The US Department of Commerce (“USDOC”) has issued an opinion statement aimed at clarifying how the US-EU Safe Harbor framework for data protection agreements applies to cloud computing services (“Statement”). The Statement is intended to respond to concerns raised by European Union (“EU”) data protection authorities and the Article 29 Working Party (“AWP” - an independent EU advisory body comprised of representatives from such authorities) and clarifies that, in the view of the USDOC, Safe Harbor continues to offer a legitimate option for transferring personal data to compliant US organisations irrespective of whether they are operating in the cloud environment or not.
The term ‘cloud computing’ is broad and encompasses an increasingly comprehensive range of computing services provided from off-site remote data centres on a service basis and accessed by users over the internet. In addition to flexibility, cloud computing is commercially attractive as customers only pay for the amount of computing resources used and can significantly reduce the costs of investing in computer hardware and software.
Transfer of data to third countries
The EU Data Protection Directive (95/46/EC) prohibits the transfer of personal data from within the European Economic Area (“EEA”) to third countries unless adequate levels of protection have been established. There are various ways of ensuring adequate protection, such as limiting data transfers only to third countries with a data protection regime recognised as adequate by the EU (the so-called ‘White List’ countries), implementing data transfer agreements incorporating Commission-approved Model Clauses, and adopting Binding Corporate Rules for intra-group transfers.
Given the historical differences between the US and EU data protection regimes, the US has never been recognised by the EU as offering adequate safeguards and is therefore not on the White List. To minimise the potentially adverse impact on trade between the EU and US, in 2000 the USDOC and the European Commission developed the Safe Harbor framework to facilitate transfers of personal data from the EEA to US organisations which voluntarily agree to comply with standard Safe Harbor principles for the protection of personal data (“Safe Harborites”).
In the Statement, the USDOC states its view that the EU’s recognition of Safe Harbor’s adequacy for data protection purposes will apply to cloud service provider agreements and, more specifically, that:
- Safe Harborites are still obliged to enter into contracts with EU data controllers which offer sufficient “technical security and organizational measures” and require the Safe Harborite (acting as data processor) to act only pursuant to the data collector’s instructions;
- transfers of personal data to Safe Harborites do not require the parties to conclude a data transfer agreement incorporating Model Clauses; and
- the Safe Harbor regime is binding on all EU Member States and by extension the three EEA Member States of Norway, Liechtenstein and Iceland.
The USDOC goes on to address the issues raised in the opinion published by the AWP on cloud computing in July 2012 (“AWP Opinion”) regarding the extent to which customers of cloud services can rely on Safe Harbor. Emphasising the non-binding nature of the AWP Opinion, the USDOC sets out responses to the following AWP concerns:
Safe Harbor is limited to US organisations:
- USDOC response: transfers to sub-processors in third countries (without adequate data protection regimes) can be Safe Harbor compliant provided that the processor and sub-processor agree in writing to provide at least the same level of data protection as is required by the Safe Harbor standards.
Safe Harbor self-certification alone may not be sufficient for EU data collectors to rely on, and evidence of the provider’s compliance with Safe Harbor should be obtained:
- USDOC response: the USDOC maintains a public list of processors with current Safe Harbor certification which can be used by EU data controllers to verify Safe Harbor compliance.
Safe Harbor does not act as a substitute for failing to comply with an EU Member State’s national law on data protection:
- USDOC response: compliance with Safe Harbor does guarantee adequate standards, and no additional obligations can be placed on Safe Harborites simply because they are located outside the EU.
Safe Harbor does not guarantee EU data exporters that appropriate security measures have been applied by US cloud providers, as cloud computing raises specific security risks. It may be advisable for EU data collectors to obtain additional safeguards:
- USDOC response: Safe Harbor requires that “reasonable precautions” be taken while leaving the specifics up to the contracting parties. This approach, the USDOC asserts, echoes the “appropriate technical and security measures and organisational measures” required by the Data Protection Directive, and is therefore sufficient.
The USDOC also addresses the effect that the proposals for EU data protection reform, currently before the European Parliament, will have on the Safe Harbor framework. The Statement emphasises that:
- current drafts of the reform proposals respect existing adequacy findings, meaning that Safe Harbor would continue to provide a means for Safe Harborites to demonstrate that they offer adequate protection; and
- whilst there has been discussion of introducing a two-year sunset clause on existing Safe Harbor agreements, this is by no means final, and even if adopted would not enter into force until at least 2016.
The USDOC has clarified that, in its view, the protection afforded by Safe Harbor applies equally to data transfers from EEA data collectors to Safe Harborites regardless of whether the relevant US organisations are providing cloud services. What is perhaps most surprising is the USDOC’s dismissal of the AWP’s concerns, particularly as the AWP is comprised of representatives from the EU data protection authorities and, consequently, its opinions are influential in the enforcement of national data protection law.
In essence, the USDOC has affirmed that, in its view, adherence by EEA data controllers to the letter of the law in data protection agreements will suffice to provide Safe Harbor protection. This may be true for the time being. However, in the event that the sunset clauses being debated in the EU Parliament are adopted then the situation could change quite dramatically as any successor arrangement to the Safe Harbor regime negotiated between the US and EU will need to satisfy what are likely to be significantly more onerous EU data protection requirements under the new regime.