If personal data is transferred outside certain European countries, the provisions of the eighth Principle come into play. Storing data on a cloud provider’s system abroad counts as a transfer, even if the data is not intended to be used anywhere outside the UK.
As discussed above, it is quite common for a cloud application to be provided by a chain of subcontractors. It is necessary to examine the entire chain in order to assess whether the eighth Principle is engaged.
The eighth Principle aims to give data transferred abroad a level of protection equivalent to that which it would receive within the UK.
This level of protection is automatically provided if the jurisdiction to which the data is transferred is within the European Economic Area, because each of those countries has legislation based on the same European Directive (95/46/EC). The European Economic Area comprises the European Union plus Iceland, Liechtenstein and Norway.
Beyond that, a slowly increasing number of territories have legislation that has been assessed by the European Commission as providing an acceptable level of protection and, as a special case, the US has negotiated the ‘Safe Harbor’ scheme – discussed in detail below.
Jurisdictions where the requirements of the eighth data protection principle are automatically met (as of October 2014) are shown below:
• EU: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Slovakia, Spain, Sweden, UK
• EEA, outside EU: Iceland, Liechtenstein, Norway
• Approved by EC: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
• US, but only where the Safe Harbor scheme applies
Transfers to almost all of Europe are therefore automatically compliant with the eighth Principle, one way or another, but transfers to very few other places are. A few countries, including Australia, Hong Kong and Singapore, have their own data protection laws but these have not been approved by the EC.
• Consent of the Data Subject.
• Necessity in connection with a contract (or prospective contract) between the Data Subject and the Data Controller or a contract with another party at the request of the Data Subject or in their interests.
• Necessity for reasons of substantial public interest.
• Terms “of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects”.
• When “authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects”.
“Adequate safeguards” can be provided through the use of one of the four sets of model contract clauses that have been approved by the EC [8]. Two of these are designed for use when a Data Controller is transferring data to a Data Processor (one of which is no longer acceptable for new contracts). However, most cloud services are not offered on terms that incorporate the EC model clauses.
Intra-company transfers can be protected through binding corporate rules (BCRs) that have been approved by the Information Commissioner. These would not, of course, be relevant to cloud computing where the recipient overseas is a Data Processor, but they could apply where a company has a private cloud located wholly or partially overseas.
Other contractual arrangements may also suffice to provide adequate safeguards, and in the case of cloud services based on standard terms and conditions, this may be one of the few options available. The onus, as ever, is on the Data Controller to demonstrate that appropriate steps have been taken and that the terms and conditions do provide adequate safeguards.
If you are relying on Data Subject consent you must make your Data Subjects fully aware that you intend to transfer their data abroad, so that they can make their own decision on whether the risk is acceptable. In most cloud computing situations consent is unlikely to be a practicable option.
Necessity in relation to the performance of a contract is unlikely to be an acceptable claim in respect of cloud computing, because it can always be argued that equivalent cloud services could have been obtained from providers within the EEA.
Some commentators would seriously question whether the Safe Harbor scheme in the US provides an adequate basis for data protection compliance when using cloud services. The scheme was designed to provide a basis for transferring data between the US and Europe that did not require the US government to put a data protection regime in place. Among its claimed drawbacks are:
• It is largely self-assessed and self-policed; it has no statutory backing.
• The mechanisms for redress can be cumbersome and expensive.
• It only covers data types that are subject to Federal Trade Commission or Department of Transportation oversight. HR data, for example, is not covered.
• Most entries in the Safe Harbor register [9] – with a few notable exceptions – refer to data that the US company holds about individuals abroad who are direct customers, but do not refer explicitly to any personal data held on behalf of customer organisations as part of a cloud service or to the cloud provider’s role as a Data Processor.
• Some investigations have uncovered companies claiming to be signed up to Safe Harbor when, in fact, they are not, while other complaints suggest that US companies make use of personal data in ways that are not covered by their Safe Harbor statements. In 2014 the then European Union justice minister said that the Safe Harbor agreement “may not be so safe after all” and would be reviewed.
Despite this, the agreement is accepted by the EU as providing an acceptable level of protection, and few people worry about the finer points. If a cloud provider based in the US is signed up to Safe Harbor, therefore, the risk of being found in breach of the eighth data protection principle appears to be very small.
Some government data, however, is required to be held within the EEA, or even just within the UK, and some Data Controllers prefer not to rely on Safe Harbor. In these cases, a cloud service where the data is guaranteed to be held only within Europe would be preferable.
Until recently this was easier said than done. Many of the big providers either refused to say where their data was held (for ‘security’ reasons), or explicitly stated that it would be held in the US. Now, though, many have accepted that there is a commercial advantage in providing at least the option for data to be held only within the EEA, and it is rare to find a service that holds all its data in the US, come what may.
It is also worth pointing out that data comes under the protection of the EU Data Protection regime as soon as it is held within Europe, even if it originates outside Europe, relates to Data Subjects outside Europe, and is essentially used only outside Europe.
[8] Explained in detail on the Information Commissioner’s website.