European Reservations?

German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That’s not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.

In April, the Düsseldorfer Kreis, an informal group of state data protection officials that attempts to coordinate approaches to international data transfers under Germany’s federal system, called on the US Federal Trade Commission to increase its monitoring and enforcement of Safe Harbor commitments by US companies handling European personal data. On July 23, Dr. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein (capital: Kiel), issued a press release provocatively titled “10th Anniversary of Safe Harbor – many reasons to act but none to celebrate.” Dr. Weichert cites an upcoming report by an Australian consultancy (Galexia) asserting that hundreds of American companies claiming to be part of the Safe Harbor program are not currently certified, and that many Safe Harbor companies fail to provide information to individuals on how to enforce their rights or refer them to costly self-regulatory dispute resolution programs. Dr. Weichert urges a radical solution: “From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately.”

Dr. Weichert also attracted international attention with another press release issued this summer, entitled (translating loosely) “Data protection in cloud computing? So far, nil!” The press release refers to his recently published opinion on “Cloud Computing und Datenschutz,” which is deeply skeptical about the ability of cloud customers to assure compliance with European data protection laws.

European Context

The European Union’s venerable Data Protection Directive, adopted 15 years ago, has had a huge impact on data privacy and security practices in the European Union and in the countries outside the EU, ranging from Russia to Canada to Japan, that have adopted national data privacy laws strongly influenced by the Directive. The Directive’s comprehensive approach to personal information privacy, based on widely accepted principles of fair information practices, contrasts with the US approach of legislating conditions on the collection and use of personal information only in specific contexts such as Social Security Numbers, credit reporting, financial accounts, and electronic health records. While the two systems sometimes produce similar results, the mismatch between Euro-style comprehensive data privacy laws and the detailed but sectoral regulation in the United States creates some challenges for organizations that conduct business across borders.

The EU Directive (Articles 25 and 26) directs member states to prohibit the transfer of personally identifiable data to countries whose laws are not deemed sufficiently similar, unless some other approved means of assuring adequate protection is employed. One response to the problem of assuring privacy protection overseas was the adoption of EU-approved standard contract clauses or “model contracts,” which were recently updated to better address the trend toward outsourced subprocessing (including cloud computing). Another was the EU-US “Safe Harbor” framework developed jointly by the European Commission and the US Department of Commerce, under which American companies can publicly certify compliance with a standard set of Safe Harbor Privacy Principles approved by the European Commission and enforced by American regulators, predominantly the Federal Trade Commission.

Some data protection officials in Europe have questioned whether these legal alternatives have been wholly effective in assuring the confidentiality and security of personal information from Europe that is stored or processed in the United States or other countries. Social networking and the popularity of cloud computing models for outsourcing data storage and processing have heightened these concerns, since there is often less clarity about where personal data are stored and by whom. Such concerns underlie the recent pronouncements by the German data protection authorities.

Behind the Drama

Dr. Weichert shows a flair for drama in calling for the immediate end of Safe Harbor and characterizing cloud computing users as scofflaws. His press release on Safe Harbor acknowledges that his radical proposal is unlikely to be adopted because “nobody in the EU seems to have the courage” to disrupt the close economic relations with the US. He complains that Google, Facebook, and other American companies encourage millions of Europeans to share personal information, without effective supervision or recourse. Dr. Weichert wants to reopen negotiations on the Safe Harbor principles and at least strengthen the enforcement mechanisms. An upcoming EU consulting report on Safe Harbor is likely to provide some ammunition for that argument, as it reportedly criticizes the FTC for taking action against only seven companies in the ten-year history of Safe Harbor, despite thousands of complaints.

On cloud computing, Dr. Weichert points out that customers do not always know where their data resides and who is handling it, making it impossible to assure compliance with the notice, security, and transborder obligations of data controllers under the national laws transposing the EU Data Protection Directive. Individual data subjects are supposed to be informed of material facts concerning the processing of their data, and this is usually interpreted to mean, among other things, that they must be told if the data are being processed outside the EU in countries with dissimilar legal protections for personal information. In such cases, the data controller is also responsible for assuring an adequate level of protection through model contracts, Safe Harbor, binding corporate rules, informed consent, or other approved methods. Where a cloud services provider is acting as a “processor” of the data on behalf of the European customer or data “controller,” which is typical in cloud computing arrangements, the data controller has an obligation under the national version of Article 16 of the EU Directive to conduct due diligence in selecting a provider and engage the provider with a written agreement that (a) forbids the processor from acting on the data other than according to the controller’s instructions and (b) requires the processor to maintain appropriate technical and organizational security measures. Dr. Weichert questions whether this routinely happens when a customer signs up for cloud services that are, in fact, provided in a variety of changing locations and sometimes by layers of different companies providing hosting facilities or software as a service (SaaS) applications.

Putting the Criticism in Perspective

State and national data protection authorities in Europe remain legally obliged to allow data transfers to Safe Harbor companies in the US, as the Safe Harbor decision was adopted through a legislative procedure requiring approval by the European Commission, consultation with the European Parliament, and a weighted majority vote by the member state governments. Any revision of the Safe Harbor decision must follow a similar process, even assuming the US were willing to reopen discussions on the jointly administered program. Thus, modifying or terminating the program would require extensive debate and negotiation. Meanwhile, state or national authorities can legitimately confirm that a company is currently certified under Safe Harbor, but they cannot prohibit data transfers simply because the parties rely on Safe Harbor rather than model contracts or another legal basis for transborder data flows from Europe.

Moreover, the Safe Harbor program has successfully attracted nearly 2000 American companies, including those that represent some of the largest trans-Atlantic data flows, and it is now paralleled by a virtually identical US-Switzerland Safe Harbor Framework. US and European authorities meet periodically to discuss the program and coordinate efforts to promote and enforce it. The Department of Commerce and the FTC are both engaged with European data protection authorities in this process, and any perceived gaps in enforcement are likely to be addressed in this dialogue rather than in an overhaul of the Safe Harbor Privacy Principles themselves. In a public conference on Safe Harbor held in Washington last November, European data protection authorities expressed satisfaction that the program had raised the awareness of American companies handling European personal information and helped ensure compliance on the part of the European entities collecting and using the data.

Similarly, although several data protection authorities have highlighted potential compliance problems with cloud computing solutions, none have taken legal or administrative action to prevent European companies from using them (not even in Schleswig-Holstein). Dr. Weichert participates in the Düsseldorfer Kreis, where his office takes the lead on examining insurance industry issues, but the group has not issued an opinion on the application of transborder data protection mechanisms to cloud computing. His comments, which have not been officially endorsed by other regulators, should be viewed as a caution to European cloud customers rather than as a legal or enforcement opinion.

Lessons for Global Companies

The German state authorities' comments come at a time when national data protection authorities in Europe are debating precisely how the EU Data Protection Directive should be updated to reflect developments in technology and information practices since the Directive was adopted 15 years ago. The European Commission had announced its intention to review scores of written comments submitted in a recent consultative process and then propose legislative revisions later this year. But the national DPAs, meeting with the Commission last month, prevailed on the Commission to postpone any proposals until mid-2011, according to an August 2 announcement by CNIL, the French data protection commission, which was later confirmed by EU Commissioner Viviane Reding. The Commission and the national authorities are reportedly concerned about divergences in national approaches in implementing the Directive and want to examine how best to apply the general principles of the Directive in an increasingly global, networked, and distributed computing environment.

Global companies must continue to assure compliance (and market acceptance) as they collect consumer data from users in Europe and handle European employee data in centralized enterprise resource management systems or outsourced applications. Safe Harbor is an efficient and widely accepted option for the companies themselves and for many of their vendors, and cloud services are often practical and cost-effective. However, given the concerns of European authorities (and possibly of European consumers and legislators), companies should carefully consider how to implement these solutions in a compliant manner:

• Keep Safe Harbor certifications up to date (they must be renewed annually) and make sure they accurately disclose the range of data transfers to be covered

• Conduct the required annual assessment of Safe Harbor compliance

• Publish a Safe Harbor privacy policy with conspicuous provisions for resolving individual questions and complaints

• Verify that US vendors (including cloud service providers) are Safe Harbor certified, or alternatively use EU-approved standard contract clauses

• Keep European personal information, especially sensitive data, out of any cloud or outsourcing arrangements with vendors that cannot or will not confirm compliance, recognizing that some vendors refuse to divulge their locations or sub-contractors

• Follow Dr. Weichert’s advice (and ours) to include a Security Service Level Agreement, Information Security Schedule, or other specific security requirements in any outsourcing or cloud agreement that involves European personal data.