Is it legal or illegal to use american cloud services in Europe?
Patricia Ayodeji's presentation about the controversy between the USA and Europe regarding cloud business.
1. Cloud
Is it legal or illegal to use American cloud services in Europe?
PATRICIA AYODEJI
Dual-qualified Lawyer, England & Spain
Member of The Law Society, London & Ilustre Colegio de la Abogacía, Barcelona
Founding Lawyer E-PDP
payodeji@icab.cat
24th February 2016
www.e-pdp.es
3. 2016 E-PDP PROTECCIÓN DE DATOS PERSONALES
CLOUD DOES NOT…
Remove our responsibility for data protection, data security, data integrity, data confidentiality and business continuity.
We cannot entrust or delegate these to the cloud provider. A contractual clause that tries to do so is invalid!
5. What you should know…
Not on a par…
In the US, data is governed by a patchwork of state and federal laws, with new reforms added all the time. Europe has a more harmonised regime – and there are big changes planned!
Privacy Act 1974
Guarantees three primary rights which federal agencies must abide by:
• The right to see records about oneself, subject to Privacy Act exemptions;
• The right to request the amendment of records that are not accurate, relevant, timely or complete; and
• The right of individuals to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of personal information.
Only applies to U.S. citizens or non-U.S. citizens who are permanent residents.
Judicial Redress Act 2015
Gives citizens from approved EU countries (“U.S.-allied countries”) the right to sue federal agencies that mishandle their personal data, in a similar way to the rights Americans enjoy under the Privacy Act. Americans already enjoy similar rights in Europe. The right to redress is subject to the same restrictions U.S. citizens face under the Privacy Act, including broad exemptions for national security.
7. Charter of Fundamental Rights of the European Union
Title II Freedoms
Article 8 Protection of Personal Data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly and on the basis of the consent of the person concerned or some other legitimate reason laid down by the law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
9. Data Protection
Directive 95/46/EC -> L.OPD 15/1999
PROTECTS PERSONAL DATA OF EU CITIZENS AS USERS OF CLOUD & WHEN IN CUSTODY OF A CLIENT OF CLOUD SERVICES.
In process of reform! New EU Data Protection Regulation.
Expected to be formally agreed shortly and in place in 2018. ONE SINGLE LAW, which will enter into force after a transition period of 2 years. Higher fines – up to 4% of turnover when companies have violated the privacy of a European.
Extended territory includes all non-EU companies with no establishment in the EU who offer goods/services (including free of charge) to EU citizens.
Ireland will cease to be a soft option for U.S. companies.
10. Some Data Protection questions
• Do they share data with third party subcontractors? Do you know who they are & what services are outsourced? Where are their servers located?
WhatsApp, Gmail… involve the processing of data via undetermined servers and companies throughout the world.
• Are you sure data is not used for other purposes?
• In case of breach, do they have the appropriate insurance?
If our cloud provider does not provide us with certain guarantees, all responsibility for the data lies with us!
12. US Safe Harbour Scheme
Turning point in international transfers to the US… the striking down of Safe Harbour!
6 October 2015, EU Court of Justice – Schrems vs. Facebook Judgment C-362/14 (Facebook – mass-surveillance programs by the NSA. Snowden’s NSA leaks demonstrated that European data stored by US companies was not safe from the type of surveillance which would be considered illegal in Europe). The Court proclaims that the 15-year-old Safe Harbour, the legal framework that American companies have used to handle European citizens’ data, does not provide an adequate level of protection and does not provide guarantees equivalent to those established in the European Union.
The judgment invalidated the legal basis for US-EU Safe Harbour.
If your company is relying on Safe Harbour, it is in an illegal situation and may face enforcement proceedings depending on the DPAs in question!!
13. AGPD: Spanish Data Protection Authority’s response to the EU Court of Justice Schrems Judgment, Madrid, 29th October 2015
In exercise of its powers, the AEPD, the Spanish Data Protection Authority, required that at the earliest, and in any case before 29 January 2016, all transfers of data from Spain to the U.S. be notified or modified in the General Data Protection Registry and, if necessary, include details of their compliance with data protection legislation.
Failing this within the period, the Authority may initiate proceedings, if necessary, to temporarily suspend such international transfers.
https://www.agpd.es/portalwebAGPD/canalresponsable/transferencias_internacionales/common/Comunicacion_responsables_-_Puerto_Seguro.pdf
14. The US Government’s response to Schrems
U.S. Secretary of Commerce Penny Pritzker
“…We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy. Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years…”
15. How do we use American cloud services in Europe without running afoul of EU data protection law? Alternative compliant data transfer mechanisms…
Data localisation – actual whereabouts of data
Choose a Spanish/EU provider, e.g. migrate from Georgia-based Mailchimp (whose privacy policy discloses personal information to comply with court orders and subpoenas) to Madrid-based Mailrelay (data centres in the EU). A basic but effective means to influence jurisdiction. Option for large organisations.
EU model contractual clauses
For transfers to countries or territories that do not ensure an adequate level of protection (which now includes the USA). In Spanish & English!
Binding Corporate Rules (BCRs)
A set of legally enforceable internal rules (such as a Code of Conduct) regarding data privacy and security, to ensure that transfers of personal data outside of the EU take place in accordance with EU rules. A valid solution. Greater flexibility.
THESE OPTIONS REMAIN FORMALLY EFFECTIVE & LEGAL
16. #FLISH FLASH Successor to Safe Harbour: EU-US Privacy Shield
2nd February 2016
http://ec.europa.eu/avservices/video/player.cfm?ref=I115848&sitelang=en
EU Commission & US Dept. of Commerce
• New living framework for transatlantic data flows with a continuous process of monitoring by the EU Commission & an annual review which will look at all aspects of the agreement.
• Multiple channels for EU citizens to report any “misuse” of their personal data. Companies will have deadlines in which to respond to complaints.
• EU citizens will benefit from legal redress for privacy violations.
• Severe restrictions on indiscriminate mass surveillance of European citizens by the U.S.
17. EU-US Privacy Shield
The situation has not changed since Schrems.
WP29 (body of representatives of individual European Member States’ DPAs): EU-US data transfers won’t be blocked while Privacy Shield details are hammered out!
Is the arrangement robust enough? It is not in fact certain that it will pass the scrutiny of the WP29 (quality, content, legal consequences) or the ECJ (the ultimate authority on the enforceability of the new pact).
Plenty of questions remain & a deal is not really done yet!
Uncertainty likely to prevail for some time!
18. Security
Employees remain the weakest link within an organisation!
What security measures does the provider have in place, and does it offer levels of security equivalent to local access?
Preventative measures for viruses, hackers, spies?
Do they keep backup copies?
ISO certification?
ISO/IEC 27018 (Aug. 2014): code of practice to ensure cloud service providers offer suitable information security controls to protect PII processed in public clouds.
ISO/IEC 27017: cloud-specific information security controls & advice for cloud service customers and providers. Published at the end of 2015. Sets out the agreed information security roles & responsibilities of both parties.
21. Data integrity
• Measures taken by the provider to mitigate risks of data being involuntarily compromised?
• Who can access data? What can they do with it?
• What happens when you want to change cloud provider? Will critical data be inaccessible? For how long?
22. Continuity: Portability & Interoperability
Ability to retrieve and shift data & services between different cloud systems.
Portability is a new right under the new Regulation, designed especially for cloud services, i.e. the ability to get structured, legible information in a format compatible with other systems!