Archive for July, 2012

California Privacy Enforcement and Protection Unit Created

Posted by fgilbert on July 19th, 2012

California will increase its privacy and data protection enforcement efforts with the creation of the Privacy Enforcement and Protection Unit, announced by California’s Attorney General, Kamala D. Harris on July 19, 2012. The Privacy Unit, which will be housed in the eCrime Unit of the California Department of Justice, will combine the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise.

Joanne McNabb, currently Chief of the California Office of Privacy Protection, will serve as the Director of Privacy Education and Policy, and will oversee the Privacy Unit’s education and outreach efforts.

Travis LeBlanc, Special Assistant Attorney General for Technology for California, will head up the enforcement division. Six prosecutors will concentrate on enforcement of the laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government, including laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

Article 29 Working Party’s Opinion on Cloud Computing: A Threat for the Industry?

Posted by fgilbert on July 16th, 2012

In its Opinion 05/2012 on Cloud Computing, published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and the lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.

Even though opinions of the Article 29 Working Party do not have the force of law, they have a very significant influence over the ways companies operate and the privacy choices they make. US businesses operating in the European Economic Area should keep in mind that the data protection authorities of the country or countries in which they operate are highly likely to follow the guidance set forth in a Working Party opinion. Thus, it is important that they operate within the guidelines and guidance provided in the opinions and other writings of the Article 29 Working Party.

Overview

One of the most significant concerns expressed in the Article 29 Opinion on Cloud Computing is the extent to which the Safe Harbor Principles fail to address the unique ways in which cloud computing services hold and process data. The Article 29 Working Party believes that the Safe Harbor Principles, which were conceived in a different technological environment, fail to address the unique environment in which cloud services are provided. In its view, self-certification with Safe Harbor alone may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.

The Opinion points to the lack of control over the whereabouts of the data held in the cloud and the lack of transparency about the security measures being adopted or the identity of the subprocessors as threats to the protection of personal data. It also stresses the importance of informing the data subjects about who processes their data, for what purposes, and in which locations, and how they can exercise the rights afforded to them in this respect when their data are hosted or processed in the cloud.

Due Diligence & Contract Terms

The document recommends that the cloud client select a cloud provider that guarantees compliance with EU data protection legislation derived from Directives 95/46/EC and 2002/58/EC. It stresses that the cloud client should verify whether the cloud provider can guarantee the lawfulness of any cross-border data transfers.

Once the cloud service provider is identified, the relationship should be recorded in a contract that affords sufficient guarantees in terms of technical and organizational measures for the cloud service. The Opinion identifies a number of contractual safeguards to be included in the contract for cloud services.

Cross-border Transfers & Safe Harbor

One of the most important components of the Opinion is its negative analysis of the ability of most cloud providers to meet the restrictions on cross-border data transfers that are part of the EEA Member States' national data protection laws. The Opinion expresses significant concerns about the Safe Harbor's ability to meet the requirement that the recipient of the data provide "adequate protection" consistent with that which is provided in the EU and EEA.

Among other things, the Opinion warns that the Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that it has a Safe Harbor certification. The company exporting data should request evidence demonstrating that the Safe Harbor principles are complied with. The Opinion also states that it might be advisable to complement the commitment of the data importer to the Safe Harbor with additional safeguards taking into account the specific nature of the cloud.

It is not clear what effect the Working Party's Opinion in WP 196 will have on US cloud providers. If US cloud providers want to continue to attract EU-based clients, they will have to address the recommendations of WP 196, at least in connection with their sales in the European Union. Will US customers request the same level of transparency and control?

Further analysis of WP 196 is available in Francoise Gilbert's article published by the BNA Privacy & Security Law Report.