Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud

AIIM Market Intelligence: delivering the priorities and opinions of AIIM's 80,000-strong community. Underwritten in part by Workshare. aiim.org

About the Paper

As the non-profit association dedicated to nurturing, growing and supporting the information management community, AIIM is proud to provide this research at no charge. In this way, the entire community can leverage the education, thought leadership and direction provided by our work. We would like these research findings to be as widely distributed as possible. Feel free to use individual elements of this research in presentations and publications with the attribution "AIIM 2014". Rather than redistribute a copy of this report to your colleagues or clients, we would prefer that you direct them to the AIIM website for a free download of their own. Permission is not given for other aggregators to host this report on their own website.

Our ability to deliver such high-quality research is partially made possible by our underwriting companies, without whom we would have to return to a paid subscription model. For that, we hope you will join us in thanking our underwriters, who are:

Workshare, 20 Fashion Street, London, E1 6PX, UK. Tel: +44 (0). Email: sales@workshare.com

About AIIM

AIIM has been an advocate and supporter of information professionals for nearly 70 years. The association's mission is to ensure that information professionals understand the current and future challenges of managing information assets in an era of social, mobile, cloud and big data. AIIM builds on a strong heritage of research and member service. Today, AIIM is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants. AIIM runs a series of training programs and provides industry certification, including the Certified Information Professional.

About the author

Mike Davis is an independent IT analyst with a 31-year career in IT, specialising in information management, governance and processes. Prior to working as an analyst, first for Butler Group and latterly for Ovum, Mike was an IT Director in the UK health service.

AIIM - Find, Control, and Optimize Your Information. 1100 Wayne Avenue, Suite 1100, Silver Spring, MD. AIIM - The Global Community of Information Professionals

Table of Contents

About the White Paper
  About AIIM
  About the author
Introduction
The purpose of EU Data protection laws and regulations
  The current directive and future regulation
Why we need Data Protection
Data protection and what it means for businesses
  The benefits of applying data protection regulations
  The role of a data controller
  The role of a data processor
Data Protection in the cloud
  Sub-contracting of cloud services
  Safe Harbour, Standard Contractual Clauses and BCR
  Restrictions on the export of data
  Cloud security
  The Patriot Act
The European General Data Protection Regulation (GDPR)
  Impact for organizations/businesses
  Penalties
  Potential implementation timescale
Recommendations for data controllers and processors
References
Appendices
  Appendix 1: Belgium
  Appendix 2: Czech Republic
  Appendix 3: Denmark
  Appendix 4: Finland
  Appendix 5: France
  Appendix 6: Germany
  Appendix 7: Hungary
  Appendix 8: Italy
  Appendix 9: Netherlands
  Appendix 10: Poland
  Appendix 11: Spain
  Appendix 12: Sweden
  Appendix 13: United Kingdom
Underwritten by Workshare

Introduction

Data Protection laws and regulations across the EU govern the storage and processing of data that would allow an individual to be identified. They are intended to address the risks around privacy and data loss, and to provide a framework for good information governance. The development of public, private, government and hybrid cloud computing services has created a challenge to on-premise data storage and processing, and thus created uncertainty regarding the responsibilities of the respective organisations for data protection and data privacy.

The European Union is soon to implement the General Data Protection Regulation (GDPR), which will bring all 28 member states under a single regime of rules and penalties for breach. AIIM regards this as an opportunity for cloud providers to deliver EU-wide services under a single operations model. However, providers and users need to be aware of the current legislative challenges.

The purpose of this White Paper is to inform end-users of the current and potential future legislative landscape in Europe regarding data protection and data privacy. This will enable end-user organisations to make risk-based decisions about cloud versus on-premise content storage. It will also allow them to evaluate providers of cloud services to ensure that they will stay compliant with applicable law. This white paper is based on AIIM's in-house research and the interactive guide provided by the international law firm Bird & Bird (Reference 1).

The purpose of EU Data protection laws and regulations

The current directive and future regulation

In 1980, the Organization for Economic Cooperation and Development (OECD) published its Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. The objective was to create a comprehensive system for the protection of personal data throughout OECD countries, principally Europe and the US.

A year later the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe, obliging the signatories to enact legislation concerning the automatic processing of personal data. This included seven key principles:

- Notice: data subjects should be given notice when their data is being collected;
- Purpose: data should only be used for the purpose stated and not for any other purposes;
- Consent: data should not be disclosed without the data subject's consent;
- Security: collected data should be kept secure from any potential abuses;
- Disclosure: data subjects should be informed as to who is collecting their data;
- Access: data subjects should be allowed to access their data and make corrections to any inaccurate data;
- Accountability: data subjects should have a method available to them to hold data collectors accountable for following the above principles.

This led to data protection legislation in the then EU member states, implemented between 1984 and 1986 but with differing interpretations. The US, whilst endorsing the OECD's recommendations, did not implement them.

In the early 1990s the European Commission recognised that diverging data protection legislation across EU member states was impeding the free flow of data (and thus trade) within the EU, and so proposed the updated Data Protection Directive (95/46/EC). This, the current European Data Protection Directive, covers the protection and processing of personal data regarding individuals, and the free movement of such data across the EU. The Directive is a component of EU privacy and human rights law. A directive binds member states as to the result to be achieved but is not directly applicable to citizens, so it has been transposed into national law in each of the 28 member states, and in different ways.

The lack of consistency has led to confusion for those wishing to store and process data, something at odds with the EU ideal of a single open market across all states. For example, the German and Austrian interpretations of the directive do not normally permit personal data of their citizens to be stored outside the physical boundaries of those countries.

In January 2012, the European Commission published the draft General Data Protection Regulation (GDPR) that will supersede the Data Protection Directive. As a regulation, this will be mandatory across the whole of the EU with no national exceptions.

From a broader view, the right to privacy is a highly developed area of law in Europe, across the 28 states of the EU and the wider European Economic Area (EEA). All the member states of the EU are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. The Council of Europe has also published the Handbook on European Data Protection Law (Reference 2) which, whilst it does not cover cloud, provides a thorough background for businesses new to the field, and is available for download.

Why we need Data Protection

Personal data is defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (Reference 2).

The widespread adoption of computer systems and the internet as a means of processing information to provide and support services for individuals, whether commercial (such as online shopping), for business (either government or private) or as social media, has resulted in many people placing much of their personal data in the public (internet-accessible) domain.
In the EU there is a presumption that such information is given in return for a particular operation or service, not that it will be used for purposes that the data subject had not intended. From an EU perspective, personal data should only be used in line with the wishes of the data subject (the person) and protected from loss, deletion or other uses without the permission of the data subject. Current examples of breaches of data protection legislation range from identity theft to the loss of backup tapes. The responsibility for compliance with data protection legislation rests with the data controller, i.e. the person, public authority, agency or any other body which decides the purpose and the means of processing the personal data collected.

Data protection and what it means for businesses

The benefits of applying data protection regulations

Implementing appropriate Data Protection is often regarded as an overhead by organisations. If one looks, for example, at the eight Data Protection Principles as applied in the UK Data Protection Act 1998, these are in reality just good business practice and should add value to business processes:

1. Personal data shall be processed fairly and lawfully: this is self-evident.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes: a matter of trust between the data subject and the organisation.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed: this saves storing irrelevant data and the costs involved.
4. Personal data shall be accurate and, where necessary, kept up to date: inaccurate data costs money, in terms of wasted mail and storage.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes: as with principle 3, it saves storing irrelevant data and the costs involved.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act: honest and self-evident.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data: if an organisation collects data it must have valued that information as an asset, and therefore, like any physical asset, it should be protected.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data: other countries may not follow the same rules on privacy, and such a transfer would be a betrayal of a data subject's (in most cases a customer's) trust.

The role of a data controller

The Data Controller is the organisation itself, but the physical process of control and monitoring will be undertaken by a designated person, who may be titled the data controller or data protection officer. He or she will be responsible on an operational basis for ensuring that the data collected by the organisation on its data subjects is managed not only according to national law and regulation, but to any organisation-specific policies. The Data Controller will be the entity responsible for placing data in the cloud with a Data Processor (the provider). While ultimately it will be the CEO or equivalent who will be held responsible for any breach, it is the designated person who, by establishing procedures, processes, monitoring and reporting regimes, keeps the organisation compliant. In the UK the Information Commissioner's Office (ICO) has produced specific guidance on data protection in the cloud (Reference 4).

The role of a data processor

The Data Processor is the designated person or company responsible for the physical capture, storage and processing of the data subject's information. This may be within the organisation for on-premise solutions, but in the outsourced or cloud environment it can be one, or even a number of, organisations. However, under both the current Directive and the future Regulation, the prime responsibility for protection of personal data lies with the data controller.

Data Protection in the cloud

Cloud computing can be described as the range of information technology services offered to organisations and delivered over the internet. There is a wide variety of benefits that may be achieved through the use of specialist cloud providers, including increased security, reliability and resilience, exploiting the provider's economies of scale, flexibility of storage, lower maintenance costs, lower energy bills and a reduction in on-premise servers.

The cloud by its definition and structure is not restricted by geographical boundaries, with data centres potentially being in any country around the globe. When a geographically centred customer contracts with a cloud provider, it is putting its data, including its customers' personal data, "out there", and potentially in conflict with the national implementation of the EU Directive. When using cloud computing it will normally be the cloud customer who determines the purposes for which, and the manner in which, any personal data is processed. Therefore it is the cloud customer (the Data Controller) who has overall responsibility for complying with the data protection legislation in each country.

What constitutes a personal data breach is not as well defined in the current EU Directive as it is in the draft EU Regulation, and can differ outside Europe, in particular in the US. As the definition of personal data in the EEA currently includes any information relating to a data subject, the loss or unauthorised modification of an address or a phone number could be considered a personal data breach. The current Directive and the future Regulation apply to personal data that is processed. Processing of data has a very broad definition and includes most of the operations that are likely to occur in the cloud, including simply the storage of data.

Sub-contracting of cloud services

Some countries (e.g. the Czech Republic) have specific guidance on the use of cloud sub-contractors (who may be providing the underlying infrastructure for a SaaS cloud service). In general, any contractual and compliance elements agreed between the Data Controller and the prime Data Processor must be reflected in the contract between the Data Processor and the sub-contractor. Additional issues also need to be covered in contractual agreements, such as control over the distribution and sharing of personal data (particularly in SaaS applications and social networks), retention periods, and data deletion.

Safe Harbour, Standard Contractual Clauses and BCR

The European Commission has recognised the Safe Harbour scheme as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the US. However, the US Safe Harbour scheme is self-certifying by the cloud service providers, and consequently some individual countries within the EU apply different standards within their respective legislation.

In 2001 the EC produced a set of Model Contracts for the transfer of personal data to third countries, often referred to as Standard Contractual Clauses (Reference 5). These attempt to create a situation where, by incorporating the standard contractual clauses into a contract, personal data can flow from a Data Controller established in any of the 28 EU states and the three further EEA member countries (Norway, Liechtenstein and Iceland) to a Data Controller or Data Processor established in a country that does not ensure an adequate level of data protection. These standard clauses are invoked in some data protection regimes to provide an exception to general data export prohibitions (see Reference 1).

There is a further EC initiative that relates to the transfer of data across borders, known as Binding Corporate Rules. These were introduced in 2008 to facilitate the transfer of personal data within a multi-national corporation. The primary application was for employee data, but they can also apply to customer databases. Companies need to apply to their local Data Protection Authority, for example the ICO (Reference 6). In the context of this paper, this would only relate to the use of private corporate clouds.

Restrictions on the export of data

Under the current Directive, and the future Regulation, personal data may not be sent to countries outside the European Economic Area (EEA) that do not have what is regarded as adequate protection, or that have no Safe Harbour arrangements. This has implications both for cloud providers and for those organisations based in the EU who contract with cloud providers.

The countries within the EEA are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.

Other jurisdictions with existing adequate levels of protection, as specified by the European Commission, are listed below, but may not be included in a specific EU country's law: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. It must be noted that the US Safe Harbour arrangement is not included in the list, but is acceptable to some countries as detailed in the respective Appendices. It is for data controllers to check their specific country requirements.

Cloud security

Whether data is stored in an off-shore or onshore cloud repository, in a known but outsourced data centre, or on-premise on the Data Controller's own servers, defensible standards of security protection need to be applied if private data is to be protected as required by legislation and regulation. There are a number of international standards that can provide certification of conformance to best practice. ISO/IEC 27001 is the most widespread; the 2005 edition has since been superseded by ISO/IEC 27001:2013 (Reference 7). This is a formal specification for security management against which organizations can be certified compliant. It is highly detailed and designed to be audited, and includes requirements for staff competence. A number of professional qualifications exist, including CISSP and SSCP. Ironically, a cloud services provider is far more likely than most user organisations to be certified to ISO/IEC 27001 and to employ fully qualified staff. Compliance with these standards should be strongly considered when selecting a cloud provider, and will form part of a Data Controller's due diligence.

The Patriot Act

The Patriot Act 2001 was implemented in the US after 9/11 to support national security. It gives US government agencies the ability to demand personal data from all US organizations, or their subsidiaries in any other country. Under the Act there is no necessity to notify the individuals, overriding any consent from the individual. This is in direct challenge to the EU Data Protection Directive and could be seen as a barrier for EU organisations using cloud providers based or headquartered in the US. This has become a high-level political issue following the Snowden revelations about NSA activities, and presidential initiatives to curb some of these powers are on-going. It has to be said that many European governments have similar covert or overt powers. It is unlikely that a user organisation would be deemed to be in breach of data privacy regulations as a result of such government-sanctioned activities, especially against Safe Harbour registered companies, but some may feel an obligation to their customers to take account of it.

The European General Data Protection Regulation (GDPR)

The EU is currently (April 2014) passing a new Regulation to supersede the previous Directive, and this could have a significant impact on both the users and providers of cloud services. The purpose of the GDPR is to provide a single law for data protection to cover the whole of the EU, rather than the present Directive which, as previously discussed, has been implemented differently in each member state. As a Regulation rather than a Directive there will be one single set of rules regarding data protection; individual countries will not have the freedom to make choices. As soon as the regulation is passed, each of its provisions will become part of the national legal system of each EEA Member State, as is. The GDPR will thus make it easier for both European and non-European companies to comply with data protection requirements. In addition to giving a common approach to privacy, unlike the existing Directive it covers both cloud computing and social media, and provides common levels of fines for breaches. The GDPR will establish a European Data Protection Board (EDPB) to oversee the administration of the Regulation across the EU.

The final details of the GDPR are still under discussion and, despite significant lobbying of the EC by a number of unnamed companies from the US and from within the EU itself, the Commission is intent on the GDPR being implemented in its current structure. This will require some specific changes for organisations already operating in the EU.

Impact for organizations/businesses

The GDPR extends the definition of personal data to include address(es), the IP address of computer(s) used, and any posts on social media sites. It also covers all organisations operating in Europe irrespective of where the data is stored. As proposed, organisations will have to:

- Collect explicit consent to collect data from data subjects (the data subjects must "opt in") and facilitate the subject's wish to withdraw that consent.
- Be able to delete all customer data at the request of the data subject, a provision known as the Right to Erasure, unless there is a legitimate reason for its retention.
- Provide data subjects with a clear privacy policy.
- On request, provide data subjects with a copy of their personal data in a format that can be transmitted electronically to another system.
- Undertake an annual risk management analysis, detailing both the risks identified for data breach/loss and the steps taken to alleviate those risks.
- Establish which is to be the single Data Protection Authority (DPA) for the organisation. This may be in any member state. (It is expected that the UK and Ireland will be most popular because of the use of the English language.)
- Appoint a lead authority Data Controller to be responsible for all processing operations across Europe.
- For public bodies and organisations processing the data of more than 5,000 data subjects, appoint a Data Protection Officer within 12 months of the Regulation being adopted.
- Document fully any breach, and notify the appropriate authority without undue delay. It is expected that the authority will decide whether the organisation should notify data subjects if any adverse impact has been determined.

It is also proposed that the data controller and data processor (the cloud provider) have joint liability for any breach. Organisations will be able to apply for an EU Data Protection Seal, which will be a five-year certification of the processes it and its data processor(s) have in place.

Penalties

For a negligent breach of privacy or loss of data, it is proposed that a company can be fined up to 5% of annual revenues, to a maximum of 100 million Euros.

A new potential offence which has emerged in the US regarding data protection, and which may have future bearing on the implementation of the Regulation, is that of "unjust enrichment". This is where a company has profited by saving money through not implementing adequate security measures. It is understood that this is currently being considered in the European Commission as a potential basis for future legal actions. The first example was the $3 million data breach class action settlement with health insurance provider AvMed, Inc., relating to the theft of two AvMed laptop computers that contained the personal information of 1.2 million customers. The company subsequently agreed to settle (March 2014) by paying all its current and former customers whose sensitive personal information was contained on the stolen computers $10 for every year they were a customer, subject to a maximum of $30. The payments relate to the claim that AvMed should have been spending additional funds on data security during that time period.

Potential implementation timescale

The GDPR had its first reading on 12 March 2014, where MEPs agreed to stronger safeguards for data that gets transferred outside the EU/EEA. During the second half of 2014 there will be Parliament-Council negotiations on the fine detail, with agreement on the Regulation planned before the end of the year. Organisations will be given two years to implement the changes and for the Commission to establish the EDPB (Reference 8). This would take us to early 2017 as the latest compliance date, remembering that in the meantime national laws for data privacy (as outlined in the Appendices) need to be complied with as a minimum.

Recommendations for data controllers and processors

Until the implementation of the Regulation, data controllers and their organisations using, or intending to use, cloud services need to:

- Be aware of the respective countries within the EU from which the personal data of data subjects originates.
- Follow the current legislation, in particular with specific regard to the transfer of such personal data across borders.
- Establish whether any existing processing falls foul of current legislation and work with the respective Data Protection Authorities to resolve the problems.
- Review contracts with existing data processors to ensure that they are compliant with current legislation.
- Set a compliant strategy in each geography to reflect the requirements of the new GDPR before the end of the transition period (currently 2017).
- Establish procedures and start the process of gaining explicit consent for the collection and processing of personal data, in preparation for the implementation of the Regulation.

Data processors providing cloud services need to:

- Review the physical locations of their data centres and ensure that they are not currently processing personal data outside the boundaries set by individual country legislation.
- Decide whether to establish data centres within the EU/EEA or other areas with adequate levels of protection, in preparation for the Regulation.
- Set a compliant strategy for the company, and in each geography, in preparation for the requirements of the Regulation.
- Educate sales and technical staff on the implications of the Regulation, and amend contracts and provisioning appropriately.

References:

1. Cloud Computing & your legal questions answered, Bird & Bird.
2. Handbook on European data protection law, European Union Agency for Fundamental Rights.
3. EU Data Protection Directive (95/46/EC), European Commission.
4. Guidance on the use of cloud computing, Information Commissioner's Office, Practical_application/cloud_computing_guidance_for_organisations.ashx
5. Model Contracts for the transfer of personal data to third countries, European Commission.
6. Binding corporate rules, Information Commissioner's Office.
7. ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements.
8. Q&A on EU data protection reform, Justice Directorate-General.

APPENDICES

The following appendices are abbreviated from the Bird & Bird Guide (Reference 1), and describe the currently applicable laws and regulations relating to Data Protection in thirteen of the twenty-eight European Union states. Where relevant they specifically relate to those aspects around cloud computing. As previously discussed, these will be brought into line through the application of the GDPR, but during the transitional period both Data Controllers and Data Processors need to be aware of the differences and have a migration path to the regime under the GDPR. Because the laws have derived from the same Directive there is significant commonality between jurisdictions, but there are also significant differences in application, for example in Germany and Spain. Companies are advised to obtain specific advice on their target markets.

NOTE: These appendices are a simplification of complex legal and policy rules, and specific legal advice should be sought for your situation.

Appendix 1: Belgium

Relevant legislation

The Privacy Act (1992) aims to protect the citizen against any misuse of his personal data as a result of processing. It not only defines the rights and duties of the persons whose data is processed (data subjects) but also those of the persons responsible for such processing (data controllers). There is no specific law or regulation in Belgium regarding the ownership of data; this should be determined by the contract between the service provider and the user.

The Belgian Privacy Act (the Act) is generally compatible with the EU Data Protection Directive with respect to cloud computing issues. However, as it is not tailored to deal with all cloud computing issues, guidance from the Data Protection Authority is yet to be published. The Act requires that data subjects are informed of the existence and purposes of processing. They must be notified directly at the time of collection of the data and, as cloud services often involve the transfer of data abroad, that such a transfer may take place.

The Act is strict and in principle prohibits the collection and processing of sensitive data (information as to racial or ethnic origin, political opinions, religious or other beliefs, membership of a trade union, health data, sexual life, and judicial data). There are exceptions: (i) if the data subject has given his/her explicit written consent; (ii) if it is necessary to provide care to the data subject; (iii) if it is mandatory under employment or social security laws; (iv) if the data subject has made the data public; (v) if it is necessary to establish, exercise or defend a right; or (vi) if it is necessary for scientific research. Financial information is not as such considered sensitive data.

Personal data may only be transferred outside the EEA if (i) the data subject has expressly consented to the transfer; or (ii) an adequate level of protection is ensured in the non-EEA State; or (iii) processing is compulsory in accordance with legal obligations. An adequate level of protection is ensured if (i) it is determined by the EU Commission or by an international agreement between the country of destination and Belgium; or (ii) it is based on a Safe Harbour certification, in the case of transfer to the U.S.; or (iii) adequate protection is provided through agreements such as Binding Corporate Rules or EU Standard Contractual Clauses.

The Data Controller's obligations

The data controller is the entity or person, alone or together with others, determining the purposes and the means of the processing of personal data, and is responsible for compliance with the data protection legislation. In most cases, the user of the cloud is deemed to be the controller.

The Data Processor's obligations

The data processor is the entity or person processing personal data on behalf of the data controller. In most cases, the cloud service provider is deemed to be the processor. However, the processor's role may evolve so that it qualifies as a co-controller or even a controller. It can only collect, process and use personal data according to the instructions, and on behalf, of the data controller. It is bound by strict obligations regarding technical and organisational security measures as well as regarding the confidentiality of the data. The relationship between the data controller and the data processor must be stated in a written agreement. If services are sub-contracted by the processor, the client should be informed and should give its consent to such use. The contractual relationship between the processor and sub-processor shall mirror the obligations of the agreement.

Requirements set by the regulator(s)

Both data controllers and data processors must ensure data security and confidentiality by implementing technical and organisational measures. The Belgian Data Protection Authority has published two opinions regarding cloud: the first relates to the Government Cloud and the second is aimed at companies. These provide legal guidelines, especially related to IT security, the location of servers and the determination of the data controller at every stage where data is placed in the cloud (Reference 1). These include specific requirements relating to disclosure on health data, advertising administration and municipal councillors. The Belgian financial supervisory authority (FSMA) applies regulations issued in 2004 to financial institutions that outsource activities and processes to external companies, including to a cloud service provider.

Appendix 2: Czech Republic

Relevant legislation
Czech data protection law is generally compatible with the EU Data Protection Directive on cloud computing issues. However, the EU Data Protection Directive has not been fully implemented in the Czech Republic (e.g. cookies), and there is no practical experience and no guidelines issued by the Czech DPA, making it difficult to predict the official position.

The Czech Data Protection Authority (Czech DPA) has competence over data controllers/processors that control/process data on the territory of the Czech Republic. The Czech DPA therefore claims competence when controllers/processors:
- have their registered office within the territory of the Czech Republic;
- use technical means located within the territory of the Czech Republic.

Besides the standard notification regarding the processing of personal data, the data subject must be informed if the cloud service takes place outside the EEA (e.g. personal data is processed on servers outside the EEA) and about the nature of the data. There are no specific requirements applying to cloud services; the standard notification for any processing of personal data is mandatory.

Personal data can be transferred to third countries:
- if the prohibition restricting free movement of personal data ensues from an international treaty, or if the personal data is transferred on the basis of a decision of an institution of the European Union (i.e. SCCs or Safe Harbour); or
- if the controller proves that:
  - the data transfer is carried out with the consent of, or on the basis of an instruction by, the data subject;
  - sufficient specific guarantees for personal data protection have been created in the third country;
  - the transfer is necessary for negotiating the conclusion or change of a contract, carried out at the initiative of the data subject, or for the performance of a contract to which the data subject is a contracting party;
  - the transfer is necessary to perform a contract between the controller and a third party, concluded in the interest of the data subject, or to exercise other legal claims; or
  - the transfer is necessary for the protection of the rights or important vital interests of the data subject, in particular for saving life or providing health care.
In the latter case (transfer on the basis of the controller's proof), the controller must apply to the Czech DPA for authorisation before transferring data to third countries.

The Data Controller's obligations
The data controller is the person/entity that determines the purpose and manner in which personal data is processed. The official position of the Czech DPA confirms that, in most cases, the user of cloud computing services is the data controller.

The Data Processor's obligations
The data processor is the person/entity that processes data on behalf of the data controller. The official position of the Czech DPA confirms that, in most cases, the provider of cloud services is the data processor.

Requirements set by the regulator - The Czech Data Protection Authority (Czech DPA)
Both the controller and the processor must:
- adopt measures preventing unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing and other misuse of personal data;
- develop and document the technical and organisational measures used to ensure personal data protection in accordance with the law and other legal regulations;
- perform a risk assessment for:
  - the carrying out of processing instructions by people with immediate access to personal data;
  - the prevention of unauthorised access to personal data and to the means of processing;
  - the prevention of unauthorised reading, creating, copying, transferring, modifying or deleting of records containing personal data;
  - measures enabling the determination and verification of the recipients of transferred personal data.

The processor must also monitor and report any breach of data protection law to the Czech DPA.

Czech data protection law only recognises a direct agreement between a controller and a processor. Based on the longstanding interpretation of the Czech DPA, chaining of processors (sub-processors) was not allowed at all, and a direct agreement was always required. The approach changed slightly in 2013 after the Czech DPA issued guidelines on the protection of personal data in cloud services. According to the guidelines, it is generally possible for providers of cloud services to use sub-processors. The use of sub-processing must be expressly permitted in the agreement between the provider and the user of cloud services. The obligations and responsibilities deriving from data protection legislation should be set out clearly and not dispersed throughout the chain of subcontracting.

Appendix 3: Denmark

Relevant legislation
The Danish Personal Data Act (Persondataloven) implements the EU Data Protection Directive. In relation to security measures, Denmark has adopted additional requirements by way of an executive order (Sikkerhedsbekendtgørelsen), which presents particular challenges to international cloud computing providers. Minor changes to the executive order are underway, but the general opinion among businesses and authorities is that a more comprehensive modernisation is needed, i.e. one that embraces cloud computing.

For processing sensitive or semi-sensitive data (i.e. data that is not sensitive but is strictly private, such as information on crime or social problems), authorisation from the DPA is required. For transferring such data, authorisation is needed even when transferring to a safe third country or to Safe Harbour companies, unless the transfer is based on unchanged EU standard contractual clauses. In general, the security requirements are higher if sensitive or semi-sensitive data is processed.

In relation to financial information, a company's accounting material is required to be stored in Denmark, though storage in Sweden, Norway, Finland and Iceland is accepted. An exemption can be obtained, but case law on this is quite strict.

Data can be sent outside the EU/EEA:
- to third countries which are considered by the Commission to ensure an adequate level of protection; transfer of sensitive or semi-sensitive data requires authorisation;
- to Safe Harbour companies in the US; transfer of sensitive or semi-sensitive data requires authorisation;
- where the data subject has consented to the transfer; no authorisation is required;
- in other specific situations, including the performance of a contract between the data controller and the data subject, the conclusion or performance of a contract between the data controller and a third party in the interest of the data subject, and the protection of the vital interests of the data subject; transfer of sensitive or semi-sensitive data may require authorisation.

The Data Controller's obligations
The data controller is the person or entity that, alone or together with others, decides the purposes and means of the processing. Usually this is the customer (i.e. the company/authority using the cloud service).

The Data Processor's obligations
The data processor is the person or entity processing data on behalf of the data controller. The cloud service provider is in most situations considered the data processor, but may also act as controller for some parts of the data processing, depending on the circumstances.

Requirements set by the regulator
Appropriate technical and organisational security measures must be adopted. More in-depth requirements are stated in Sikkerhedsbekendtgørelsen (the executive order on security), which applies only to public authorities but is used as a guide in relation to private companies as well. In recent cases regarding cloud computing and public authorities, the Danish DPA has set high standards on security.

Appendix 4: Finland

Relevant legislation
The Finnish Personal Data Act (523/1999, as amended) implements EU Directive 95/46/EC, and its content generally complies with the Directive. However, the Finnish Personal Data Act does not include any cloud computing specific provisions. The data subject need not be informed that cloud services in particular may be used to process the data. However, in accordance with the Act, the data controller must provide certain information regardless of the means by which the personal data is processed, including the purposes of the processing, what personal data is processed, what security measures are taken, whether the personal data may be transferred to a third country and whether the data may be disclosed to a third party.

The Finnish Personal Data Act contains special rules on sensitive personal data. The main rule is that processing sensitive personal data is prohibited under the Act. Sensitive personal data means data on (i) race or ethnic origin; (ii) social and political opinions, religious or philosophical beliefs, or trade union membership; (iii) a criminal act, punishment or other criminal sanction; (iv) health, illness or disability, or treatment or other comparable measures relating to health; (v) sexual orientation or behaviour; or (vi) the need for social care, or social care services, support measures or other social care benefits received. In certain situations sensitive personal data may nevertheless be processed, but it must be removed immediately once there are no longer grounds for processing it as set out in the Act. There are also restrictions on the processing of social security numbers under the Act.

There are no special data protection regulations concerning financial information; however, if the data relates to operations which the Finnish Financial Supervisory Authority monitors and/or regulates, the authority may require a right to audit the cloud service.

Data can be sent outside the EU/EEA provided that (i) the laws of the non-EU/EEA country provide sufficient data protection, or (ii) the European Commission has determined that the non-EU/EEA country provides sufficient data protection (e.g. the recipient is part of the Safe Harbour scheme). In addition, the Finnish Personal Data Act includes exceptions under which personal data can be transferred to a third country even if its data protection is not considered sufficient:
- the data subject's explicit consent to the transfer has been obtained;
- the transfer is necessary for the performance of a contract between the data controller and the data subject, or for the implementation of pre-contractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract between the data controller and a third party which is in the interest of the data subject;
- the transfer is necessary for the protection of the vital interests of the data subject;
- the transfer is necessary for the establishment, exercise or defence of legal claims, or for safeguarding a public interest required by law;
- the transfer is made from a register and the right to obtain the information is based on law;
- the data controller provides sufficient guarantees of the protection of privacy and rights, and the Commission has not found the guarantees insufficient; or
- Standard Contractual Clauses approved by the European Commission are used.

The Data Controller's obligations
Under the Finnish Personal Data Act, the data controller is one or several persons or entities who define the purpose and means of processing the data. Normally, the party acquiring cloud computing services is deemed to be the data controller.

The Data Processor's obligations
The data processor is the person or entity processing personal data on behalf of the data controller (for example, the cloud computing service provider). However, the data controller remains responsible for the data despite using a data processor, and needs to protect the data through the terms of the agreement between the data controller and the data processor. The data processor's responsibility shall be agreed in the agreements between the data controller and the data processor. Under the Finnish Personal Data Act the data controller is liable for the processing of data regardless of whether a data processor is involved. However, it should be noted that if Finnish law applies to the data processor, the data processor has to file, in the cases defined in the Personal Data Act, a notice including certain information on the processing of personal data with the Data Protection Ombudsman. Also, an independent entrepreneur who operates on behalf of the data controller, or to whom the data controller transmits data by technical means of communication, shall, before starting to process the data, provide the data controller with appropriate commitments and other adequate guarantees of the security of the data.

Requirements set by the regulator
The data controller, and the data processor if Finnish law applies to it, must notify the Data Protection Ombudsman when processing of personal data is carried out in certain cases, such as when personal data is transferred outside the European Union or European Economic Area and the law does not contain express provisions allowing the transfer.


More information

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY Introduction The continuous globalization of the world economy influences the international transfer of personal data. The transfer of personal

More information

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine International Privacy and Data Security Requirements Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine Aims of this Presentation. To provide a brief overview of

More information

Applying for Pension from Abroad. Did you know that you can apply for a pension even for work you did abroad in the 1960s?

Applying for Pension from Abroad. Did you know that you can apply for a pension even for work you did abroad in the 1960s? Applying for Pension from Abroad Did you know that you can apply for a pension even for work you did abroad in the 1960s? The Finnish Centre for Pensions is at your service when you apply for a pension

More information

Guidance on Sponsorship

Guidance on Sponsorship Guidance on Sponsorship (Recruiting and Employing Non-EEA Nationals under Tier 2 of the UK s Points Based System) Human Resources 1 Introduction 1.1 These guidance notes set out the requirements in place

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Information Security Risks when going cloud. How to deal with data security: an EU perspective. Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

The coordination of healthcare in Europe

The coordination of healthcare in Europe The coordination of healthcare in Europe Rights of insured persons and their family members under Regulations (EC) No 883/2004 and (EC) No 987/2009 Social Europe European Commission The coordination of

More information

New environmental liabilities for EU companies

New environmental liabilities for EU companies New environmental liabilities for EU companies The ELD applies to all businesses that operate within the EU, even if the parent company is located outside of the EU. The ELD applies to all businesses,

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

Compliance guide: Data protection. A practical guide to meeting your regulatory and best practice obligations

Compliance guide: Data protection. A practical guide to meeting your regulatory and best practice obligations Compliance guide: Data protection A practical guide to meeting your regulatory and best practice obligations Contents Introduction 3 5 Principle 1: Data must be fairly and lawfully processed 4 5 Principle

More information

- Assessment of the application by Member States of European Union VAT provisions with particular relevance to the Mini One Stop Shop (MOSS) -

- Assessment of the application by Member States of European Union VAT provisions with particular relevance to the Mini One Stop Shop (MOSS) - - Assessment of the application by Member States of European Union VAT provisions with particular relevance to the Mini One Stop Shop (MOSS) - BACKGROUND The information available on this website relates

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

European Federation of Pharmaceutical Industries and Associations (EFPIA) HCP/HCO Disclosure Transparency Requirements Methodology Note for Shire

European Federation of Pharmaceutical Industries and Associations (EFPIA) HCP/HCO Disclosure Transparency Requirements Methodology Note for Shire European Federation of Pharmaceutical Industries and Associations (EFPIA) HCP/HCO Disclosure Transparency Requirements Methodology Note for Shire Contents 1. Overview of the EFPIA Requirements... 3 2.

More information

Planned Healthcare in Europe for Lothian residents

Planned Healthcare in Europe for Lothian residents Planned Healthcare in Europe for Lothian residents Introduction This leaflet explains what funding you may be entitled to if you normally live in Lothian (Edinburgh, West Lothian, Midlothian and East Lothian

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Proposed guidance for firms outsourcing to the cloud and other third-party IT services Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Introduction. Fields marked with * are mandatory.

Introduction. Fields marked with * are mandatory. Questionnaires on introducing the European Professional Card for nurses, doctors, pharmacists, physiotherapists, engineers, mountain guides and estate agents(to competent authorities and other interested

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

EBA REPORT ON THE BENCHMARKING OF DIVERSITY PRACTICES. EBA-Op-2016-10 08 July 2016

EBA REPORT ON THE BENCHMARKING OF DIVERSITY PRACTICES. EBA-Op-2016-10 08 July 2016 EBA REPORT ON THE BENCHMARKING OF DIVERSITY PRACTICES EBA-Op-2016-10 08 July 2016 BENCHMARKING OF DIVERSITY PRACTICES AT THE EU LEVEL Benchmarking of diversity practices at the European Union level List

More information

Balancing Discovery with EU Data Protection in International Arbitration Proceedings By Karin Retzer and Sherman Kahn

Balancing Discovery with EU Data Protection in International Arbitration Proceedings By Karin Retzer and Sherman Kahn Balancing Discovery with EU Data Protection in International Arbitration Proceedings By Karin Retzer and Sherman Kahn As many organizations facing cross-border litigation know too well, U.S. discovery

More information

Single Euro Payments Area

Single Euro Payments Area Single Euro Payments Area Overview SEPA (Single Euro Payments Area) is a European payments initiative which aims to create one single, integrated, standardised payments market in Europe. It is an area

More information

Family benefits Information about health insurance country. Udbetaling Danmark Kongens Vænge 8 3400 Hillerød. A. Personal data

Family benefits Information about health insurance country. Udbetaling Danmark Kongens Vænge 8 3400 Hillerød. A. Personal data Mail to Udbetaling Danmark Kongens Vænge 8 3400 Hillerød Family benefits Information about health insurance country A. Personal data Name Danish civil registration (CPR) number Address Telephone number

More information

A clean and open Internet: Public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries

A clean and open Internet: Public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries A clean and open Internet: Public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries Questions marked with an asterisk * require an answer to be given.

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Information for applicants, employers and supervisors. Periods of adaptation

Information for applicants, employers and supervisors. Periods of adaptation Information for applicants, employers and supervisors Periods of adaptation Contents Introduction 1 Section one: Information for applicants, employers and supervisors 4 Section two: Guidance for applicants

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

Table of contents: ***

Table of contents: *** Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)

More information

How To Protect Your Data In European Law

How To Protect Your Data In European Law Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Access to social housing supports for non-irish nationals including clarification re Stamp 4 holders

Access to social housing supports for non-irish nationals including clarification re Stamp 4 holders Housing Circular 41/2012 December, 2012 To: Directors of Service (Housing) Town Clerks Access to social housing supports for non-irish nationals including clarification re Stamp 4 holders Dear Director/Town

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

Definition of Public Interest Entities (PIEs) in Europe

Definition of Public Interest Entities (PIEs) in Europe Definition of Public Interest Entities (PIEs) in Europe FEE Survey October 2014 This document has been prepared by FEE to the best of its knowledge and ability to ensure that it is accurate and complete.

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

EN ISO 14121-1. Safety of machinery Risk assessment. Sicherheit von Maschinen Risikobeurteilung Teil 1: Leitsätze (ISO 14121-1:2007)

EN ISO 14121-1. Safety of machinery Risk assessment. Sicherheit von Maschinen Risikobeurteilung Teil 1: Leitsätze (ISO 14121-1:2007) ÖNORM EN ISO 14121-1 Edition: 2008-01-01 Safety of machinery Risk assessment Part 1: Principles (ISO 14121-1:2007) Sicherheit von Maschinen Risikobeurteilung Teil 1: Leitsätze (ISO 14121-1:2007) Sécurité

More information

The European Union Savings Tax Directive. An historic guide

The European Union Savings Tax Directive. An historic guide The European Union Savings Tax Directive An historic guide Do you have any questions? This guide will tell you more If you are resident in an EU Member State and earn interest on deposits or investments

More information