Last month Microsoft adopted the first international cloud privacy standard. Described as marking a major milestone for cloud privacy, the standard in question, ISO/IEC 27018:2014, "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII)…for the public computing environment". If adopted more widely, could this lead to greater confidence in data security and privacy in cloud computing?
Microsoft has announced that the controls under this standard have been adopted in relation to Azure, Office 365 and Dynamics CRM Online.
The standard seeks to protect privacy in a few key ways:
- PII will only be processed in accordance with customer instructions;
- Transparency about the provider's policies on the return, transfer and deletion of the customer's data; and
- Adherence to important security safeguards.
Security of cloud-based services has for a while been a major concern for customers and data protection regulators alike. This move by such a high-profile cloud provider can only be seen as a positive step for customers. Time will tell whether other cloud providers follow suit and whether European data protection regulators think the new cloud privacy standard will be enough to meet stringent European security requirements for transferring personal data outside of the European Economic Area (EEA).
Although the new cloud standard will give customers some comfort that their cloud providers have adequate security, policies and procedures in place to protect personal data, the standard will not replace the approved mechanisms for transfers of personal data outside of the EEA. Such mechanisms include Safe Harbor (if transferring to the US), European Commission-approved model contracts and Binding Corporate Rules. In reality, model contracts are currently most relevant to cloud providers transferring their customers' personal data to multiple countries and sub-contractors around the world.
Although model contracts still remain a firm favourite (particularly with data controller customers), they have their limitations (as described below). Increasingly demanding customers and regulators, combined with the proposed new Regulation requirements that will impose compliance obligations directly on data processors, mean we are likely to see increased applications by cloud providers for the processor Binding Corporate Rules which were given the seal of approval in 2013 by the European Commission's data protection working party (the Article 29 Working Party).
Any widespread adoption of ISO 27018 would complement one of the exceptions to the prohibition on transferring personal data outside of the EEA: the adoption of model clauses.
However, model clauses do not offer a complete get-around. In this respect, a couple of notable opinions were issued by the Data Protection Working Party in 2014.
First, there is a glaring gap in the scenarios captured by the available model clauses. The Working Party identified this in its March 2014 opinion (Working document 01/2014 on Draft Ad hoc contractual clauses "EU data processor to non-EU sub-processor"). All of the model clauses focus on non-EEA data transfers by data controllers. There are no model clauses for EEA processors sub-contracting the processing to non-EEA processors.
Where the sub-processing was to take place in the US, previously some confidence was taken from the Safe Harbor Scheme, a self-certification scheme for US companies. But this is now the subject of scrutiny. Indeed, some German data protection authorities (taking a leaf out of the Irish data protection regulator's book) have issued proceedings against US companies for alleged non-compliance with Safe Harbor. More on this from our data protection experts in Germany: "Rescuing personal data from an uNSAfe Harbour: European Data Protection Regulators start taking things into their own hands".
So to address this compliance headache, the Working Party suggested amendments and supplements to the model clauses in its March 2014 opinion. While initially seen as a positive step in the right direction, the draft clauses received criticism for being uncommercial and burdensome and, at the time of writing, have not yet been adopted by the European Commission. While this decision may be disappointing in terms of implementation, it may still inspire confidence that Europe has registered that the problem exists. Our data protection team will be watching this space with interest.
Streamlining the data protection authority cooperation process is the focus of the second opinion: "Working Document Setting Forth a Co-operation Procedure for Issuing Common Opinions on 'Contractual Clauses' Considered as compliant with the EC Model Clauses".
An additional obstacle to the approval of model contracts is that some data protection regulators require the contracts to be approved by them. Whether this is the case will depend on what countries are involved (not all European regulators require approvals) and also what personal data is to be transferred and why (some regulators only require approvals for certain data transfer types).
For countries where these approvals are needed, this can lead to multiple data protection authorities (DPAs) approving the same model clauses where companies from multiple member states are involved in data transfer activity. The cooperation process therefore aims to harmonise the process of assessment between data protection authorities where identical model clauses are used by group companies in different member states.
Essentially, the process involves the nomination of a lead DPA by the "Company". The selection can be justified by reference to location, for example the location in which the contractual clauses and the purposes and means of processing are decided. Data protection authorities do, however, have the discretion to decide which data protection authority is the most appropriate to act as the lead DPA.
The lead DPA will take charge of analysing whether the proposed contract conforms with the model clauses.
A system of "mutual recognition" (which has been compared with the procedure for the adoption of Binding Corporate Rules) will then kick in as the review procedure. Where there are more than 10 countries in which transfers are to take place, two DPAs will act as reviewers, and where there are fewer than 10, one DPA will act as a reviewer.
The decision on conformity will be communicated to the other DPAs in a draft letter which will be signed on behalf of all competent DPAs (provided that they agree with the decision) and sent to the "Company".
It will be interesting to see this procedure working in practice. It could contribute to a welcome simplification of the procedure for intra-group personal data transfers using model contracts.