
Legality Risk to Cloud Computing on the horizon?

When the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee called for the immediate suspension of data flows “to any organization that has self-certified its adherence to the US Safe Harbor Principles” there was a very sharp intake of breath from data protection compliance officers across Europe.  If your company uses Google Docs or Salesforce or any other Safe Harbor company, your legal right to use that service for processing personal information could be in jeopardy.

_ _ _ _ _ _

It is common knowledge that it is unlawful to process personal information outside of the European Economic Area unless sufficient safeguards are in place to protect that information.  In practice, processing includes every conceivable activity you could do with data: collecting it, storing it, transmitting it, retrieving it, backing it up … even deleting it is an act of data processing.  The Data Protection Act 1998 also sets out that it is the data controller’s responsibility to ensure that the safeguards in place are sufficient – and the data controller is of course very likely to be YOU.

If you are using one of the many cloud computing services like Dropbox, Apple, GoogleDocs, CrashPlan, Office365, Zoho, Zapier, Survey Monkey, Mail Chimp etc. to process information about your staff or customers or prospects, then you are very likely to be deemed in law to be the Data Controller.  The responsibility for the data that you are processing sits squarely with you.  Any data loss, accidental destruction, malicious theft, or unauthorised access by snoopers is your problem and your responsibility.  And if you haven’t any robust evidence of having undertaken due diligence to assess the suitability of the safeguards in place at the company that is processing data on your behalf (i.e. the cloud service provider), then heaven help you.  You may have a £500,000 fine heading your way!

So what are considered to be “sufficient safeguards”, and how do you go about undertaking and documenting due diligence?  Most people think that data protection safeguards are exclusively about IT security – about firewalls, tunnels, password controls, tokenisation, encryption etc. – but that is only part of the picture.  It’s actually only 12.5% of the problem, to be precise!  More of that later.  There are also varying degrees of due diligence that you need to apply to ANY data sharing/data processing agreement or practice (including, but not exclusively, cloud computing services) – also more of that later.

Fortunately there has been a scheme in place since 2000 that has been approved by both the European Union and the United States of America (where many cloud services actually process your cloud-based data).  Ironically, most users of cloud computing services have never even heard of “Safe Harbor” – the mechanism which may offer them some degree of protection against prosecution in the UK!

So when the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee called for the immediate suspension of data flows “to any organization that has self-certified its adherence to the US Safe Harbor Principles” there was a very sharp intake of breath from data protection compliance officers across Europe.  If your company uses Google Docs or Salesforce or any other Safe Harbor company, your legal right to use that service for processing personal information could be in jeopardy.  To be clear, that’s not to say that you would be breaking the law if you carried on using the cloud service – but you would have to undertake, and be able to evidence, more robust and rigorous due diligence in order to defend your position and your decision to use the service.

This is definitely one to watch.  There have been several reports in the press that the European Commission has decided not to suspend Safe Harbor, and repeated calls for its suspension by LIBE and other groups following each successive revelation about systematic snooping and unauthorised access of data by the US National Security Agency (NSA).  Perhaps it is time to start putting in place your own due diligence measures (which I’d suggest is good practice anyway) just in case – because if Safe Harbor IS suspended, it will have unimaginably massive repercussions for businesses in the UK.