In April, the U.S. Department of Commerce’s International Trade Administration (ITA) issued a document clarifying the application of the U.S.-EU Safe Harbor Framework to cloud computing (the clarification). The ITA believes the Safe Harbor framework is “comprehensive and flexible enough” to cover cloud computing in the same way as other data transfers.
The ITA reminded those certified to Safe Harbor that EU law requires data controllers to enter into a contract with any data processor, even where the controller will rely on Safe Harbor. These contracts should set out the processor’s roles and responsibilities. One benefit of Safe Harbor is that the contract need not include the standard contractual clauses and need not be authorised by any EU Member State.
The clarification points out that Safe Harbor imposes no additional requirements on cloud providers, and no additional steps that controllers must take before relying on Safe Harbor, particularly since the Article 29 Working Party’s specific recommendations for cloud service providers are non-binding.
The ITA also reminds processors certified to Safe Harbor that transfers of data to sub-processors located outside a European Commission-designated ‘adequate protection’ country are possible only on the basis of a written contract requiring the sub-processor to provide the minimum level of protection required under the Safe Harbor Privacy Principles.
The ITA further notes that data controllers cannot simply rely on a processor’s statement that it is Safe Harbor certified. Data controllers need to ensure that the Safe Harbor self-certification is current and must conduct due diligence to ensure that the principles are actually being complied with.
The ITA is convinced that Safe Harbor will remain an officially recognized means of demonstrating adequacy under the proposed General Data Protection Regulation (the Regulation), pointing to a number of official statements by EU officials and to the wording of the draft Regulation.
The ITA also referred to the “Five Myths Regarding Privacy and Law Enforcement Access to Personal Information in the European Union and the United States” to assuage concerns about the application of the U.S. Patriot Act to the processing of data in the cloud.
Notwithstanding the ITA’s clarification document, a number of EU national data protection authorities remain sceptical of Safe Harbor. The German authorities, the Düsseldorfer Kreis in particular, issued guidelines a few years ago informing controllers of the additional checks they needed to make on U.S.-based service providers to ensure compliance with the Safe Harbor Framework.