The US Department of Commerce's International Trade Administration (ITA) has provided some clarification regarding how the US-EU Safe Harbor Framework applies to cloud computing.
The ITA does not believe that cloud computing represents an entirely new business model or presents any unique issues for the Safe Harbor. The ITA clarifies that the existing Safe Harbor Privacy Principles are comprehensive and flexible enough to address the issues raised by the cloud computing model.
The ITA's guidance states:
- The U.S.-EU Safe Habor applies to cloud service provider agreements (i.e. agreements that involve the transfer of personal data from the EU to organisations established in the U.S).
- A cloud service provider is required to enter into a contract even if it is Safe Harbor-compliant and is receiving personal data merely for processing.
- Safe Harbor does not require that the contract incorporates the EU standard contractual clauses. The EU standard contractual clauses represent an alternative to Safe Harbor certification, not an additional requirement.
- The Commission has not issued any new requirements regarding Safe Harbor that would reduce the value of certification to cloud service providers.
- The ITA notes that Article 29 Working Party Opinion on Cloud Computingrecommends that "companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification", but instead should "obtain evidence that the Safe Harbor self-certifications exist and request evidence demonstrating that their principles are complied with". The ITA points out that the Opinion is non-binding. In addition, the U.S. Department of Commerce maintains a public list of organisations which have self-certified their compliance with Safe Harbor. EU data controllers can easily and authoritatively verify whether a given U.S. data processor appears on the list and whether their status is "Current" or "Not Current".
- Additional requirements cannot be imposed exclusively on U.S. service providers processing personal data transferred from the EU simply because they satisfy the "adequacy" requirement through Safe Harbor certification (i.e. the same basic rules apply to all cloud service providers whether they are located in the EU or an "adequate" country, or Safe Harbor-compliant).
- Member State data protection authorities must recognise Safe Harbor certification as a valid means of demonstrating that a service provider ensures an 'adequate' level of data protection.
- The Commission's draft Data Protection Regulation expressly states that existing 'adequacy' findings will be recognised, which means that Safe Harbor should continue to offer eligible U.S. organisations an accepted means of demonstrating 'adequacy'.