetic data to this list but does not include special treatment for criminal records as the EU Directive does.
The Law incorporates eight general principles that data controllers must follow in handling personal data: legality, consent, notice, quality, purpose limitation, fidelity, proportionality, and accountability. The Law also addresses data retention: personal data must be deleted when no longer necessary for the purposes set out in the privacy notice and applicable law.
Notice and Consent
Data controllers must furnish a privacy notice indicating what data is collected and for what purposes. If the data is collected directly from the individual, the privacy notice must be delivered at the same time (if not earlier) and in the same format. If the data is collected electronically, however, the data controller can choose to give only the identity and purposes of collection and a mechanism for obtaining the full privacy notice. Where the data has not been collected directly from the individual, the data controller must still provide a privacy notice and notification of changes in the privacy notice.
Data controllers can request authorization from IFAI to forgo some or all of the notice requirements where, for example, the data collection is old or the cost of providing notice would be disproportionate.
The privacy notice must include the identity of the data controller, the purposes of processing, the individual’s options for limiting use or disclosure of the data, the procedures for access and correction by the individual, any contemplated transfers of the data, and procedures for notifying individuals about any subsequent changes in the privacy notice. The notice must expressly state if it concerns any sensitive data.
Consent usually can be tacit (opt-out) so long as there is sufficient notice. However, processing sensitive data or information about personal finances and assets requires express consent (opt-in); this must be recorded in writing (or electronically with authentication) in the case of sensitive data.
Consent is not required if
• the data controller is legally obliged to process the information
• the data is publicly available
• the data has been anonymized
• the data is necessary to fulfill obligations under a legal relationship between the data controller and the individual (such as employment or payment processing)
• there is an emergency that could harm the individual
• a health care professional needs the data to provide medical attention and the individual cannot give consent
• a competent government body issues a resolution waiving the consent requirement.
Security and Breach Notice
Data controllers are responsible for maintaining physical, technical, and administrative security measures to protect personal data from loss, alteration, and unauthorized disclosure or use. The measures must at least equal those taken to protect the data controller’s own information. Potential harm, the likelihood of security breaches, the sensitivity of the data, and technological developments are all to be taken into account in crafting appropriate security measures.
Security breaches that “materially” affect property or personal rights must be reported immediately to the affected individuals.
Data Transfers
Transferring personal data to a third party (other than for processing on behalf of the data controller) will typically require an agreement that the transferee will assume the same obligations as found in the privacy notice provided by the transferor. A data transfer requires the consent of the individual except where the transfer
• is pursuant to a law or treaty
• is necessary for medical purposes
• is made to a parent company or affiliate “operating under the same internal processes and policies” (Art. 37 (III))
• is necessary to fulfill a contract in the interest of the individual
• is necessary or legally required to protect a public interest or in the administration of justice
• is necessary to exercise a judicial claim or defense
• is necessary to maintain a legal relationship between the data controller and the individual.
The Law does not establish a formal procedure for approval of foreign data transfers. It appears that data controllers should be able to move data within a corporate group without individual consent, inside and outside Mexico, so long as the parent or affiliate does not handle the data in a manner contrary to the privacy notice furnished by the affiliate in Mexico.
Impact on US Companies
Many US companies have subsidiaries or distributors in Mexico, and data concerning Mexican employees, customers, and business contacts is often transferred to the US company for recordkeeping, contract fulfillment, business planning, market analysis, and other management purposes. Privacy notices in Mexico should mention these purposes and transfers, and the Mexican company may need to obtain opt-in consent in the case of sensitive and financial information. The US company must then handle data consistently with the privacy notice delivered by the Mexican affiliate or distributor, to avoid creating problems for the Mexican firm. For unrelated companies, data transfers should be covered by contractual terms that specify the relevant restrictions and provide for notice to the individuals unless an exception applies.
US companies also often contract with Mexican firms for Spanish-language call centers, customer support services, or outsourced data processing. Once customer data is processed by the Mexican company, it is subject to the Law, regardless of the location of the customers. US companies using such services in Mexico may expect that their vendors will increasingly refer in contracts to their own obligations under the Law and may require cooperation from the US companies in responding to privacy-related complaints and security breaches in Mexico.
Corporate groups operating in Mexico or using data-centric services in Mexico will need to stay abreast of IFAI decisions and changing business practices resulting from the new Law.
Observations on the Dept. of Commerce's Privacy Inquiry
Earlier in the week, I referenced the U.S. Department of Commerce’s Notice of Inquiry concerning “Information Privacy and Innovation in the Internet Economy” (the “Inquiry”). DataGuidance.com recently did a short article on the Inquiry in which I am quoted. I have now had a chance to review the document in more detail and believe that this Inquiry and the report that it generates have the potential to usher in a paradigm shift and reshape the privacy environment as it relates to commerce. Unfortunately, it also has the potential to be a frustrating exercise involving entrenched special interests banging their heads against a wall in a political forum. Nonetheless, whether the Inquiry ends up yielding any legislation, industry standards, best practices or a strategic framework for privacy, the document itself reflects some of the key challenges faced at the intersection of privacy and commerce. This post outlines some of my observations after reading the Inquiry.
Some thoughts and observations in no particular order:
- The Hard Questions. This Inquiry seeks to tackle practically all of the “hard questions” in privacy as it relates to commerce. Its breadth is impressive.
- Balance Between Commerce and Privacy. Based on how it is written, the topics discussed and the framing of the questions, it is clear that the DOC seeks to find the proper balance between commercial innovation/burden and individual privacy. It is interesting that these questions are being considered in a commercial context rather than from a “civil rights” point of view. This is consistent, of course, with the U.S. approach. However, considering that one of the issues it addresses is international privacy laws and regulations, it begs the question of whether the lack of consistency in privacy regulations globally (and difficulties related thereto) is “baked into the cake.”
- The Multiplicity of Privacy Laws. One of the key business problems the Inquiry seeks to explore is compliance with privacy laws and jurisdictional conflicts. The Inquiry asks questions about the multi-jurisdictional nature of handling personal information, both on a national and state level within the United States, and on an international level with the rest of the world. It also provides a series of questions that seek to explore the effectiveness of the U.S. sectoral approach to privacy regulation. The compliance burden arising out of multiple (and sometimes conflicting) privacy regulatory regimes has vexed and continues to vex multinational corporations that handle personal information.
From a commercial and compliance point of view this issue is extremely important. The reality is that for multinational companies (which these days can be very large and very small -- a website that is accessible by foreign data subjects could put a company in the "multinational" category), because of transborder data flow, it is extremely difficult, if not impossible (when actual cost is taken into account), to even know what laws apply to the organization. In fact, the legal environment is constantly changing due to new laws at multiple jurisdictional levels, and due to organizational changes concerning the type, handling and location of personal data interacting with a company. Even if companies have the ability to ascertain what laws apply to them, compliance is also very difficult and expensive (and some would maintain again that it is impossible to achieve 100% compliance).
Based on the questions posed the Inquiry seems to recognize the disconnect between applicable privacy laws based on arbitrary and imaginary borders, and the completely borderless environment in which information exists in commerce. Will Commerce conclude that the multiplicity of privacy and security laws is an impediment or obstacle to the growth of the global economy? It will be interesting to see if the coming report will have recommendations on how to harmonize existing regulatory regimes while still addressing privacy issues important to particular countries.
- Cloud Computing and Borderless Data. Speaking of ethereal data processing-related concepts, the Inquiry specifically references cloud computing and web-based services, and appears to address the reality that in the 21st century data is borderless, but laws based on arbitrary location-based jurisdictional triggers are not.
- Notice & Consent Model Outdated? The Inquiry also appears to recognize concerns about the weaknesses of the current notice and consent privacy regime, and inquires about a “use-based” consumer privacy model. A use-based model recognizes the view that privacy is context-based rather than static. A use of information in one context may be consistent with the data subject’s expectation of privacy, but the same information may violate privacy in another context. Putting up pictures on Facebook of a late night out with friends and sharing them with those friends does not violate privacy principles, but allowing the data subject’s employer to see those photos might. It is not clear, however, whether a “use-based” system would provide more effective protection or whether it could be done cost-effectively without massive standardization and cooperation between a multiplicity of entities that might handle personal information in the midst of a transaction. To achieve this type of regime, which effectively gives the data subject more control over its data, technology solutions may be necessary. Coincidentally, as discussed below, the Inquiry also asks questions concerning the role of technology in protecting privacy.
- The Role of Technology in Managing and Protecting Privacy. The Inquiry asks questions about “privacy-enhancing technologies” (PETs) that would allow data subjects to manage the information they are sharing, allow for the auditing of compliance with privacy policies and expressed user preferences, and provide privacy notices to individuals concerning the use or disclosure of their personal information. To the extent that PETs empower individual data subjects, the challenge of course is getting data subjects to understand how they can use these technologies, and providing notice of what will happen to their personal information if they fail to do so. One interesting question in the Inquiry relates to whether technology designers are properly incentivized to build privacy-related functionality into the design of their technology. I think this question gets to the crux of one of the key problems with PETs: if the technologies are not already built into the business processes from the start, is it feasible and cost-effective to implement efficacious PETs?
- Recognition of the Small-Medium Business Challenges. The Inquiry poses a series of questions concerning the impact of privacy and compliance on small/medium businesses and start-ups. I think this issue is often overlooked in terms of how commercial innovation might be stifled by privacy requirements that are too costly. Much of the innovation over the past 20 years has come from start-up companies utilizing the efficiencies of information technology and the Internet. Do strict privacy requirements dissuade entrepreneurs from starting their companies or pose insurmountable obstacles due to compliance expenses? Some would argue that innovation has not been stifled by pointing to the existence of Facebook, Twitter, and MySpace, all of which are pushing the boundaries of privacy. However, this begs the question because the existence of these companies is, in part, why the Inquiry is necessary. Beyond start-ups, the reality is most small businesses (even your local laundromat) store, process and transmit personal information of some sort. Can laws and standards be created that are "one-size-fits-all"? If not, considering the volume of small businesses in the U.S. (compared to large companies), if you exempt or limit the obligations of small businesses, are you leaving a massive consumer privacy gap?
Overall, the ultimate impact of the Inquiry is unclear. The Inquiry specifically indicates that it is not being circulated for the specific purpose of creating legislation. However, it is possible that useful recommendations or guidance could come out of the DOC’s eventual report that could serve as the basis of future regulation, best practices or standards that relate to privacy in the context of modern commerce. It also must be recognized that this Inquiry is happening right in the middle of the political arena. There will be entrenched and wealthy special interests on both the commerce and consumer side that will seek to influence the DOC and its report. The report will be less useful if it simply yields the same positions that have been espoused by various interests on either side of the spectrum. The hope is that the DOC report will get beyond the status quo and offer guidance and the foundations for public policy (and law) that actually move the ball forward and serve to address the significant privacy challenges the consumers and the commercial community face.
EU Adopts New Standard Contract Clauses for Foreign Processors
Last Friday, the European Commission adopted new "controller-processor" standard contractual clauses ("SCCs" or "model contract") to protect personal data transferred from Europe to a data processor located outside the EU/EEA. Existing contractual arrangements are grandfathered, but any new contracts with data processors must include the new version of the SCCs.
The principal change from the 2002 controller-processor SCCs is that processing contractors are now obliged to obtain prior written consent from the customer before subcontracting any of the processing, and the subcontractor must be contractually bound to the same obligations that apply to the contractor.
Article 25 of the EU Data Protection Directive directs member states to prohibit the transfer of personal data to countries lacking similar legal protections, unless one of several limited exceptions applies or approved safeguards are in place. EU-approved standard contract clauses between the data "exporter" and data "importer" are a common means of legitimizing data transfers to locations outside the European Economic Area -- the European Union plus Iceland, Liechtenstein, and Norway. (SCCs are not used where the transfers are to a US company that participates in the international Safe Harbor program, or to a company relying on informed consent, nationally approved Binding Corporate Rules, or one of the other "derogations" under Article 26 of the Directive.)
The European Commission has approved two alternative sets of SCCs for use in transferring personal data to a data "controller" outside the EEA, and in 2002 the Commission approved a set of SCCs to be used when transferring data to a "processor." The distinction between controllers and processors is not always clear in practice, but the basic concept is that a controller makes decisions about what data to collect and how to use it, while a processor merely performs operations on data only on behalf of the controller and according to its instructions. Business process outsourcing in a non-EEA country such as the United States or India is a common context for using SCCs to protect employee and customer information or other personal data furnished by a European company.
The concern addressed in the new controller-processor SCCs is that processors today often subcontract some processing, storage, and technical support functions to third parties. This is particularly common in cloud computing, where several entities might be involved in handling and storing the data. The new SCCs are designed to ensure that the company that remains responsible as the data controller in Europe is informed about any proposed subcontracting, and that all parties handling the data are subject to the same obligations of confidentiality and security.
The full text of the decision and the new SCCs are not yet posted on the Commission's website. (They will ultimately appear on the "Model Contracts" page.) A Commission spokesman described the decision on Friday, however, as follows:
"According to the newly adopted Decision, where a data importer (processor) intends to subcontract any of its processing operations performed on behalf of the EU data exporter (controller), it must first obtain the prior written consent of the data exporter. The written contract will impose the same obligations on the sub-processor as those imposed on the data importer under the standard contractual clauses."
The Commission reportedly will not require companies with existing controller-processor SCCs to replace those agreements with the new SCCs. New processing agreements, however, must use the new set of controller-processor SCCs if they are to serve as a legal basis for data transfers outside the EEA.