
Cloud Computing: European Data Protection Dangers

Cloud computing is rapidly becoming a buzzphrase in IT-reliant businesses. Its proponents include some of the largest technology companies in the world. But while enterprises may be able to save money by moving into the cloud, it is difficult to see how they can do so with their customers’ personal information without breaching EU data protection law.

Household names like Google, Amazon and Microsoft are racing each other to create rival global platforms for the storage and manipulation of data. They have sent their marketers out amongst us to proclaim the Good News: Cloud Computing will reduce costs and improve service when compared to the traditional self-built and run server rooms most significant organisations are used to.

McKinsey Consulting helpfully offered a definition of Cloud Computing in a recent report on the topic: “Clouds are hardware based services offering compute, network and storage capacity where; hardware management is highly abstracted from the buyer, buyers incur infrastructure costs as variable OPEX, and infrastructure capacity is highly elastic”.

Or, as the rest of us might understand it, that you get to sub-contract out part, some or most of your storage and information processing requirements to an already vastly tooled up company and you access it as you need it across the internet.

Clouds, being amorphous, fuzzy and everywhere, were chosen as the perfect metaphor for this kind of service. But a metaphor can obscure the reality of what’s being offered: to send data out to external companies and store it in their datacentres across the world, without any transparency as to which jurisdictions the data now resides in.

Ireland has a particular interest in the development of cloud computing. Google, Microsoft and Amazon have all located major data centres around Dublin. It has been mooted that having these services available will enable Ireland’s entrepreneurs to launch global web-based businesses without having to make enormous capital investment.

The difficulty arises when we apply the cloud computing model, developed in the US, to data relating to people in the EU. There is a gap in privacy standards between the two jurisdictions, with the EU protecting its citizens’ personal data in legislation.

Personal Data is defined by Directive 95/46 as “any information relating to an identified or identifiable natural person” and processing same as “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

Ireland’s Data Protection Acts implement this European law into local legislation. The Irish Data Protection Commissioner helpfully defines a Data Controller so that you might more readily recognise if you are one: “A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information.” So, the controllers are the people who have the responsibility for the data as it is being processed, no matter where or by whom. The entities to which they pass the data to be dealt with in a specific way are defined as data processors. Cloud computing providers would fall into this class.

But though Irish enterprises work under these European-wide legislative protections of our personal data, the cloud computing model is less sympathetic to our data controllers’ responsibilities.

The FAQ for Amazon’s Cloud offering, called S3, baldly announces that “Amazon S3 allows customers of Amazon S3 to store their data in the EU; however, it is up to the customers of Amazon S3 to ensure that they comply with EU privacy laws.” Furthermore, their Terms of Service states, in all caps for emphasis, that they do not warrant “THAT THE DATA YOU STORE WITHIN THE SERVICE OFFERINGS WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED.”

This ‘as-is’ approach clashes fundamentally with the responsibility of a Data Controller to ensure the security of the data they pass on to a data processor. There is the additional complication that, unlike Amazon, not all the cloud computing service providers will promise to keep the data uploaded from the EU in the EU. The result is the possibility of breaching the laws which prevent EU citizens’ personal data being exported to jurisdictions with less stringent protections.

The Irish Data Protection Commissioner’s office is under-resourced, having only a handful of investigations officers for the entire country. It is hardly likely that he will prioritise clamping down on cloud computing providers who are creating high-value employment in Ireland. Nonetheless, for Irish entrepreneurs and IT professionals who are considering taking the cloud computing route, it is important that they do so with an awareness of the difficulties it could throw up later in a due diligence situation.

Buying or selling a company is like a house purchase. Before the buyer closes the deal, they’re going to want to be reassured that the last owner didn’t do anything that might see them inheriting a legal headache. It may only be when the first wave of early-adopter companies start to be acquired that we will get a clear picture of the full cost of moving to cloud computing.

Facebook’s European Privacy Problem


There is a suggestion in the Irish Times that Facebook Inc may be considering locating a European base of operations in Ireland. In that context it may be useful to consider the current situation regarding Facebook, its attendant applications and their use of Irish and European users’ Personal Data. The main question is whether all of Facebook’s behaviour is in compliance with Europe’s Data Protection Law, and the extent to which that law may apply to either Facebook Inc or any of the controllers of the Applications which rely on its systems.

This discussion is intended to be readable by a non-lawyer but it is inescapable that some law has been quoted. Please bear with us through the legislative turbulence.

Data Protection’s Roots
The EU’s Data Protection Directives were introduced to eliminate potential inhibitions to trade arising from differing degrees of Data Protection in Member States. Directive 95/46 explicitly recognises the right to privacy contained in EU law and in the European Convention on Human Rights (ECHR). Breaches of that general right to Privacy are only acceptable if justified under the exceptions allowed for in Article 8 of the ECHR. See this informative posting by Thomas Otter for more background.

The Directives and the implementing Acts are intended to protect the personal data of EU citizens in a uniform manner across the EU. Personal Data is defined by Directive 95/46 Art 2(a) as

any information relating to an identified or identifiable natural person

What is the meaning of Processing in the context of the Directives?

Directive 95/46 defines it as including, but not being limited to

collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

Directive 95/46 Art (3)(2)(e) allows an exception for

processing of data carried out by a natural person in the exercise of activities which are wholly personal or domestic, such as correspondence and the holding of addresses.

It should be clear that a PR person dealing with their address book falls outside this exemption, but that it allows for private people to keep a Gmail address book, and even perhaps to check it against membership of Facebook, provided that action is entirely personal or domestic. If a person is in a business where networking or keeping connections is required for their work, it is likely that this would fall outside the remit of the above exemption.

Part of The Establishment
Directives are high level legislation which set out what each member state must ensure is law in their jurisdiction. It is up to each member state to bring their laws into line with those aims in whatever form is most suitable for their legal system. In Ireland, the Data Protection Acts set out to whom their provisions apply. In Section 3B, they include entities established in the state. Facebook seems to fall within one of the definitions of an entity established in Ireland. (Section 3B (a)(ii))

makes use of equipment in the state for processing the data otherwise than for the purpose of transit through the territory of the State

I think one such piece of equipment, given the earlier quoted definition of processing as including “dissemination or otherwise making available” personal data, is sitting on my desk.

Facebook Inc already has an office in London. This also puts them within the alternate definition of “establishment” (in the UK) in Section 3A (a) as having

an office, branch or agency through which he or she carries on any activity

But, one of the difficulties for transnational companies is that the Directive doesn’t allow them to pick just one EU country and comply with its Data Protection laws. Directive 95/46 Recital 19 puts an onus on a Data Controller established in multiple territories to fulfill the obligations of all those states.

One of Ireland’s obligations is that if a data controller is outside the EEA (which Facebook Inc is) and the data is processed inside this state (which, we’ve suggested above, happens with Facebook data) they must “designate a representative established in the State” (per the Data Protection Acts Section 3B(c)). I have not been able to find if Facebook has designated anyone as their representative in Ireland.

Consent by the person whose personal data is processed does not remove the duty to register as a Data Controller or Processor.

Safe Harbour?
Thomas Otter, whose excellent article on Facebook and Data Protection I linked to above, refers to Facebook Inc as claiming “safe harbour” status. This is a method by which companies and organisations working in countries which have not been deemed to have adequate protection for data may export the data of European citizens to those countries. In effect these organisations pledge to meet the requirements of the Data Protection Directives themselves.

US Companies who want this status must register with the US Department of Commerce and have a Privacy Policy which complies with the terms of the Data Protection Directives. The problem for Facebook Inc is that they seem to have grown so quickly that their systems haven’t caught up with their compliance requirements in this area. For example, as reported by Channel Four News late last year, Facebook will resist requests to delete the Personal Data it holds when asked to do so by the data subject. Alan Burlison was the source of that report, and he outlines on his blog the responses he got from Facebook, and then, following his complaints, from the UK Information Commissioner and from Truste, a 3rd party who certifies compliance with European Safe Harbour requirements.

Here’s the response he initially received:

If you deactivate, your account is removed from the site. However,
we save all your profile content (friends, photos, interests, etc.), so
if you want to reactivate sometime, your account will look just the
way it did when you deactivated.

After Channel Four News came and interviewed him, he received a follow-up email:

We have permanently deleted your account per your request. We do
not retain any information about your account once it is deleted,
and thus deletion is irreversible.

This shows that compliance with the Data Protection principle that a person has a right to have information stored about them amended or erased is technically possible. It just isn’t policy. Which would put Facebook’s real data handling policies at odds with the claim to be a Safe Haven. Which in turn would raise the question of whether it is lawful for it to pass that data outside EEA borders. Which, of course, is exactly what it potentially does every time a developer for the Facebook Platform creates an application.

Failure to comply with the provisions of the Data Protection Act is a criminal offence. If European users suffer a loss arising from unlawfully held personal data they would have grounds for an action against Facebook Inc. Facebook’s privacy policy shows that it is aware of the Data Protection Directives. This potential financial risk is something which they will know or ought reasonably to know about, it can be presumed. I can’t speak for Californian law, but here the common law burden of directors’ duties to their companies may leave those directors personally liable for losses which arise from a breach they ought to have reasonably avoided.

Applications, Complications

In all of this discussion, I’ve treated the Facebook Inc database as a single, unitary item. But, of course, pieces of it are passed to third parties when a Facebook member agrees to install an application. This agreement consists, in total, of not unselecting a tickbox beside the statement “Allow [Application Name] to access my information.” It is arguable that this wouldn’t, by itself, be enough to constitute genuine consent.

Where are these third parties based? Certainly some of them are in Europe. We’re not privy to the terms of any given agreement between Facebook and an Application controller. Nonetheless, questions need to be raised about the data protection standards of the entities or people controlling these applications. Are they registered with the local Data Protection Commissioner in each state in which they are established? Are they all registered as Safe Harbours if they are based in the US? If not, what liability may attach to the developers or their employers arising from these applications in the case of any future claims?

Endnote
Data Protection law is a relatively new field. There is not a great deal of caselaw clarifying these matters. This puts anyone trying to apply it to a real world situation in the unhappy position of attempting to interpret the legislation, a task best left to judges. Nothing I say here should be taken as legal advice.

THE VIEWS AND COMMENTS EXPRESSED HEREIN ARE THOSE OF, AND PERSONAL TO, THE WRITER, AND ARE INTENDED FOR GENERAL DISCUSSION PURPOSES ONLY. THEY ARE NOT INTENDED TO BE RELIED UPON BY ANY PARTY. NO REPRESENTATION OR WARRANTY IS GIVEN AS TO THE ACCURACY OR CORRECTNESS OF SAME, NOR ARE THEY REPRESENTED AS CONTAINING (OR AS A SUBSTITUTE FOR) LEGAL ADVICE OR ASSISTANCE. NO LIABILITY WHATSOEVER (WHETHER IN CONTRACT, NEGLIGENCE, NEGLIGENT MISSTATEMENT OR OTHERWISE AT ALL) IS ACCEPTED TO ANY PERSON ARISING OUT OF ANY RELIANCE ON THESE VIEWS.