Privacy and Data Security Risks in Cloud Computing

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

EU Approves New Standard Contractual Clauses for Transfers to Data Processors

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.  The clauses were negotiated over several years between the European Commission and a group of business associations led by Brussels-based Hunton & Williams partner Christopher Kuner, who is chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce.

Despite the growing popularity of other mechanisms that provide a legal basis for complying with the EU legal restrictions for transferring personal data outside the EU (such as binding corporate rules), the use of SCCs remains indispensable.  In many situations SCCs are the only “off the shelf” data transfer solution that can be used and implemented on short notice.  The Commission already published a set of SCCs for transfers to data processors that were approved in 2001, but companies have found that they do not always take business realities into account.  The SCCs can be burdensome to use in practice, in particular for the following reasons:

  • The existing SCCs do not contemplate the possibility that a data processor outside the EU may need to transfer personal data to another data processor, which happens very often in practice.
  • The SCCs can require the application of data security requirements from multiple EU Member States.
  • Many Member States impose bureaucratic formalities (notarization of signatures, annual updates, etc.) on use of the clauses.
  • There can be practical problems when using the clauses with multiple parties.
  • The SCCs contain a mandatory arbitration clause to which many companies have objected.

Although the Commission did not adopt many of the suggestions made by the business associations, thus diluting the value of the new clauses, the new SCCs do have some important advantages over the existing controller-to-processor clauses.  For example:

  • For the first time in EU data protection law, the new clauses provide a legal basis for processor-to-processor transfers.  Under the clauses, such transfers may be carried out when (1) the original data controller consents in writing, and (2) the same data protection obligations are imposed on the subprocessor as are imposed on the original data importer.  The original data importer remains liable for any data protection violations by the subprocessor.
  • The arbitration clause has been deleted.

There are two further important points with regard to the new clauses:

  • The new clauses must be used for new or changed transfers to data processors; i.e., the existing SCCs for controller-to-processor transfers may no longer be used for such transfers (but existing SCCs remain in effect).
  • The SCCs cover transfers from the EU to a data processor outside the EU, but not transfers from a data processor in the EU to a subprocessor outside the EU, although data protection authorities “may” allow use of the new clauses in such situations as well.

The full text of the new SCCs has been published in the Official Journal of the European Union.  Christopher Kuner will provide a detailed analysis in the near future.

Swiss Court Declares Transfers of Banking Data to U.S. Authorities Illegal

On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal.  In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities.

In its decision, dated January 5, the Court found that Finma overstepped its legal authority in ordering the data transfer.  Although strictly speaking the Court’s decision was based on Swiss constitutional, administrative and banking secrecy law, rather than data protection law, the decision contains extensive discussion about the fact that the data transfer significantly impaired the customers’ privacy rights as guaranteed by the Swiss constitution and by human rights instruments to which Switzerland is a party.  The Swiss government reportedly is considering whether to appeal the decision to the Swiss Supreme Court, and the decision could have important implications for demonstrating the legal difficulties of transferring personal data from Europe to U.S. law enforcement authorities.  Lawyers acting for some of the defendants were also reportedly preparing to file criminal charges against UBS executives and Finma employees for transferring the data illegally.

The Court's decision (in German) is available here.

French Data Protection Authority Issues Guidelines on Personal Data Transfers Pursuant to U.S. Discovery Obligations

On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.

According to the Guidelines, disclosure of personal data pursuant to foreign court proceedings must comply with applicable laws and treaties ratified by France, including the Hague Convention of March 19, 1970, which enables a contracting State to declare that it will not execute letters of request issued for the purpose of obtaining pre-trial discovery. In France, any judge receiving a letter of request from a foreign authority must verify that such a request is admissible under French law and, in particular, must refuse the request if it poses a threat to State sovereignty or security. In this respect, a French blocking statute (the July 27, 1968 Act) prohibits disclosure of any information of an economic, commercial, industrial, financial or technical nature as part of foreign legal proceedings unless the disclosure complies with applicable treaties and laws. Any breach of this statute is punishable by imprisonment of six months and a fine of €18,000.

In addition, companies based in France that disclose documents containing personal data must also comply with the requirements of the French Data Protection Act of January 6, 1978, or risk heavy criminal sanctions for failing to do so. Data controllers are not required to file a specific “discovery” notification as long as their data processing activities have been regularly filed with the CNIL. Nevertheless, there must be a legal basis for any transfer of personal data to the U.S., and companies must notify the CNIL of such transfers. In some cases, the data controller may rely on the “establishment, exercise or defense of a legal claim” exception contained in Article 69.3 of the French Data Protection Act as a legal basis for a single and limited transfer of all relevant information relating to a particular litigation. Otherwise, the CNIL’s authorization is required for sizeable and frequent transfers of personal data that are based on an adequate safeguard (i.e., Safe Harbor, model clauses or binding corporate rules). Further, adequate safeguards must be put in place to cover onward transfers, such as when transferred data being stored in the U.S. are further disclosed to a judicial authority (i.e., court order) or to other third parties (e.g., model clauses or a letter of engagement to abide by the Safe Harbor principles).

More information on these Guidelines can be found (in French) at www.legifrance.gouv.fr.

Article 29 Working Party Issues Opinion on Potential Updates to Standard Contractual Clauses to Facilitate Processor-to-Sub-Processor Transfers of Personal Data

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller-to-processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although the Opinion does not mention it, the Opinion is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). Christopher Kuner, partner at Hunton & Williams, has been leading the ICC work. The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities. The proposal is available here.  Opinion 3/2009 is available here.

The clauses are quite important for business, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed by the three business groups was a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has lacked any discussion of the conditions under which such a transfer could be made between data processors. It is a significant development that the Working Party Opinion recognized this possibility.
 
Some of the other clauses proposed by the Working Party seem unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the subprocessor be governed by the law of the country of the data exporter in the EU. ICC and the other business groups will work with the European Commission with the goal of ensuring that the final clauses approved by the Commission are drafted in a way that makes them usable in the real world. The final Commission decision on the clauses is not expected for a few months.