Cloud Computing Finds U.S.-Sanctioned Shelter in the U.S.-EU Safe Harbor Program
On April 12, 2013, the U.S. Department of Commerce’s International Trade Administration (“ITA”) released a guidance document designed to clarify how the U.S.-EU Safe Harbor Framework applies to cloud computing, concluding that the existing Safe Harbor Privacy Principles are sufficiently comprehensive and flexible to address the privacy and data security issues raised by transferring personal data in the cloud.
European Union’s Data Protection Directive
The European Union’s 1995 Data Protection Directive (“Directive”) regulates the processing of personal data within the European Economic Area (“EEA”) as a means to safeguard individual citizens’ privacy.
Under the Directive, personal data may be transferred to third countries (non-EEA member states) only if that country provides an “adequate” level of protection. Most notably, the United States is not on the list of countries that meet the EU’s “adequacy” standard for privacy protection, stemming in part from the fact that U.S. privacy law is based on a combination of sector-specific legislation and self-regulation rather than general, overarching legislation along the lines of the Directive and relevant Member State laws. Accordingly, an organization that does its processing in the cloud may be violating EU law if the data goes to a server located outside the EU in a country that does not meet the adequacy standard, such as the United States.
In order to provide a means for U.S. companies to comply with the Directive (and thereby ensure continued trans-Atlantic transactions), the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor Program” designed to protect against accidental information disclosure or loss.
U.S. companies can opt into the program and self-certify as having “adequate” privacy protections, provided they adhere to the following fundamental Safe Harbor principles:
- Notice. Organizations must notify individuals about the purposes for which they collect and use their information.
- Choice. Organizations must give individuals the ability to opt out of the collection and forward transfer of their data to third parties.
- Onward transfer. Organizations may only transfer information to a third party if the third party subscribes to the Safe Harbor principles, or is subject to the Directive. Alternatively, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor principles.
- Access. Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Security. Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
- Data Integrity. Data must be relevant and reliable for the purpose it is to be used.
- Enforcement. There must be effective means of enforcing these rules, verifications that an organization’s commitments to adhere to the Safe Harbor principles have been implemented, and obligations to remedy problems arising out of failure to comply with the principles.
In the guidance document, the ITA expressed its view that the EU’s recognition of Safe Harbor’s adequacy for data protection purposes is applicable to cloud service provider agreements (i.e., agreements that involve the transfer of personal data from the EU to organizations established in the U.S.).
The guidance document is the U.S. Department of Commerce’s official response to the Article 29 Data Protection Working Party Opinion published last year, which suggested that Safe Harbor self-certification may not by itself provide sufficient data protection in the cloud environment. The Working Party is an independent advisory body on data protection and privacy comprised of representatives from each European data protection authority, the European Commission, and the European Data Protection Supervisor. While its opinions are not binding and do not constitute legal obligations, they are highly persuasive for EU data protection authorities and courts.
Defending the Safe Harbor Program as an officially sanctioned mechanism to ensure an adequate level of data protection, which was previously approved by the European Commission and which cannot be unilaterally dismantled by an advisory board of European regulators, the ITA concludes in its guidance document that:
- Safe Harbor does not require that cloud service provider agreements incorporate the EU standard contractual clauses for mere processing of data. Such clauses represent an alternative to Safe Harbor certification, not an additional requirement, as either option would allow a service provider to ensure an “adequate” level of data protection.
- The Commission has not issued any new requirements regarding Safe Harbor that would reduce the value of certification to cloud service providers. Nevertheless, the ITA notes that the Article 29 Working Party Opinion on Cloud Computing (“Art. 29 WP”), while non-binding, is nonetheless worth examining. The Art. 29 WP recommends that “companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification,” but instead should “obtain evidence that the Safe Harbor self-certifications exist and request evidence demonstrating that their principles are complied with.”
- Member State data protection authorities must recognize Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection.
- Compliance with Safe Harbor will remain an officially recognized means of demonstrating that an eligible U.S. organization ensures an adequate level of data protection while EU data protection reform currently before the European Parliament — to replace the existing Directive with a General Data Protection Regulation — proceeds.
The guidance document is not intended to address (let alone alleviate) all possible concerns of those companies contemplating transferring personal data subject to the Directive to cloud service providers in the United States. Nevertheless, it does provide both current and prospective participants in the U.S.-EU Safe Harbor program with an official pronouncement that, at least in the U.S. Department of Commerce’s view, the protections afforded by the Safe Harbor Framework apply equally to cloud-based and non-cloud-based service providers. Of course, whether the European Commission ultimately shares this opinion, and whether, therefore, the Harbor is deemed safe on both sides of the pond, remains to be seen.