Clouding your business with data protection issues? (Part 2)
16 February 2012
In Part One of this article, we looked at current data protection issues inherent within cloud computing. Here, we look at the trend towards cloud usage in spite of those issues, plus the data protection developments to watch out for in 2012.
Take up, and up and up…
A recent survey[1] of 1,987 companies across Europe has shown that investment in cloud solutions is increasing. Currently, 31 per cent of organisations in Europe have data in a private cloud and 17 per cent in a public cloud.
Ninety-four per cent of those surveyed said they had suffered application and data loss over the previous year. A majority conceded their data was, generally, inadequately protected, with only 27 per cent admitting they have a formal and comprehensive disaster recovery plan in place.
Poor data protection strategies (primarily attributed to a lack of both senior management support and budgets) were also identified and acknowledged by participants.
By way of contrast, those surveyed displayed high levels of confidence in the safety of their data retained in the cloud – 75 per cent of those using a private cloud and 81 per cent of those using a public cloud said they were confident their data would be safe in the event of a disaster.
For many, it confirms that the cloud is no longer viewed as the enemy of data protection, and is increasingly seen as a particularly useful tool for back-up and disaster recovery purposes.
Cloud computing service providers (CSPs) will be glad to hear that only six per cent of users surveyed had decreased their data protection and disaster recovery spend, compared to 27 per cent who had increased their spending (67 per cent maintaining the same level of investment).
Even more encouraging for CSPs, 34 per cent of users stated an intention to increase their use of the cloud as part of data protection plans in the coming year.
Customer compromises? Or pragmatism-over-protection in an uncertain world?
As Part 1 of this article discussed, data protection issues inherent in the cloud are well known, but not necessarily well understood, so to presume increased take-up speaks for itself (from a purely economic perspective) would be to ignore very real concerns both customers and CSPs know they should have.
However, how those concerns are dealt with is where the cloud becomes something of a conundrum.
A knowledgeable but insufficiently wary customer who understands there are inherent data protection risks may presume the CSP dealing on standard terms has all the data protection issues covered.
At the other end of the spectrum, a CSP not fully understanding the limits of their own potential exposure dealing with a knowledgeable customer may be persuaded to take on unlimited, and potentially very expensive, data protection liability. But depending upon the circumstances, that liability might more correctly remain the user’s responsibility under the law.
Where both CSP and user treat data protection as a top business priority and appreciate that ultimately their objectives converge – even with a certain amount of mutual reliance on both sides and a healthy dose of pragmatism – the legal landscape may not be particularly helpful in assisting either party.
At present, those providing or using cloud computing services (CCSs) are faced with a patchwork of ‘fixes’ that attempt to deal with the requirements set down by current data protection legislation. Commentators almost universally agree that, in a digital age, the present law is fragmented; outdated compared to advancements in technology; and, basically, unfit for purpose.
By way of example, we might look at the present system of legally binding corporate rules (BCRs), which was set up to assist in data transfers with countries not pre-approved by the European Commission.
The idea behind BCRs was as an expedient intra-company alternative to the pre-written EU Model Contract Clauses supplied by the European Commission. Companies are invited to submit their data protection processes to the relevant local data protection watchdog with the aim of speeding up the cross-border data protection approval process.
In fact, the process is made cumbersome because approval must be given on a state-by-state basis anywhere the BCR is used, by way of a formal transfer notification process in each EU member state (and only about 17 currently accept them). The result is that most companies revert to the EU Model Contract Clauses instead.
The EU proposals
Recognition of the issues inherent in the cloud (finally) led the European Commission to run an EC Consultation on Cloud Computing from May to August 2011.
All interested parties were asked to provide comments on various questions, including data protection and liability and cross-border situations.
By November 2011, Viviane Reding, the EU’s Justice Commissioner, had announced plans to change the rules on BCRs, stating: “The situation under the current Directive means that your one set of rules must be checked by multiple authorities with different – and at times maybe contradictory – practices in place… I see this legal fragmentation as a costly administrative burden… companies should be able to transfer their data freely and safely – anywhere and in conformity with the law… the rules will cover all types of business models: from a paper-based filing system to an intricate internal organisation or the most complex cloud computing system. These improvements will make life easier for businesses and help improve their reputations.”
On 25 January 2012, the EC released a series of data protection legislative texts and documents in draft form.
Previously leaked documents circulated at the end of last year met with considerable disapproval, and changes were subsequently made to those proposals to soften the perceived harsh effects the leaked proposals would have on business.
So the Commission does now appear to be listening to both individuals and businesses. Any solutions that might arise from the recent draft legislation, however, are still at least two years away, if indeed they are viable, and if these proposals make it into law.
The proposed legislative reform as it will affect the cloud
The main changes to the data protection regime, which will particularly affect those providing or using the cloud, are:
- A Regulation not a Directive. The previous law is in the form of a Directive and each member state had to turn that Directive into its own law, leading to an inconsistent and sometimes conflicting approach across the whole EU involving different standards, regulators and added bureaucracy. The proposed Regulation will instead automatically come into force across all 27 EU member states effectively ensuring a much more harmonised approach. This is great news for both CSPs and users operating multi-jurisdictionally, both across the EU and globally cross-border with the EU, as it provides certainty on the law.
- Breaches of data protection. Maximum fines of up to €1m or two per cent (as opposed to the five per cent originally mooted) of worldwide turnover may be imposed for serious breaches (currently capped at £500,000). Notification of a breach must be carried out "without delay and, where feasible, not later than 24 hours after having become aware of it" (a change from the straight ‘24 hours’ requirement originally proposed). Previously, notification was only compulsory in the telecoms sector and was otherwise discretionary for other sectors, but it is proposed that in future it will be made obligatory across the board. Data processors must notify data controllers ‘immediately’ once a breach has been ‘established’. Clearly, this imposes a greater burden on CSPs and on users supplying services to third-party end users. There is no clarity at present as to what action a regulator will take post-notification. Scepticism has already been expressed, for example by the UK’s Information Commissioner, as to the effectiveness of this requirement if the regulator will then lack the necessary ‘teeth’. The lack of ‘teeth’ could of course lead to a loss of confidence in the benefits of onerous and frequent notification obligations.
- Data protection officers. Any employer employing more than 250 permanent employees must have a data protection officer to advise on data protection issues, monitor policies and check adherence with the law. It is impossible to predict how this will affect the cloud particularly, but certainly larger companies will need to become more aware of their data protection obligations. Whether this leads to even greater cloud take-up is not known, but will likely depend on the outcomes of risk assessments undertaken in each instance.
- Right to be forgotten. This will be a potential minefield for CSPs and their customers alike, and goes considerably further than the current right to make a subject access request. Individuals will have the right to request that any information stored about them is deleted "without delay", and to withdraw consent (which will have to be explicit) at any time. This will cause great difficulties, and undoubtedly increased costs and liability, for any organisation processing personal data, in particular for social networking sites such as Facebook, LinkedIn and Twitter, as well as for direct marketing companies and news and publishing businesses. There is a limited right to retain such data where it is necessary for historical, statistical or research purposes, or where it is in the public interest to do so. However, any organisation that has made personal data public, and which is subsequently subject to a request to be forgotten, will be required to inform third parties of the request and "take all reasonable steps, including technical measures" to have the data deleted.
- Data portability. Allows individuals to transfer personal data from one system to another more easily. Good news for individuals, but how will this work in practice?
- Main establishment principle. Where a company has a presence in more than one EU member state, the supervisory authority in their ‘main establishment’ location will be the competent authority for monitoring their activities throughout the Union. This will make life easier for multi-jurisdictional CSPs who are headquartered in the UK and so will fall under the UK’s Information Commissioner’s Office.
- International Data Transfers. Technically, it should prove easier for both CSPs and users to use BCRs as a result of the introduction into the Regulation of obligations of cooperation and consistency between Member States.
Conclusions
If adopted in its present form, the proposed EU Data Protection Regulation will result in a significant overhaul of the legal framework surrounding data protection, which the European Commission estimates will save businesses across the EU €2.3 billion per annum. Implementation is scheduled for late 2014.
In the round, there will be a strengthening of the data protection rights of individuals. CSPs may find they therefore need to become more flexible towards the demands of users providing third-party end user services as legal obligations in respect of the individual increase, and this may result in a shift by the customer away from the larger organisations such as Google and Amazon towards smaller CSPs who can provide a more responsive and bespoke service.
The other effects, such as greater harmonisation of laws and a lessening of administrative burdens due to fewer requirements being imposed by data protection authorities on an individual basis, are good for everyone. But companies generally (whether CSPs or users) will find they have to take on greater burdens elsewhere: for example, more robust compliance processes, the employment of data protection officers, or, in the event of data protection breaches, greater fines.
[1] See Insights: Data Protection and the Cloud, September 2011, from CA Technologies at http://www.arcserve.com/gb/lpg/insights.aspx
About the Author
Michelle Sherwood is a partner within the Commercial and Technology Unit at national law firm Shoosmiths, working on a wide range of commercial matters with a specialism in IT. Michelle advises a variety of businesses on non-contentious commercial matters. Her areas of specialism include: IT contracts, e-commerce, software licences, convergent technologies and the internet, agency agreements, distributor agreements, confidentiality agreements, manufacturing agreements, property management agreements, outsourcing agreements, haulage contracts, supply agreements (including key raw materials and supply of services), and warehousing & distribution agreements.
Emma Cartwright is a solicitor in Shoosmiths' Commercial & Technology Unit specialising in commercial, IT and IP work. She works for a broad range of clients from global firms, top 10 FTSE 100s and large corporates to SMEs and start-ups providing advice across a broad range of sectors including: IT; telecoms; software, games and internet; media and entertainment; retail; gas; energy; insurance; banking; shipping; pharma; food; tobacco; and employment/consultancy industries.
By: Outsource Magazine