In this second article of our cloud computing and privacy series (see our first article here), we consider the general data protection legal framework that applies to cloud computing in certain key Member States(1).
Our cross-jurisdictional analysis of key Member States clearly shows that privacy and data protection are of paramount importance when considering cloud computing. This is logical, as the provision of IT services over the Internet leads in many instances to the processing of personal data. This poses recurrent issues relating to the applicable law, the determination of the controller and the processor and their corresponding roles, the cloud services contracts put in place, and the international transfer of data.
Without aiming to reiterate the legal analysis provided in many academic and learned studies and articles, the following sections examine whether EU and national authorities provide specific guidance or decisions on the subject of cloud computing and privacy.
Guidance on cloud computing and data protection provided by public authorities
The 'Article 29 Working Party' (the "Working Party") has issued numerous opinions on different aspects, many of which are relevant to cloud computing.
Among such opinions issued by the Working Party, the following are particularly relevant:
- Opinion 05/2014 on anonymisation techniques onto the web(2) (discussed in our upcoming fourth article);
- Opinion 03/2014 on personal data breach notification(3) (discussed in our upcoming fifth article);
- Opinion 03/2013 on purpose limitation(4);
- Opinion 15/2011 on consent(5);
- Opinion 8/2010 on applicable law(6); and
- Opinion 4/2007 on the concept of personal data(7).
More importantly, the Working Party published an opinion dedicated to cloud computing(8). Opinion 05/2012 on Cloud Computing, adopted on 1 July 2012, analyses all relevant issues for cloud computing service providers ("CSP") operating in the European Economic Area (EEA), and their clients, specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the ePrivacy Directive 2002/58/EC (as revised by Directive 2009/136/EC) where relevant(9).
In addition to the EU general and specific guidance applicable to cloud computing, the question arises as to whether national data protection authorities have adopted specific guidance on the applicability of their local data protection legislation to cloud computing.
Most local data protection authorities ("DPA") have issued data protection guidance dedicated to cloud computing. Only a very few DPAs have not issued cloud-specific data protection guidance, namely Belgium, Denmark (there are, however, cloud-specific decisions of the Danish DPA, see below), Finland and Poland.
Also, those countries that have issued general guidance on cloud computing (see our first article here) all cover data protection aspects (e.g., Belgium and Denmark). Moreover, the absence of dedicated guidance on data protection in a cloud environment does not mean that other guidance published by local DPAs in such countries on more general topics does not apply to cloud computing, in just the same way that the data protection guidance at the EU level is also relevant to cloud computing. Several other countries provide tailored guidance by local authorities on privacy and data protection in a cloud environment.
In general, this national guidance does not provide divergent views from the ones set out in the aforementioned Working Party Opinion 05/2012 on cloud computing.
For instance, in the Czech Republic the Czech Data Protection Office issued on 7 August 2013 its official position on the Protection of Personal Data within Cloud Computing Services. This document, which almost entirely corresponds to the Working Party Opinion 05/2012, includes (i) definitions of the terms "Cloud Computing", "IaaS", "SaaS", "PaaS", "Public cloud", "Private cloud" and "Hybrid cloud", (ii) definitions of the data controller and the data processor, (iii) an explanation of how the adequacy of the level of protection is assessed, (iv) rules regarding the transfer of personal data outside the Czech Republic, and (v) an explanation of Standard Contractual Clauses and Binding Corporate Rules.
In Spain, the Spanish DPA also provided guidance in 2013 on privacy and cloud computing with two specific guides: the "guide for clients using Cloud computer services" and the "guide for Cloud service providers".
The major findings of the Spanish Guidelines are summarised as follows:
- CSPs shall be considered as data processors;
- The customer shall be informed of the identification of the services and of the outsourcing company (including the country in which it develops its services if international data transfers are to take place);
- The customer can make decisions as a result of the intervention of subcontractors, i.e. it may terminate the agreement or refuse the appointment of sub-contractors; and
- The CSP and subcontractors shall enter into a contract that includes guarantees equivalent to those included in the contract with the customer.
In the United Kingdom, the ICO published on 27 September 2012 a set of guidelines for businesses in relation to cloud computing. In addition to addressing the application of the rules contained in the Data Protection Act 1998 to the processing of information in the cloud, the ICO guidance runs through the three main types of cloud deployment models (private, community and public) and considers which role will be filled by the customer and the provider. As the cloud customer will be making the decisions on the purposes and manner in which the data are processed, it will generally be the data controller and therefore ultimately liable for compliance with the Data Protection Act. However, the precise role of the CSP should be reviewed on a case-by-case basis to determine whether it is processing personal data to such an extent that it could be operating as a data controller in its own right. The ICO guidance then highlights the key areas which should be considered by organisations looking to move to the cloud, such as (i) the formalisation of the relationship, (ii) the auditing/monitoring of the CSP, (iii) the protection of data (for instance by means of encryption), (iv) data retention and deletion, (v) further processing, and (vi) the use of cloud services from outside the UK (see our more detailed article on the ICO guidance here).
National case-law relating to cloud computing and data protection
In addition to the guidance of the Working Party and several national data protection authorities across the EU, any judicial and administrative decisions on the matter are also of importance.
Where a particular decision does not specifically concern cloud computing, it may still apply to such a situation. It is therefore necessary to take into consideration the entire body of case-law available. This is for instance the case at EU level with the Court of Justice of the European Union (the "CJEU"). The CJEU has not yet issued any decision on data protection and cloud computing. Nevertheless, several decisions are worth taking into account, for instance the Lindqvist (case C-101/01), Google Spain (case C-131/12) and Heinz Huber (case C-524/06) judgments. In this context, it should be recalled that judgments of the CJEU apply throughout the EU.
The same logic applies in each Member State, where local decisions of the data protection authorities or the administrative and judicial courts may be relevant.
Our in-depth analysis of the current legal situation in key Member States shows that two countries have cloud-specific decisions: Denmark and Spain.
Case-law in Denmark
Since 2011, the DPA in Denmark (Datatilsynet) has in a few cases dealt with cloud computing from a data protection perspective. In particular, topics relating to the obligations as data controller and data processor, security issues and transfer of personal data to third countries outside the EEA are covered in several decisions related notably to Dropbox, a driver's license system, Google Apps and Microsoft's Office 365.
More specifically, the Google Apps case with Odense Municipality is probably the most well-known case brought before the Danish DPA. The Danish DPA rejected Odense Municipality's application to use the cloud service "Google Apps" to store data in relation to its public schools. Odense Municipality stated that data would be transferred initially to Google Ireland Limited; Google subsequently informed the DPA that it holds all data in numerous data centres worldwide, including in the United States and Europe. Accordingly, data would initially be shared between Denmark and Ireland and then between Ireland and potentially every other country in which Google operates data centres (be it the United States, within the EEA or others). The Danish DPA's view was that any Google data centres in the United States would be covered by the EU-U.S. Safe Harbour Framework; thus Odense Municipality was permitted to store data there as well as in Ireland. However, the Danish DPA decided it must assume that data would be transferred not only to Ireland and the United States, but also to all the other countries in which Google maintains data centres, including those neither in the EEA nor in the United States (and thus not covered by Safe Harbour). It therefore deemed that Odense Municipality would not comply with current legislation because it was not proposing to enter into a contract based on the European Commission's standard contractual clauses with Google's individual data centres. Further, the Danish DPA found that Odense Municipality had not conducted a sufficient risk evaluation, and that the data processor agreement which was to be entered into with Google did not comply with the legal requirements, most notably because it could be changed unilaterally by Google.
The other very relevant case from the Danish DPA, the Office 365 case, relates to the IT University of Copenhagen's request to use Office 365 as an e-mail solution for the University's students and employees. The Danish DPA restated the same arguments as in the Odense Municipality case, but since Microsoft was more open to entering into a contract based on the European Commission's standard contractual clauses, the outcome was different. Even though the Danish DPA's decision in the Office 365 case is not a seal of approval for cloud computing in the public sector, it shows a path for using cloud computing in the public sector.
Case-law in Spain
In Spain, the Supreme Court was compelled to examine several issues relating to claims against the Spanish Data Protection Regulation (the "Royal Decree 1720/2007" of 21 December 2007).
In its ruling of 15 July 2010, the Spanish Supreme Court dismissed the claimant's challenge, as it considered that the data processor's duty to inform the data controller of its identifying data before proceeding with the subcontracting is applicable. Furthermore, it considered that the subcontractor must not only be identified, but that the identity of the subcontractor must also be notified to the client. The reason for this need to notify is that CSPs are considered to be data processors and the client is considered the data controller.
Moreover, the Spanish Supreme Court established that if third party processors are involved in the provision of cloud services, additional aspects must be guaranteed:
- The customer shall be informed of the identification of the outsourcing company (including the country where it develops its services if international data transfers are to take place);
- The customer can make decisions as a result of the intervention of subcontractors, i.e. it may terminate the agreement or refuse the appointment of sub-contractors;
- The CSP and subcontractors shall enter into a contract that includes guarantees equivalent to those included in the contract with the customer (back-to-back agreements).
The Spanish DPA has also applied the above criteria in other resolutions, such as that regarding a Microsoft Office 365 cloud solution data transfer (9 May 2014), where it considered that the company fulfils the aforementioned requirements.
Case-law in the United States
One of the areas of key concern for cloud vendors and customers currently is the interplay between EU data protection rules and laws in other countries which seemingly conflict, particularly in respect of government or court ordered access to information about individuals held on servers in the EU. Given the US origin of many of the largest cloud vendors, the size of the US market and revelations about NSA surveillance and information gathering, the position in the US continues to be watched closely.
The highest-profile case is the Microsoft Warrants case, where on 31 July 2014 Chief US District Judge Loretta Preska ruled against Microsoft's appeal against a warrant to disclose emails and other records in a particular MSN email account(10). Judge Preska ruled that the location of the data (in Dublin) was not relevant because Microsoft still "controlled it" and was therefore liable to provide it under warrant pursuant to the US Stored Communications Act. Microsoft decided not to comply with the order, voluntarily putting itself in contempt, and is continuing to seek ways to appeal the decision.
Apple, Cisco, Verizon and AT&T all filed Amicus briefs in support of Microsoft's appeal on the basis that finding in favour of the US Government would conflict directly with EU data protection laws. Viviane Reding, former EU Justice Commissioner, has said that "the extraterritorial application of foreign laws (and orders to companies based thereon) may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the [European] Union".
The case will continue but what is certain for now is that the lack of clarity and the potential conflicts of laws present real challenges for US cloud vendors and their customers or potential customers.
The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
This series of articles has been made possible thanks to the CoCo Cloud project (www.coco-cloud.eu) funded under the European Union’s Seventh Framework Programme, and of which Bird & Bird LLP is a partner. Said project aims to establish a platform allowing cloud users to securely and privately share their data in the cloud.
Our next article will address the "security requirements and guidance" in the cloud computing context.
(1) Our study examined the particularities of national laws on key specific issues in ten selected EU Member States, i.e., Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Poland, Spain and the United Kingdom ("Key Member States").
(2) Article 29 Working Party, 'Opinion 05/2014 on Anonymisation Techniques onto the web' adopted on 10 April 2014 (WP216).
(3) Article 29 Working Party, 'Opinion 03/2014 on Personal Data Breach Notification' adopted on 25 March 2014 (WP213).
(4) Article 29 Working Party, 'Opinion 03/2013 on Purpose Limitation', adopted on 2 April 2013 (WP203).
(5) Article 29 Working Party, ‘Opinion 15/2011 on Consent’ adopted on 13 July 2011 (WP187).
(6) Article 29 Working Party, 'Opinion 08/2010 on Applicable Law' adopted on 16 December 2010 (WP179).
(7) Article 29 Working Party, 'Opinion 4/2007 on the Concept of Personal Data' adopted on 20 June 2007 (WP136).
(8) In addition, it should be mentioned that the Berlin International Working Group on Data Protection in Telecommunications published on 24 April 2014 a Working Paper on Cloud Computing - Privacy and Data Protection Issues (the "Sopot Memorandum").
(9) See Article 29 Data Protection Working Party, ‘Opinion 05/2012 on Cloud Computing’ adopted on 1 July 2012 (WP 196), 1.
(10) For the magistrate's decision, see In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., __ F. Supp. 2d. __, 2014 WL 1661004 (SDNY 25 April 2014).