Personal data cannot be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for rights and freedoms of data subjects in relation to the processing of personal data. This is known as the 8th Data Protection Principle (the “8th DPP”). The 8th DPP is part of the Data Protection Act 1998. The 8th DPP is enforced in the UK, by the Information Commissioner’s Office (the “ICO”).
One of the major discussion points and concerns regarding cloud computing has been the 8th DPP. Statistically cloud suppliers tend to be US-based. A number of cloud providers are unable to state where they store their data.
There are a number of derogations available from the 8th DPP. This includes Safe Harbor. The Safe Harbor program is a voluntary self-certification scheme whereby US organisations can qualify as offering adequate protection for personal data transferred to them from the EU. Due to such self-certification and perceived lack of regulatory enforcement, its value has been questioned by, amongst others, the European Commission and European Parliament.
Being on the Safe Harbor list is not itself enough to meet the 8th DPP. Businesses do not appreciate that the US suppliers need to agree to comply with the Federal Trade Commission’s (the “FTC”) seven privacy principles and / or the 8 data protection principles as part of their contractual arrangements with their EU customer. The FTC is the US’ chief consumer privacy agency.
Edward Snowden’s revelations about the NSA have brought the use of US-based ICT suppliers into sharp focus. If Edward Snowden is correct, the various data protection laws may be irrelevant to the NSA’s operational activities.
The European Parliament voted overwhelmingly in favour of immediately suspending the Safe Harbor framework between the EU and America. This followed on from a similar recommendation from the European Parliament’s Civil Liberties, Justice and Home Affairs Committee. The recent spat between the Senate’s Select Committee on Intelligence and the CIA who both accuse the other of hacking may further exacerbate the EU’s concerns about the security of personal data processed in America that were heightened by PRISM, the clandestine mass electronic surveillance data mining program launched in 2007 by NASA.
This vote was shortly after the ICO and the FTC signed a non-legally binding Memorandum of Understanding to promote increased co-operation and communication between the two agencies in their efforts to protect consumer privacy and bolster their privacy enforcement partnership. This includes mutual assistance and the exchange of information for the purpose of investigating, enforcing and/or securing compliance with covered data protection violations.
The European Parliament also approved the ICO’s draft Data Protection Regulation. The extent of their support was indicated by the European Parliament increasing the maximum fine for breaching such Regulation from the European Commission’s proposed 2% of global turnover to 5% of global turnover. The Council of Ministers amending and / or approving the draft Regulation is the only step left before the draft Regulation becomes law.
Twelve US businesses have agreed to settle FTC charges that they falsely claimed to be abiding by Safe Harbor.
The FTC recently celebrated its 50th data security settlement since 2002. Whilst this number is significantly less than the monetary penalty notices issued by the ICO, the FTC is still enforcing security breaches.
Whilst the practical effect of these developments is unclear and there are still major concerns regarding the adequacy of protection of EU citizens’ personal data processed in America following the PRISM revelations, it is positive that the FTC has taken the aforementioned actions. Businesses continue to be attracted by the cost savings cloud computing offers. Such actions give prospective users of US-based cloud services greater comfort regarding the adequacy of protection of their personal data and (contrary to ill-informed opinion) highlight that the US has and enforces data protection laws.
If Safe Harbor is suspended, it is hoped that the European Commission puts a replacement method for legitimate processing in place before any such suspension. Model Clauses and Binding Corporate Rules are insufficient for the volume of transfers entailed in cloud computing. Without such replacement, suspending Safe Harbor could be impractical and come at a financial cost for EU citizens. By contrast, the ICO and FTC recognise the nature of the modern global economy, increasing flow of personal data across borders and need for increased cross-border enforcement co-operation.
Many commentators feel that the Council of Ministers is likely to tweak, rather than re-write, the draft Regulation. The European Parliament’s press release that data protection reform is now ‘irreversible’ with Viviane Reding adding ‘strong data protection rules must be Europe’s trade mark…Following the U.S. data spying scandals, data protection is more than ever a competitive advantage for the EU’ indicates the European Parliament’s confidence that the Regulation will be adopted by the Council of Ministers.
Nathaniel Lane is a Solicitor in Michelmores’ Technology, Media & Communications Team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at email@example.com or on 0207 788 6313.