The regulatory environment in Europe for data centre and IT services businesses has changed dramatically, perhaps forever. Privacy concerns, data sovereignty and the location of data are transforming data centre strategy. Recent announcements by Microsoft and Amazon regarding European data hubs are clear evidence that regulation has driven a significant shift in data centre operation, particularly for cloud. Overlapping regulation creates uncertainty, but also opportunity for those who can understand the environment.
Safe Harbor is dead for data transfers between the USA and the European Economic Area. On 6th October the Court of Justice of the European Union (CJEU) issued its decision in the case brought by Maximilian Schrems against Facebook (Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner) and found the US Department of Commerce’s Safe Harbor scheme invalid for transfers of data to Europe. Data centres, cloud vendors and social media companies are typical users of Safe Harbor.
The CJEU’s decision arose as a result of a complaint against Facebook (Facebook uses Safe Harbor). Mr Schrems obtained information from Facebook that they were sharing his personal data with security agencies in the US, which he regarded as a breach of his rights under applicable data protection laws. He asked the Irish Data Protection Commission to investigate Facebook (as they are a data controller in Ireland) for unlawfully processing his data in the US in breach of their Safe Harbor certification. Although the Irish Data Protection Commission did not feel that it had the authority to question Safe Harbor, the CJEU found that the Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
For the time being, the US Department of Commerce seems to continue to administer the Safe Harbor programme, including “processing submissions for self-certification to the safe harbor framework”. The EU Regulation has granted an informal three-month period, following which enforcement actions will start against organisations that have not yet taken the appropriate measures. Safe Harbor 2.0 looms, but it will be a tougher regime which will force businesses to consider it alongside other data transfer solutions.
WHAT DOES THIS MEAN FOR DATA CENTRE BUSINESSES?
This will depend on the services the business provides. Many colocation businesses will not have any access to data, or share customer personal data with other data centres, and therefore will not process or transfer personal data. However, other data centre businesses operate by providing infrastructure-as-a-service or other so-called “cloud” services. Many of these businesses will have detailed compliance requirements to review in the light of the decision. These will include:
- Establishing whether they act as Data Processor for customers;
- Deciding what their preferred data transfer solution will be, and considering a move from Safe Harbor to either Model Contracts or Binding Corporate Rules to adduce adequacy of rights in respect of personal data; in this regard the communication dated 6 November 2015 from the Commission to the European Parliament and Council on the transfer of personal data from the EU to the United States of America (COM(2015)566) sets out the appropriate measures that businesses can take to transfer data safely under approved data solutions; and
- Auditing contracts with third-party vendors who use Safe Harbor.
EU C-SIG CLOUD CODE OF CONDUCT
Safe Harbor is only one component of data regulation in Europe. The General Data Protection Regulation is anticipated to reach final form around the end of 2015 and to come into force in 2017. Alongside this, the Cloud Select Industry Group, a special interest sub-group chaired by the European Commission, has created a code of conduct on cloud computing. This is a voluntary standard designed for cloud operators to demonstrate that they are compliant with data protection law and practice. The focus of the Code is on transparency: it enables cloud providers to self-assess their services and to provide transparency on the supply chain used to host cloud services, including data centre facilities. This will inevitably result in detailed due diligence questionnaires and contractual terms requiring flow-down of transparency obligations from customers to colocation providers. The Code requires:
- Transparency on locations of data processing;
- Allocation of liability between processors and the supply chain;
- Special requirements for processing of special categories of data including sensitive financial or health data;
- Specific requirements on international transfers and law enforcement access requests.
The Article 29 Working Party (an advisory body on data protection including representatives of the Commission and the Supervisory Authorities in each EU country) has commented on this draft code (Opinion 02/20151C/SIG adopted 22nd September 2015). The opinion of the advisory body takes the same approach as the European Court in the Safe Harbor case and the draft Data Protection Regulation in relation to the primacy of individual rights of privacy, and in seeking to restrict access by law enforcement authorities to international transfers of data. As well as requiring information on the location of processing, the Article 29 Working Party comments that “the current draft of the code is only superficial on the matter of law enforcement of government access requests …”; this issue is a major one in relation to data protection and cloud computing. The recommendations of the Working Party require that data processors communicate legally binding requests for disclosure of personal data by law enforcement authorities to the controller unless otherwise prohibited, and that in any case transfers of personal data by a processor to any public authority “cannot be massive, disproportionate and indiscriminate in a matter that will go beyond what is necessary in a democratic society.”
In some sectors, there is also the beginning of an explicit acknowledgement of the data centre. A recent consultation paper on Outsourcing to the Cloud and other third-party IT Services (November 2015), issued by the UK Financial Conduct Authority, provides guidance in relation to the use of cloud. It sets out 14 areas that regulated firms must consider when outsourcing to cloud and IT services. These are generally common-sense approaches to security, data protection and access for regulators, but the approach is more sophisticated - acknowledging that multi-tenant environments and data centres do not always require access from regulators because of the nature of the services provided. For larger operators, specific requirements to monitor concentration risk for outsource providers and to restrict the ability of service providers, including data centre operators, to terminate contracts with regulated firms will require a specific reconsideration of risk profiling for the operators.
There is a significant risk of the various initiatives overlapping, creating potentially inconsistent standards.
INVESTIGATORY POWERS BILL
For those businesses that act in the capacity of internet service providers in the UK, the draft Investigatory Powers Bill will require careful attention as it proceeds through Parliament. The recent Paris attacks also risk fast-tracking this legislation, with a consequent reduction in scrutiny. The bill was published on 4th November. It requires communications service providers to keep internet connection records (the “who”, “where”, “when”, “how” and “with whom” of a communication) for a maximum period of 12 months - equivalent to the metadata that communications companies are required to maintain on call records, recording who accessed what and when. The legislation also includes a controversial proposal regarding encryption which may have the effect of requiring end-to-end encryption to be broken so that the content of messages subject to a legal process can be read. This means that providers of communication services, including “over the top” services (such as WhatsApp or Snapchat), are likely to be in difficulty as regards this regulation. The collection and transfer of bulk data is under severe scrutiny under this legislation. The Government has taken the unusual step of issuing guidance as part of this Bill, such is its sensitivity.
Safe Harbor is therefore the tip of the iceberg of wider shifts in data regulation. These initiatives are also part of a wider digital single market which will see further reform of telecommunication laws and more specific rules on data that platforms and intermediaries can process in future.