A few posts ago, I wrote about the European Union’s influential 1995 Data Protection Directive and the updates to its consumer privacy rules that will soon go into effect. Over the summer, the Article 29 Working Group, which is a DPD advisory body, released a set of rules clarifying the regulatory structure around cloud providers. While the US is still working out its online consumer privacy regulations, this recent EU rulemaking sets a high bar for consumer data security: EU companies can’t eliminate basic data privacy rights by storing the personal data of their customers in the cloud.
In the language of DPD, the Working Group considers cloud providers to be “data processors”. By nailing down this designation, the rest of the existing DPD framework then falls into place. And therefore DPD obligations related to security protections, accuracy, and limits on data retention remain in effect.
A company (data controller in DPD-ese) that’s looking for a cloud provider is allowed to contract only with a service that “guarantees compliance with [EU] data protection legislation.”
Since EU companies have the ultimate responsibility (and take on most or all liabilities) for protecting customer data, it’s up to them to include the appropriate contract terms with their providers. I’ve pulled together a few of these key contract clauses from the Working Group document:
- SLAs – “objective and measurable” and should list “relevant penalties (financial or otherwise including the ability to sue the [cloud] provider in case of non-compliance)”
- Authorization – “processor [the cloud provider] is to follow the instructions of the controller”
- Access to data – “only authorized [cloud provider] persons should have access to the data”
- Consumers’ access rights – cloud provider should “support the client in facilitating exercise of data subjects’ [consumers’] rights to access, correct or delete their data
- Logging and auditing – “client should request logging of processing operations performed by the provider” and the client “should be empowered to audit such processing operations”
- Technical measures – a series of technical requirements, key among them are ones relating to availability, data integrity, confidentiality (i.e., encryption), and portability
This contracting standard is especially significant since cloud companies can be physically located anywhere, and more to the point, outside the EU. In effect, European-based companies that collect consumer data of EU citizens can’t export the data and then process it in a place with a lax consumer security environment–the cloud outsourcer must meet DPD-level standards of data protection.
In case you’re wondering whether the DPD governs US cloud providers–say Amazon or Google–the answer has, up until this Working Group cloud rules document, been a qualified “yes”. US data processors have had a unique safe harbor relationship with the EU. If they are working with an EU company, they’re allowed to self-certify themselves with respect to seven principles that mirror the DPD rules for EU-based data processors.
However the new Working Group rules say that EU companies need to obtain direct evidence from US providers “that the Safe Harbor self-certifications exists [emphasis added] and request evidence demonstrating that their principles are complied with.”
Amazon, Google, GoDaddy, and other US cloud providers: you’ve been warned!
Speaking of data privacy practices of US-based cloud providers, Rob has an interesting post on how the convenience of cloud computing has lulled consumers and companies into a one-sided relationship. And at least one well-known security analyst has described it as more like an EULA between serfs and lords. Hint: the cloud-providers are the lords.
EU countries have made a giant step towards balancing the power relationships in the digital age between cloud provider and companies. As a side effect, US cloud providers will need to change their privacy practices, at least if they want to do business in the EU.
While feudal relationships were unknown in North America, I might add that some of the DPD’s ideas would make for good business practices in US-US transactions.