Further Discussion on German DPAs Enforcement of the Safe Harbor Compliance

Following our blog entry posted on June 2, 2010, Dr. Jörg Hladjk of Hunton & Williams offers additional insights on the obligations of German data exporters with respect to the Safe Harbor compliance program during the Centre for Information Policy Leadership’s First Friday Call on August 6, 2010.  On the call, Dr. Hladjk also discusses a press release issued by the German federal state of Schleswig-Holstein in light of the 10th Anniversary of Safe Harbor.

German DPA Issues Legal Opinion on Cloud Computing

On June 18, 2010, the data protection authority of the German federal state of Schleswig-Holstein published a press release and a comprehensive legal opinion on cloud computing.  The opinion provides an overview of cloud computing and discusses various practical and legal matters, including:

  • Applicable law issues
  • The legal basis for cloud computing and related processor and controller issues
  • Problems associated with the possibility of third-party access
  • The minimum requirements for data processor relationships and service provider contracts under the new German data protection law
  • Technical and organizational security measures
  • The legal landscape for clouds located outside the European Union

According to the DPA, clouds located outside the European Union are per se unlawful, even if the EU Commission has issued an adequacy decision in favor of the foreign country in question (for example, Switzerland, Canada or Argentina).  A Commission adequacy decision does not confer “agent” status, which normally would privilege such transfers, on entities located in the adequate jurisdiction.  The recipient entities remain “third parties” which means that a transfer in the legal sense takes place and therefore a legal basis is required.  The potential legal basis under German law (“fulfillment of contract” or “balancing of interests test”), however, requires that the transfer is also “necessary.”  The DPA is of the opinion that there are no arguments that the use of a cloud located outside the EU is compulsory. 

This result may be avoided, however, if the German rules on commissioned data processing are applied by analogy and by using an EU-approved model contract for controller-processor data transfers, so long as the German requirements for data processor agreements are also followed. 

The DPA’s opinion further states that self-certification to the U.S. Department of Commerce’s Safe Harbor framework alone does not provide an adequate level of protection in the cloud context.  Accordingly, reliance on certification to the Safe Harbor should not be used to circumvent the more strict EU legal requirements applicable to cloud computing. 

In addition, the DPA indicates that, because SAS 70 Type II Certificates used by some cloud providers do not contemplate the material and procedural interests of data subjects, such certifications offer only partial compliance with German legal requirements for commissioned data processing. 

The opinion concludes by suggesting that binding corporate rules are also an appropriate tool for companies seeking to implement a cloud solution.

For further information on the opinion, please contact Dr. Jörg Hladjk in the Brussels office of Hunton & Williams.

German DPAs Require Data Exporters to Verify Safe Harbor Compliance

On April 29, 2010, German data protection authorities issued a resolution regarding the obligations of German data exporters with respect to U.S. data importers that have self-certified under the Safe Harbor program.  By requiring additional diligence when transferring data to Safe Harbor-certified entities, the resolution may appear to raise questions with respect to the European Commission’s decision that Safe Harbor certification is sufficient to demonstrate an adequate level of privacy protection.

The decision was rendered by the Düsseldorfer Kreis, a working group comprised of the 16 German federal state DPAs responsible for the private sector.  The DPAs concluded that German data exporters may not rely exclusively on the U.S. Department of Commerce’s list of entities that have self-certified to the Safe Harbor program when determining whether a U.S. data importer ensures an “adequate” level of protection for personal data under German law.  According to the decision, prior to transferring data from Germany to the U.S., German data exporters must verify whether a self-certified data importer complies with certain minimum Safe Harbor requirements in practice.  German data exporters must:

  • Check to see when the data importer’s Safe Harbor certification took place.  A certification that is more than seven years old is considered invalid.
  • Ensure that the data importer complies with its Safe Harbor obligation to provide notice of the data processing to the relevant individuals (notice principle).
  • Document the assessment and be able to provide proof upon request by a DPA. 

If a data exporter has doubts regarding the data importer’s Safe Harbor compliance following such an assessment, the DPAs recommend using standard contractual clauses or binding corporate rules to ensure adequate protection.  In addition, the resolution states that a data exporter should inform the DPA if it determines that a data importer’s Safe Harbor certification is no longer valid, if the required notice of processing is not being provided to individuals, or if other violations of the Safe Harbor principles are discovered during the assessment.
 
Under German law, data exporters that fail to carry out the required assessments may be held liable and face sanctions if they transfer data to a U.S. data importer that does not have an adequate level of data protection.  It is therefore crucial for German data exporters to evaluate the Safe Harbor status and compliance posture of U.S. data importers by conducting appropriate due diligence prior to any data transfers to the United States. 
 
For further information on the German DPA resolution, please contact Dr. Jörg Hladjk in the Brussels office of Hunton & Williams.

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

The new law, an addition to the state’s breach notification statute, provides that if a processor or business fails to take reasonable care to guard against unauthorized access to payment card account information in its possession or control, and that failure is the cause of the breach, the processor or business is liable to the relevant financial institution for reasonable actual costs related to the reissuance of payment cards to Washington residents to mitigate “potential current or future damages” to them.  Similarly, a vendor will be liable to the financial institution for these costs to the extent the damages were caused by the vendor’s negligence.

The law contains a number of safe harbors.  For example, there is no liability if the account information was encrypted at the time of the breach.  Also, an entity is not liable if its compliance with the Payment Card Industry Data Security Standard  (“PCI DSS”) was validated by an annual security assessment that took place no more than one year prior to the breach, even if that security assessment is subsequently revoked.

2009 International Conference on Cross Border Data Flows, Data Protection and Privacy

Every year since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection meet to review the latest developments in the U.S.-EU Safe Harbor Framework, as well as changes in privacy compliance, information security and data protection.  This year’s  International Conference on Cross Border Data Flows, Data Protection and Privacy occurs November 16 - 18 and features leading experts who will examine these issues and others, as well as changes made to the approval process for binding corporate rules.  Join our privacy professionals, Martin Abrams and Fred Cate, who are speaking at this global event.

Massachusetts Regulator Revises Information Security Requirements (Again)

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”

The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.

FTC Takes Additional Safe Harbor-Related Enforcement Actions

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000.  The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current.  If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers.  In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites, in which the companies continued to purport Safe Harbor membership.

FTC's First Safe Harbor Enforcement Action

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  A company under the FTC’s jurisdiction that self-certifies to the Safe Harbor principles but fails to implement them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits deceptive trade practices. 

In this case, the FTC successfully argued that, regardless of the company’s data protection practices, falsely claiming to be Safe Harbor certified could constitute a violation of the FTC Act in and of itself.  The defendants have been ordered to appear on September 25, 2009 to show cause why the court should not enter a preliminary injunction prohibiting further violations.

French Data Protection Authority Issues Guidelines on Personal Data Transfers Pursuant to U.S. Discovery Obligations

On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.

According to the Guidelines, disclosure of personal data pursuant to foreign court proceedings must comply with applicable laws and treaties ratified by France, including the Hague Convention of March 19, 1970, which enables a contracting State to declare that it will not execute letters of request issued for the purpose of obtaining pre-trial discovery. In France, any judge receiving a letter of request from a foreign authority must verify that such a request is admissible under French law and, in particular, must refuse the request if it poses a threat to State sovereignty or security. In this respect, a French blocking statute (the July 27, 1968 Act) prohibits disclosure of any information of economic, commercial, industrial, financial or technical nature as part of foreign legal proceedings unless the disclosure complies with applicable treaties and laws. Any breach of this statute is punishable by imprisonment of six months and a fine of €18,000.

In addition, companies based in France that disclose documents containing personal data must also comply with the requirements of the French Data Protection Act of January 6, 1978, or risk heavy criminal sanctions for failing to do so. Data controllers are not required to file a specific “discovery” notification as long as their data processing activities have been regularly filed with the CNIL. Nevertheless, there must be a legal basis for any transfer of personal data to the U.S., and companies must notify the CNIL of such transfers. In some cases, the data controller may rely on the “establishment, exercise or defense of a legal claim” exception contained in Article 69.3 of the French Data Protection Act as a legal basis for a single and limited transfer of all relevant information relating to a particular litigation. Otherwise, the CNIL’s authorization is required for sizeable and frequent transfers of personal data that are based on an adequate safeguard (i.e., Safe Harbor, model clauses or binding corporate rules). Further, adequate safeguards must be put in place to cover onward transfers, such as when transferred data stored in the U.S. are further disclosed to a judicial authority (i.e., court order) or to other third parties (e.g., model clauses or a letter of engagement to abide by the Safe Harbor principles).

More information on these Guidelines can be found (in French) at www.legifrance.gouv.fr.

US-Swiss Safe Harbor Framework in Force

On February 16, 2009, the US-Swiss Safe Harbor Framework, which is comparable to the EU-US Safe Harbor Framework, was adopted. The US-Swiss framework is intended to simplify the transfer of personal data by Swiss companies to American companies that are self-certified with the US Department of Commerce (DOC). Self-certified US companies are bound by the principles contained in the framework. They will automatically be considered as providing an adequate level of data protection under Swiss law.

EU Article 29 Data Protection Working Party Released Working Document

On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.

The challenges discussed in the Working Document have considerable practical implications for companies, which are increasingly caught between U.S. requirements that personal data be retained and transferred to the United States for litigation purposes, and European legal restrictions on such retention and transfers. These challenges are not just theoretical, as in December 2007 the French Supreme Court (Cour de cassation) upheld a €10,000 criminal fine against a French attorney for collecting information as part of U.S. discovery proceedings.

The Working Document identifies four data-related stages during the litigation process—retention, disclosure, onward transfer, and secondary use—and stresses that the “use of personal data at each of these stages will amount to processing” and “will require an appropriate condition to legitimate the processing.” It is tempting to focus only on the issues raised by transferring personal data to the United States, but collecting, storing, and analyzing personal data within Europe also require legal justifications and careful attention.

According to the Working Document, “it is unlikely that in most cases consent would provide a good basis for processing.” Instead, the Working Document points to Article 7(f) of the EU Data Protection Directive—processing necessary for the purpose of a legitimate interest of the controller or a third party—as a more likely basis for complying with U.S. civil discovery laws. The Working Document also leaves open the possibility that Article 7(c) of the Directive—compliance with a legal obligation—might also work, since some member states may impose a legal obligation to comply with the orders of foreign courts. However, a foreign legal obligation alone is insufficient to provide a legal basis for data processing under the Directive.

“Sensitive” personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life) could only be processed with unambiguous consent or if “necessary for the establishment, exercise or defence of legal claims.” Given the Working Party’s generally negative view towards consent or legal necessity as a basis for data processing in the discovery context, a practical solution to the issue of processing sensitive personal data still seems remote.
 
In addition to requiring a legitimate basis for each stage of data processing in connection with civil discovery, the Working Document also stresses other key data protection requirements that must be complied with. For example, under Article 6, personal data must be “processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not used for incompatible purposes.” Personal data must also be “adequate[,] relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”

The Working Document notes that compliance with these provisions may require “filtering” of personal data while still in Europe to limit the data to those relevant to a civil discovery demand, and may require “the services of a trusted third party in a Member State.”

Transparency is another key requirement stressed in the Working Document, which states that “in the context of pre-trial discovery this would require advance, general notice of the possibility of personal data being processed for litigation.” Additional notice would be required if data are actually produced as part of a judicial proceeding.

The Working Party also stressed the rights of access, rectification and erasure, and suggested that before complying with civil discovery orders, and during the trial itself, data subjects must have access to their data and an opportunity to “access and rectify incorrect, incomplete or outdated personal data prior to the transfer.”

Finally, the Working Document highlights the need to provide continuing security for personal data.

On the specific issue of transferring data to a third country (e.g., the United States) for production, the Working Party would require compliance with Safe Harbor, a data transfer agreement based on standard contract clauses approved by the European Commission, or a set of binding corporate rules that have been approved by the relevant Member States’ data protection authorities. The Working Document notes that compliance with a request under the Hague Convention would always “provide a formal basis for a transfer of personal data,” but goes on to observe that not all member states have signed the convention, many who have signed have entered reservations against the discovery provisions, and U.S. courts have been reluctant to follow Hague Convention procedures.

The Working Document is noteworthy for its thoroughness and moderate tone. While the Working Document is signed by Article 29 Working Party president Alex Türk of the French Data Protection Authority (the CNIL), the process that led to the Working Document included a subcommittee of the Working Party led by Dr. Alexander Dix, who has carefully studied the issues and who was a featured participant in the High-Level Workshop on U.S. Civil Discovery and European Data Protection co-sponsored by the Centre for Information Policy Leadership at Hunton & Williams, LLP, in October 2008. Many of the recommendations also appear to reflect the careful, moderate arrangements that Dix has negotiated or approved as Data Protection and Freedom of Information Commissioner of Berlin—calling for broad notice, a limited scope of data retention, close scrutiny within Europe, the negotiation with U.S. courts for appropriate limitations and protective orders, and continuing obligations that follow the data.

That said, the Working Document is likely to face three limitations. First, it explicitly defers consideration of a number of issues, for example, document retention and production in criminal and regulatory investigations, and practical litigation management systems that store broad swaths of data to facilitate the retention and analysis of data in response to discovery requests.

Second, while Dr. Dix and his colleagues have developed significant understanding of the complex issues surrounding civil discovery and have provided guidelines noteworthy for their “balance” and “proportionality”—two words that appear frequently in the document—it is not clear that U.S. courts, unfamiliar with basic data protection concepts, will be similarly diplomatic in their outlook. Instead, U.S. judges may well perceive some of the recommended steps to accommodate privacy interests as time-consuming and burdensome at best, or as a threat to their judicial authority at worst. So translating the Working Party’s broad guidelines into practical reality may be the greatest challenge ahead.

Third, the Working Document explicitly notes that its guidelines are an “initial consideration” of how to manage the issues surrounding pre-trial discovery, but that resolving those issues is “beyond the scope of an Opinion by the Working Party” and can “only be resolved on a governmental basis, perhaps with the introduction of further global agreements along the lines of the Hague Convention.” The Working Document might best be understood as a first step—an important first step to be sure—towards a more distant goal.

The Working Document concludes with “an invitation to public consultation with interested parties, courts in other jurisdictions and others to enter a dialogue with the Working Party.”

Hunton & Williams actively advises clients on compliance with the EU Data Protection Directive generally and in connection with civil discovery and internal and criminal investigations. If we may be of service, or for further information about the Working Document, contact Chris Kuner or Bridget Treacy.

ECHR Rules on Disclosure of Web Users' Identity

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge.