A Cl rtic loud cle 2 d Co 29 W omp Work putin king ng O g Pa Opin ...

A<strong>rtic</strong>le <strong>29</strong> <strong>Work</strong><strong>king</strong>Party<strong>Cl</strong>oud<strong>Co</strong>m<strong>putin</strong>g OpinionnCSA Legaal InformationCenterSponnsored Research

A<strong>rtic</strong>le <strong>29</strong> <strong>Work</strong>ingParty <strong>Cl</strong>oud<strong>Co</strong>m<strong>putin</strong>g Opinion:Blowto Safe Harbor?CSALegal Information CenterSponsored ResearchINTRODUCTIONThe <strong>Cl</strong>oud Security Alliance is a not‐for‐profit organization with a mission to promote the use of best practices forproviding securityassurance within <strong>Cl</strong>oud <strong>Co</strong>m<strong>putin</strong>g, and to providee education on the uses of<strong>Cl</strong>oud <strong>Co</strong>m<strong>putin</strong>g to helpsecure all other forms of c<strong>omp</strong>uting. The <strong>Cl</strong>oud Security Alliance is ledd by a broad coalition of industry practitioners,corporations, associations and other key stakeholders. CSA sets the pace as the industry leader in research, bestpractices and certification for the trusted c<strong>loud</strong> ecosystem.The CSA Legal Information Center is an expert‐led community resource for global legal issues impacting c<strong>loud</strong>c<strong>omp</strong>uting. Our mission is to provide unbiased information about thee applicabilityof existing laws and also identify lawsthat are being impacted by technology trends and may require modification. The CSA Legal Information Center includeswhitepapers, webinars, an advice column and in‐person events.The CSA Legal Information Center is locatedat: https://c<strong>loud</strong>securityalliance.org/research/clic//The CSA Legal Information Center is supported by our founding sponsor and corporate member Box. Founded in 2005,Box provides a secure content sharing platform that both users and ITT love and adopt. <strong>Co</strong>ntentt on Box can be sharedinternally and externally, accessed through iPad, iPhone, Android, TouchPad and PlayBook applications, andextended toopartner applications such as Google Apps, NetSuite and Salesforce. Headquarteredd in Palo Alto, CA, Box is a privatelyheld c<strong>omp</strong>any andis backed byventure capital firms Andreessen Horowitz, Draper Fisher Jurvetson, Emergence CapitalPartners, Meritech Capital Partners, Scale Venture Partners, and U.S. Venture Partners. To learn more about Box, pleasevisit www.box.com.All trademarks, copyrights and logos are theproperty oftheir respective owners.Author Acknowledgment© 2013 FrancoiseGilbert ‐ IT Law Group – All Rights ReservedFrancoise Gilbert, JD, CIPP/US, focuses her legal practiceon information privacy and security, c<strong>loud</strong> c<strong>omp</strong>uting, and dataagovernance. She was listed as one of the country’s top legal advisors on privacy matters in a recent industrysurvey and,for several years, has been recognized by Chambers, Best Lawyers, ass leading lawyer in the field of information privacyand security. For the past two years, Ethisphere has identified her as “an attorneywho matters” in the fieldofinformation privacy and security.Gilbert is the author and editor of the two‐volume treatise Global Privacy & Security Law (3,000 pages; Aspen Publishers,Wolters Kluwer Law and Business) (www.globalprivacybook.com), which analyzes the data protection laws of 65countries on all continents.She is the managing attorney of the IT Law Group (www.itlawgroup.com) and serves as the general counselof the <strong>Cl</strong>oudSecurity Alliance. She also keeps a blog on domestic and international data privacyand securityissues(www.francoisegilbert.com). (650) 804‐1235 fgilbert@itlawgroup.com2013 CLOUD SECURITY ALLIANCE | 1

A<strong>rtic</strong>le <strong>29</strong> <strong>Work</strong>ing Party <strong>Cl</strong>oud <strong>Co</strong>m<strong>putin</strong>g Opinion:Blow to Safe Harbor?CSA Legal Information CenterSponsored ResearchA<strong>rtic</strong>le <strong>29</strong> <strong>Work</strong>ing Party <strong>Cl</strong>oud <strong>Co</strong>m<strong>putin</strong>g Opinion:Blow to Safe Harbor?by Francoise Gilbert, JD, CIPP/USThe A<strong>rtic</strong>le <strong>29</strong> Data Protection <strong>Work</strong>ing Party—which includes representatives of the data protection authorities of eachof the European Union member states—recently issued an opinion on c<strong>loud</strong> c<strong>omp</strong>uting that could impact U.S. c<strong>loud</strong>providers. The opinion, published July 2 as Document WP 196, 1 analyzes the applicable data protection laws andobligations for c<strong>omp</strong>anies providing, or using c<strong>loud</strong> c<strong>omp</strong>uting services in the European Economic Area (EEA). Itidentifies data protection risks that are likely to result from the use of c<strong>loud</strong> c<strong>omp</strong>uting services, and provides guidanceon how to manage a c<strong>loud</strong> c<strong>omp</strong>uting contract.The most significant aspect of the opinion is its negative evaluation of the ability of Safe Harbor self‐certification to meetthe requirement of national laws implementing the 1995 EU Data Protection Directive.While they do not have the force of law, opinions of the A<strong>rtic</strong>le <strong>29</strong> <strong>Work</strong>ing Party 2 have a significant influence over theways c<strong>omp</strong>anies operate and the privacy choices they make. Businesses operating in the European Economic Areashould keep in mind that the data protection authority of the country, or countries, in which they operate are highlylikely to follow the guidance set forth in a <strong>Work</strong>ing Party’s opinion. 3 Thus, it is important that they operate within theguidelines provided in the opinions and other writings of the A<strong>rtic</strong>le <strong>29</strong> Data Protection <strong>Work</strong>ing Party. 4Risk analysis and contractual provisionsFor businesses and governmental administrations wishing to use c<strong>loud</strong> c<strong>omp</strong>uting services, WP 196 recommends thedata controller (the data owner) first conduct a c<strong>omp</strong>rehensive and thorough risk analysis of the proposed c<strong>loud</strong>service—including, in pa<strong>rtic</strong>ular, an evaluation of the risk to the data that would be held in the c<strong>loud</strong>. This due diligencerequires actions by the purchaser of the c<strong>loud</strong> services, as well as cooperation from the providers of the c<strong>loud</strong> services.The second part of the opinion provides guidance on the contractual arrangements that regulate the relationshipbetween a data controller and a c<strong>loud</strong> service provider with respect to data privacy and security. According to WP 196,the contract should provide appropriate transparency with respect to data handling practices. It should also ensureisolation, “intervenability” (the data subject’s ability to exercise their rights) and portability of personal data.Appropriate security measures should provide the tools necessary for ensuring availability, integrity and confidentiality.Cross‐border data transfers and Safe HarborBecause national data protection laws in the European Economic Area create significant barriers to cross‐border transferof data, WP 196 analyzes, at length, how these restrictions affect c<strong>loud</strong> c<strong>omp</strong>uting. The opinion casts significant doubtson the ability of Safe Harbor self‐certification 5 to meet the data protection requirements in the EEA. It states: “Sole selfcertificationwith Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protectionprinciples in the c<strong>loud</strong> environment. ... [C]<strong>omp</strong>anies exporting data should not merely rely on the statement of the dataimporter claiming that he has a Safe Harbor certification. ... [T]he c<strong>omp</strong>any exporting data should request evidence1 http://ec.europa.eu/justice/data-protection/a<strong>rtic</strong>le-<strong>29</strong>/documentation/opinion-recommendation/files/2012/wp196_en.pdf.2 http://ec.europa.eu/justice/data-protection/a<strong>rtic</strong>le-<strong>29</strong>/index_en.htm.3 http://ec.europa.eu/justice/data-protection/a<strong>rtic</strong>le-<strong>29</strong>/documentation/opinion-recommendation/files/2012/wp196_en.pdf.4 http://www.c<strong>omp</strong>uterweekly.com/news/1280089878/Google-changes-Street-view-to-meet-privacy-obligations.5 http://www.c<strong>omp</strong>uterweekly.com/blogs/it-fud-blog/2011/03/in-the-past-week-ive.html.2013 CLOUD SECURITY ALLIANCE | 2

A<strong>rtic</strong>le <strong>29</strong> <strong>Work</strong>ing Party <strong>Cl</strong>oud <strong>Co</strong>m<strong>putin</strong>g Opinion:Blow to Safe Harbor?CSA Legal Information CenterSponsored Researchdemonstrating that these principles are c<strong>omp</strong>lied with. … It might be advisable to c<strong>omp</strong>lement the commitment of thedata importer to the Safe Harbor with additional safeguards, ta<strong>king</strong> into account the specific nature of the c<strong>loud</strong>.”This negative assessment of the viability of Safe Harbor self‐certification as a way to meet the adequacy requirement ofEEA national data protection laws is detrimental to the adoption of c<strong>loud</strong> c<strong>omp</strong>uting—it is likely to slow down itsadoption in Europe because most c<strong>loud</strong> providers are U.S.‐based. If, as stated in the opinion, the Safe Harbor principlesmay not guarantee the data exporter the necessary means to ensure that appropriate security safeguards have beenapplied by a U.S. c<strong>loud</strong> provider (as may be required under the national data protection laws of the EU Member States),then both U.S. data importers and EEA data exporters may be left with no certainty on how to proceed and morequestions about what will satisfy the EEA regulators.<strong>Cl</strong>oud c<strong>omp</strong>uting contractsThe recommendations on c<strong>loud</strong> c<strong>omp</strong>uting contracts go significantly beyond the current provisions of most c<strong>loud</strong>service agreements. While the opinion recommends obtaining information about server location and the use orengagement of subcontractors, c<strong>loud</strong> clients have had significant difficulty obtaining this information and have generallybeen unable to control the use of subcontractors. While the opinion favors the use of liability provisions, most contractsfor c<strong>loud</strong> services do not include any significant penalties for breach of contract. In existing contracts, a c<strong>loud</strong> provider’sliability is usually limited to direct damages and capped at the amount paid for the services for the few months thatpreceded an incident (usually two to 12 months). Most c<strong>loud</strong> contracts also do not address data retention or datadisposal. Provisions that address data retention, if any, are frequently limited to granting the c<strong>loud</strong> provider the right todelete all data within a short time after the end of the relationship.It’s not <strong>cle</strong>ar what effect the <strong>Work</strong>ing Party’s opinion will have on U.S. c<strong>loud</strong> providers, or the extent to which U.S. c<strong>loud</strong>providers will adjust their operating terms in order to meet these guidelines. However, if U.S. c<strong>loud</strong> providers want tocontinue to attract EU‐based clients, they will have to address the recommendations of WP 196, especially those relatedto cross‐border data transfers—at least in connection with their sales in the European Economic Area. Will they want orbe able to keep different sets of terms for their contracts signed in the United States, when many of their clients areglobal c<strong>omp</strong>anies who want to sign global deals?// This a<strong>rtic</strong>le was first published by TechTarget2013 CLOUD SECURITY ALLIANCE | 3