MoFo Seminar Series. Data Protection London Masterclass: Privacy in the Cloud


MoFo Seminar Series
Data Protection London Masterclass: Privacy in the Cloud
London, 22 January 2013

Table of Contents

Presentation ... 1
Speaker Biographies ... 2
About Morrison & Foerster ... 3
Selected Articles and Alerts ... 4
- Europe Offers Incentives to Cloud Computing Growth
- Privacy in the Cloud: A Legal Framework for Moving Personal Data to the Cloud

2013 Morrison & Foerster (UK) LLP, mofo.com

Tab 1: Presentation

Data Protection Master Class: Privacy in the Cloud
January 22, 2013
Presented by Christine Lyon and Karin Retzer
2013 Morrison & Foerster LLP. All Rights Reserved. mofo.com

WHAT IS CLOUD COMPUTING?
- Internet-accessed outsourced computing, where a combination of infrastructure, software and data are stored and provided on an on-demand utility basis using massive data centers
- Offers easily provisioned, commoditized business technologies
  - Infrastructure as a service
  - Platform as a service
  - Software as a service

Public vs. Private Clouds

PUBLIC
- On-demand, scalable resources are provided over the internet
- By a third-party provider who does not necessarily own the servers on which your data is stored
- With cloud infrastructure generally made available to any customer
- With less customer control over data security, compliance and reliability
- At a lower operational cost than a private cloud, since the provider has few restrictions
- With little flexibility, since the offering is highly standardized

PRIVATE
- On-demand, scalable resources are provided over the internet or private networks
- By a third-party provider who owns the servers on which your data is stored
- Further distinction between private clouds storing your data on:
  - Shared/multi-tenant servers
  - Dedicated servers
- Allows customer control over data security, compliance and reliability
- At a higher operational cost than a public cloud, since provider has more restrictions
- With greater flexibility, since the solution is more easily customized

Three Pillars of Cloud Computing
- Infrastructure-as-a-Service (IaaS): Basic IT resources, such as computing power, memory and storage, accessed over a network (typically the internet) and usually with a subscription or per-usage pricing model
- Platform-as-a-Service (PaaS): Web-based development tools and a platform for running those applications (typically running on IaaS, the applications are SaaS)
- Software-as-a-Service (SaaS): A complete software-based solution delivered over the internet

The Cloud in Numbers
- $150 billion: Gartner's estimate of the size of the Cloud market in 2013
- $6.9 billion: amount invested in cloud-based start-ups by VCs in
- million: estimated number of jobs in global cloud computing industry in
- %: percentage of UK businesses using Cloud in some form
- 70%: percentage of cloud non-adopters citing data privacy and security as main concern

WHAT IS PERSONAL INFORMATION?
Information relating to identified or identifiable individuals:
- Name
- Address
- Work Address
- Home Address
- ID Number
- Personnel Data
- Activity Records
- IP Address (EU)

Covered individuals include:
- Employees
- Independent contractors/consultants
- Vendors
- Service Providers
- Individuals at corporate customers, such as individuals using the hosted services

Privacy Laws in Europe
- 30 Member States of the European Economic Area
- Albania, Andorra, Armenia, Belarus, Bosnia & Herzegovina, Croatia, Faroe Islands, Georgia, Gibraltar, Guernsey, Isle of Man, Jersey, Macedonia, Moldova, Monaco, Montenegro, Russia, Serbia, Switzerland, San Marino, Turkey (Pending), Ukraine

... and elsewhere
- North America: Canada, Mexico, United States
- Central & South America: Argentina, Brazil (Pending), Bahamas, Chile, Colombia, Costa Rica, Ecuador (Pending), Peru, Uruguay
- Middle East: Azerbaijan, Israel, Kyrgyzstan, Qatar (QFC), UAE (DIFC)
- Africa: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Mauritius, Morocco, Senegal, Seychelles, South Africa (Pending), Tunisia
- Asia-Pacific: Australia, Hong Kong, India, Japan, Macau, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand (Pending), Vietnam

Privacy vs. Security
- Privacy laws focus on the collection, use, and disclosure of personal information
- Security is the means by which we safeguard information against unauthorized acquisition, use, disclosure, alteration, destruction
- Security is necessary to maintain privacy of personal information
- Separate issue: security of trade secrets, business data, other non-Personal Information

U.S. Privacy Compliance
- Sector-specific privacy laws (e.g., Gramm-Leach-Bliley Act, HIPAA)
- State data security laws require safeguards when using vendors
  - Massachusetts data security regulations are high-profile example
  - But at least 10 other states also have data security laws
- State security breach notification laws: over 45 states
  - Typically cover name plus Social Security number, driver's license number, credit or debit card number or financial account number, health information
  - Generally provide an exception for encrypted data
  - Notice obligation falls on data owner, even if breach occurs at vendor

Does Regulated Data Belong in the Cloud?
- HIPAA
  - HIPAA imposes special privacy and data security rules for covered entities and their business associates
  - Business Associate Agreements with vendors
- Gramm-Leach-Bliley Act
  - Specialized privacy and data security requirements
- PCI
  - All systems (in-house and third-party) used to store and process payment card data must be PCI compliant
- There are often mixed messages about whether a cloud solution is HIPAA/PCI/GLBA compliant: marketing vs. legal.

Data Protection Compliance in the EU/EEA
- EEA data protection laws cover all sectors and all types of personal information
- Basic requirements:
  - Notice
  - Legal basis/consent
  - Limitations on data retention
  - Access and correction rights
  - Security
  - Data processing agreements with data processors
  - Registration requirements in some countries
  - Limitations on cross-border transfers outside the EU/EEA

Recent Developments
- Data protection authorities ("DPAs") are increasingly concerned about privacy and security in the cloud
- Italy, France, WP29, Sweden, Germany, Ireland, EDPS, Denmark, United Kingdom, Netherlands

WP29: Opinion on cloud computing
- Conduct a risk assessment: Before engaging a cloud provider, taking into account how cloud computing will be used, what data will be processed, the sensitivity of the data, and the safeguards that should be put in place.
- Identify the parties and their responsibilities: In most scenarios the cloud client is the data controller and the cloud provider the data processor. However, in some scenarios the cloud provider may act as a joint controller.
- Implement safeguards for sub-contracting: Provider should inform the customer about the use of sub-contractors and have individual contracts in place with its sub-contractors that reflect the contractual obligations it has with the customer.

WP29: Opinion on cloud computing (cont.)
- Notice: Customer should, as a matter of good practice, inform individuals about the use of cloud computing, as well as the providers, sub-contractors, and location of data processing.
- Contractual safeguards: Contracts should include a number of safeguards:
  - Purpose limitation and defined data retention schedule;
  - Technical and organizational security measures;
  - Access controls;
  - Disclosure of data to third parties;
  - Co-operation and audit;
  - Details on cross-border transfer of data

Denmark: Refusal of Authorization
DPA issued guidance that Google Apps or MS Office 365 did not provide sufficient protection:
- Risk Assessment before moving data to the cloud, and before engaging provider: ENISA checklist, SAS70 Type IOI certification
- Cloud Contract:
  - Provider may only act upon instruction and in line with Danish security requirements
  - General up-front consent for sub-processing permissible but customer must know the actual place of storage
  - 3rd party audit permissible if based on "recognized standard"
  - Encryption in transit between service centers and in storage at provider's facilities
  - Strong access controls (access restrictions, secure log-in, access logs)

France: CNIL Guidance
- Role of Parties: Cloud provider qualifies as joint controller in standardized public PaaS and SaaS offering where customer is unable to give instructions or control effectiveness of security
- Need for Risk Management: Conscious decision about what data should go into what cloud
- Privacy Level Agreement (PLA): Specific security standards, location of data, sub-contracting, compliance with specific requirements for specific data types
- Need for penalties and audit rights

Germany: Düsseldorfer Kreis Guidance
- Customer is data controller because of its decision to use the cloud (or not) -- even where there was an imbalance in power
- Cloud contract must include detail set forth in German law
- Need for explicit consent for sensitive data

United Kingdom: ICO Guidance
- Identify the role of the parties
- Be selective about the types of data moved to the cloud
- Be selective about the cloud service
- Be transparent
- Establish a written contract with the cloud provider
- Encrypt data in transit and provide adequate security
- Implement access controls
- Adequacy mechanism for cloud services outside the EU
- Guarantee access & correction rights

Cross-Border Issues for the Cloud
- Many countries limit transfers of personal information to other countries; this is not just an EU issue
- European Union offers several options for cross-border transfers:
  - Safe Harbor program
  - Model contracts
  - Binding corporate rules
  - Consent
- Other jurisdictions offer fewer options (e.g., Korea, Australia, Argentina); individual consent may be the only permissible basis
- In comparison, some countries permit cross-border transfers but require you to ensure the information is still handled pursuant to their laws
- Obligations typically rest on the data controller

USA PATRIOT ACT
- Allows U.S. law enforcement to require the production of any electronically stored data relevant for investigations:
  - Data may include personal data protected by the EU laws
  - Access to data by local enforcement agencies is often exempt from data protection laws or is justified
  - No exemption for access by foreign agencies
  - Draft Regulation is silent on the issue. Draft LIBE report requires DPA authorization and notice to individuals
- Production order must not be disclosed to anyone except the cloud provider. Customer cannot challenge the order, nor comply with privacy obligations
- Many countries have laws allowing law enforcement access
  - This issue is not unique to the U.S.
  - However, PATRIOT Act has received the most attention

USA PATRIOT ACT (cont.)
- France: Contractual requirement for provider to notify customer of any request by a foreign administrative or judicial authority.
- Germany: Access by foreign authorities must comply with German law. Contract should require notice of any such requests unless prohibited under criminal law and prohibit any non-mandatory sharing.
- UK: Very pragmatic. ICO action would not be appropriate against customer provided the customer took appropriate steps to ensure data protection, nor provider if the disclosure was legally required in response to the specific request.
- Netherlands/Norway: DPAs prohibited government departments from using U.S. cloud providers due to risks under PATRIOT Act.

Who is Responsible for Privacy Law Compliance?
General Principles:
- Data controllers are primarily responsible for compliance with protection laws
  - Due Diligence
  - Notice and consent (where applicable)
  - Handling access and correction requests
  - Implementing mechanisms for cross-border transfers
  - Imposing contractual obligations on data processors
- Data processors are governed by contractual obligations imposed by controller
  - But there are proposals to change this

Controller or Processor?
- DATA CONTROLLER: A person or entity that (either alone or jointly with others) decides how and why personal information is processed
- DATA PROCESSOR: A person or entity that processes personal information on behalf of a controller
- JOINT CONTROLLERS: Two or more parties each acting as a controller with respect to personal information

Controller/Processor Tensions
- Cloud provider usually asserts that it is merely a data processor, to try to minimize direct privacy law obligations
- Yet cloud providers often handle matters traditionally viewed as data controller functions
- Be alert to processor/controller issues in drafting

Negotiating Cloud Privacy Terms
Major areas of debate and negotiation include:
- Cross-border data transfers
- Use of vendors
- Audit and oversight
- Data security
- Breach response
- Data retention

Issue 1: Cross-Border Data Transfers

CUSTOMER
- Geographic limitations
- Notice/consent for cross-border transfers
- Contractual provisions
  - Safe Harbor onward transfer
  - EU model clauses
  - BCR clauses
  - Other country-specific clauses

PROVIDER
- Multi-tenant structure limits customization
- Commodity approach
- Difficulties of passing through contractual obligations to vendors

Issue 2: Use of Vendors

CUSTOMER
- Identification of vendors and location
- Consent to share hosted data with vendors
- Passing through contractual obligations imposed on provider

PROVIDER
- Unlimited use of vendors and subcontractors, without notice
- Comparable privacy and security obligations for vendors

Issue 3: Audit and Oversight

CUSTOMER
- Data protection laws require oversight
- Data protection authorities (DPAs) expect customer to have audit rights
- Customer expects cooperation if it is audited by DPA

PROVIDER
- Difficulty of allowing audits in multi-tenant environment
- Audit of records vs. facilities
- Cost factors
- Proposed reliance on third-party audits and certifications

Issue 4: Data Security

CUSTOMER
- Heightened obligations for Personal Information
- Security measures at least as stringent as their own
- Industry-standard technical, physical and administrative measures

PROVIDER
- No differentiation of Personal Information
- Standardized security protocols
- Reasonable or commercially reasonable measures

Issue 5: Security Breach

CUSTOMER
- Immediate notice of actual or suspected breach
- Notice to customer first
- Provision of notices, credit monitoring services upon request
- Indemnification rights

PROVIDER
- Prompt notice of actual breach
- Ability to notify law enforcement first
- Assistance if breach results from own acts or omissions
- Liability caps

Issue 6: Data Retention

CUSTOMER
- Mandatory data preservation for transition period
- Requiring return/deletion of Personal Information upon request

PROVIDER
- Lesser standard of not intentionally deleting data
- Cost issues for data preservation, transition
- Overwriting data over an unspecified period of time

Further Reading
- WP29 Guidance Paper
- Denmark Decision
- France Guidance
- Germany Guidance ng.html?nn=
- United Kingdom Guidance: actical_application/cloud_computing_guidance_for_organisations.ashx
- ENISA Checklist: (Risk Assessment) (Information Assurance Framework)

More Information
- Christine Lyon
- Karin Retzer
- Alistair Maughan

Save the Date
Clouds Across Europe: Review of Cloud Computing Issues
Wednesday 27 February 2013
Noon - 1:30pm GMT (1pm - 3pm CET)
Webinar only
Registration details:

Tab 2: Speaker Biographies

Attorney Bio
Alistair Maughan, Partner, London

Alistair Maughan is a partner in the firm's London office. He is co-chair of the Technology Transactions Group and a member of the Global Sourcing Group.

Mr. Maughan focuses on outsourcing and technology-based projects for major companies and public sector organizations. His primary areas of expertise include advising on outsourcing transactions (both IT and business process-driven; and both on-shore and offshore); negotiating contracts for the supply and acquisition of technology equipment, services and software; advising on data security and data privacy; advising on issues and contracts related to e-commerce; counseling public bodies on procurement policy and procedures; and drafting, negotiating and advising on all types of technology contracts and issues.

Mr. Maughan's recent transactions include advising Her Majesty's Revenue & Customs on Europe's largest "second generation" outsourcing; advising the UK police on its national fingerprint identification system and its project for the delivery and operation of the national UK emergency mobile radio network; advising the world's largest insurance broker on offshore outsourcing; and other transactions on behalf of banks, global pharmaceutical companies and major professional services firms.

Mr. Maughan is a highly-regarded commercial lawyer with recommendations in Legal 500, Chambers Global and Chambers UK, leading independent guides to the legal profession. Chambers UK awards Mr. Maughan the top ranking for both Outsourcing and Information Technology, commenting that he "brings common sense to the negotiating table". Other guides note that Mr. Maughan is the best outsourcing lawyer ever when it comes to acting for the customer end of the market and "absolutely excellent when it comes to advising customers on public sector projects". He is also named in the 2009 UK edition of Best Lawyers.

Mr. Maughan has a law degree from Leicester University, and qualified as a solicitor in He has practiced law on both sides of the Atlantic and is also admitted to the New York Bar.

Attorney Bio
Karin Retzer, Partner, Brussels
kretzer@mofo.com

Karin Retzer's practice focuses on the legal aspects of data protection and security, direct marketing, and electronic commerce.

Ms. Retzer assists clients with privacy and data security compliance and risk management, involving both national and international multi-jurisdictional dimensions. She advises on questions regarding data transfers, the handling of information in shared service centers and sourcing transactions, e-discovery, breach notification, and the use of and the Internet in the workplace. She has drafted privacy policies and guidelines, notices, agreements for data list management, and data transfer and processing contracts for dozens of multinational clients. She also assists clients in their dealings with data protection authorities, developing appropriate responses to requests for information and complaints, and provides legislative and policy advice to clients.

Ms. Retzer has particular expertise with regard to the implications of legislative restrictions for online tracking, analytics, and personalization of Internet content, behavioral advertising, and direct marketing communications. She regularly advises clients on the use of location data gathered through smart phones and location-based services.

In addition, Ms. Retzer advises clients on issues relating to electronic commerce, such as online terms of use, the requirements for online contracts, disclosure obligations, liability for website content, and the legal aspects of online auction sites. She has developed template agreements and negotiated complex commercial agreements for many clients, counseling them not only with respect to legal ramifications, but also taking into account applicable business and technical considerations.

Her work spans a wide range of industry sectors. Clients include internationally renowned consumer product companies, financial services organizations, technology and telecommunications providers as well as clients in the advertising, hospitality, media and entertainment, healthcare, pharmaceutical, and retail industries.

Prior to joining Morrison & Foerster, Ms. Retzer worked in Paris at the European headquarters of Sterling Commerce, a U.S. supplier of e-commerce products. From 1997 to 1998, Ms. Retzer worked at the European Commission, where she was involved mainly with examining and monitoring Member States' implementation of European Community directives.

Ms. Retzer regularly writes for a wide variety of publications and is a contributing author in the publication, Employee Privacy: Guide to US and International Law.

She is a member of the Munich bar and the Brussels EU bar, after studies in Regensburg (Germany), Utrecht (The Netherlands), and Munich (Germany). Ms. Retzer is fluent in German, English, and French and has a working knowledge of Dutch. She is a member of the International Association of Privacy Professionals, the German Association for Data Protection and Data Security, the Licensing Executives Society, and the Association for Industrial Property and Copyright Law.

Education
- University of Regensburg Law School (J.D., 1995)
- University of Regensburg (B.A., 1995)

Attorney Bio
Christine E. Lyon, Partner, Palo Alto
(650)

Christine Lyon's practice focuses on privacy and employment law.

Ms. Lyon assists clients in developing global strategies to comply with laws regulating the collection, use, disclosure, and transfer of personal information about their customers and employees. She also advises clients about privacy issues in cloud computing and outsourcing arrangements, security breach notification requirements, laws regulating the use of personal data for direct marketing purposes, and workplace privacy issues.

Ms. Lyon counsels clients regarding all aspects of employment law, including compliance with California and federal employment laws, investigations of workplace complaints, and reductions in force. She regularly assists clients with multinational employment issues related to mergers and acquisitions, outsourcing transactions, and corporate restructuring.

Legal 500 US 2012 recommends Ms. Lyon as a rising star who returns high-quality work very promptly. She frequently writes and speaks on the topics of global data protection laws, workplace privacy issues, and data security laws. She is a co-editor of Global Employee Privacy and Data Security Law, Second Edition (BNA Books, 2011). Ms. Lyon is a member of the editorial board of the World Data Protection Report. She is also a member of the International Association of Privacy Professionals and serves on its Education Advisory Board.

Education
- University of Iowa (B.A., 1996)
- Stanford Law School (J.D., 1999)

Tab 3: About Morrison & Foerster

Firm Overview

Morrison & Foerster is an international firm with more than 1,000 lawyers across 16 offices in the U.S., Europe, and Asia. Founded in 1883, we remain dedicated to providing our clients, which include some of the largest financial institutions, Fortune 100 companies, and technology and life science companies, with unequalled service.

Among Top 10 firms nationwide based on number of first-tier national rankings. Top-tier national rankings included, among others: Antitrust; Banking & Finance; Capital Markets; Commercial Litigation; Corporate/M+A; IP & Patent Litigation; Employment Law; Energy; Environmental; Financial Services Regulation; Securitisation/Structured Finance; Tax; Technology; Venture Capital.

Global Excellence in Law

Our clients rely on us for innovative and business-minded solutions. Therefore, we stress intellectual agility as a hallmark of our approach to client representation. We apply it to every matter from the complex to the routine to ensure the best outcomes for our clients and deliver success.

We believe that great client service requires insight, expertise, speed, and integrity. Our attorneys share high standards, a commitment to excellence, and a passion for helping their clients succeed. This commitment to serving client needs has resulted in enduring relationships and a record of high achievement. In addition, our culture of genuine collegiality creates a work environment ideally suited to collaboration and effective teamwork, which ultimately translates into organisational stability, winning results, and more positive experiences for clients.

We enjoy tremendous practice, geographic, and client diversification attributes that have allowed us to prosper in these challenging times. Our practice is balanced, with more than 500 business attorneys and nearly 500 litigators.

Offices in key financial and technology centres around the world provide us with global reach and geographic diversity: Beijing, London, Palo Alto, Shanghai, Brussels, Los Angeles, Sacramento, Singapore, Denver, New York, San Diego, Tokyo, Hong Kong, Northern Virginia, San Francisco, Washington, D.C.

We are frequently recognised for our long-standing commitment to pro bono work and diversity. Our outstanding client work has earned broad recognition from well-known national and international organisations, such as:

We provide global reach in the world's key markets
- MOFO EUROPE: Brussels, London
- MOFO USA: New York, San Francisco, Los Angeles, Palo Alto, San Diego, Washington, D.C., Northern Virginia, Denver, Sacramento
- MOFO ASIA: Beijing, Hong Kong, Shanghai, Singapore, Tokyo

Exceptional International Platform

Over the past three decades, Morrison & Foerster has invested significant effort and capital toward developing a world-class international practice leaving us well-positioned to serve clients across the rapidly-expanding global economy. Our international service platform spans expertise in M&A, securities, finance and trade, and dispute resolution, and includes complex global tax structuring, counsel on foreign workforces, the navigation of regulatory bottlenecks in multiple jurisdictions, and antitrust, environmental, and litigation risk analyses throughout the world, among other capabilities.

- We enjoy unrivalled reach around the Pacific Rim with nearly 200 lawyers in Asia teamed with more than 500 lawyers in California.
- We are the largest U.S. law firm in Japan, with more than 120 attorneys in Tokyo, including nearly 50 bengoshi admitted to practice in Japan. With our partners, Ito & Mitomi, we are widely recognised as having Japan's leading corporate practice.
- Our nearly 30-year presence in China has produced a strong platform of more than 70 multilingual U.S.-, PRC-, and/or Hong Kong-qualified professionals.
- With an established presence in the UK for 30 years, we have nearly 60 lawyers qualified in the UK who offer expertise across all major disciplines.

Practice Group Description: Privacy + Data Security

PARTNER
Karin Retzer
Boulevard Louis Schmidt
Brussels, Belgium
kretzer@mofo.com

"Clients value our extensive network of attorneys around the world since privacy legal issues are becoming more global every day." - Legal 500 US

EUROPEAN DATA PROTECTION

We help our clients navigate Europe's complex patchwork of data protection laws at the EU and individual country level, providing advice on international data transfers and processing of personal data in the employment context and online. We bring years of experience to the complex jurisdictional issues encountered by multinational companies operating in Europe and work with our long-established network of privacy experts to provide in-depth, tailored advice. In particular, we provide advice on the implementation of EU laws in the individual EU Member States, and provide our clients with regular updates, analysis, and practical compliance solutions.

Our privacy group consults and negotiates extensively with European data protection authorities, such as the French Commission Nationale de l'Informatique et des Libertés, the various German Länder Data Protection Commissioners and the UK Information Commissioner's Office, as well as the European Commission. Our work handling both compliance and advocacy projects gives us an advantage. We are able to translate and clarify high-level policy guidance into concrete compliance actions and, at the same time, use our practical compliance experience to advise government policymakers on how to craft policy in ways that can be translated into sensible compliance actions.

Recent Representative Engagements

- Consumer Products Company. We provided advice on global whistleblowing hotlines and codes of conduct, including registration obligations across the EU. We also drafted appropriate communications with employees, internal protocols and procedures, and crafted language to include in contracts with service providers.
- Several clients: Implementation of ePrivacy Directive. We have assisted a number of clients in comprehensively tracking and analyzing implementation of the EU ePrivacy Directive in all 30 EEA Member States. The ePrivacy Directive introduced new requirements for data security breach notification, spam and electronic marketing, and the use of cookies and online tracking technologies. We provided and continue to provide our clients with practical advice on how to deal with these legal changes cost effectively across the jurisdictions.
- Multinational Pharmaceuticals Company. We advised our client on the choice, adoption, and implementation of Binding Corporate Rules as the global cross-border data handling strategy. We drafted the BCRs, interaffiliate agreement, and provided comprehensive assistance and advice including preparing presentations to management, drafting communications, and establishing standard operating procedures and complaint handling procedures.
- Global Health Care Company. We advised on the adoption and implementation of a global framework agreement. We advised on the approach to consultations with works councils, drafted communications to management, human resources, sales, marketing and clinical research departments, conducted training for the procurement and legal functions globally, and prepared employee notice and consent forms. We also advised on and handled registration requirements in all EEA countries and relevant Latin-American countries, and handled all aspects of data transfer authorizations with regulatory authorities.

Practice Group Description: Privacy + Data Security

PRACTICE GROUP CHAIR
Miriam H. Wugmeister
1290 Avenue of the Americas
New York, NY
(212)
mwugmeister@mofo.com

"Recommended as excellent in all respects." - Legal 500 US

Morrison & Foerster has a world-class privacy and information security practice that is cross-disciplinary and spans our global offices. With more than 60 lawyers actively counseling, litigating, and representing clients before regulators around the world on privacy and security of information issues, we have been recognized by Chambers and Legal 500 as having one of the best domestic and global practices in this area. We were winner of Chambers USA's award for excellence in the field of Privacy and Data Security. Chambers Global ranks the practice Tier 1 in its Data Protection: Global category. Clients have commented that our group is: very responsive, with a knowledge of the area that is second to none, Chambers Global; and the best at giving practical advice by applying the law to the situation at issue, US Legal 500.

Our practical and straightforward approach has made us the privacy counsel of choice for some of the world's largest and best known corporations, as well as a host of smaller organizations. Our skills are particularly valued by companies that operate in highly regulated sectors (such as financial services, healthcare, and pharmaceuticals), those with an online presence, and those operating internationally. Such organizations face multiple layers of regulation and appreciate the timely, knowledgeable, and realistic advice our attorneys are trained to provide. We take a big picture view of how organizations handle information during its life cycle and help our clients find realistic solutions to seemingly complex problems.

We Advise On:
- Data protection and privacy policies, procedures, and training.
- Data security standards and information handling.
- Security breaches.
- Regulatory investigations.
- Litigation.
- Cross-border data transfers.
- Employee monitoring.
- Compliance audits.
- Commercial transactions.
- Direct marketing.
- E-discovery and disclosure issues in litigation.

"The work quality is exceptional, they are incredibly responsive, and they know about all the hottest issues in data privacy." - Chambers Global

A factor driving data protection regulation in recent years has been the changing nature of technology, including issues such as the increased emphasis on technological means to secure data, how we use social media, and the adoption of cloud computing. Our data protection and privacy lawyers are at home with technological innovation as well as with complex regulation. Because of our comfort with technology, we are at ease speaking with the general counsel, the chief privacy officer or the chief information officer regarding technical and nontechnical issues relating to privacy and data security.

What truly distinguishes us is our practical approach to our work. In relation to all areas of privacy law, we believe that it is our job to assist clients in finding innovative and realistic solutions that balance compliance with the law and the commercial realities of running their businesses. We work with our clients to find solutions for managing business operations in light of the complex matrix of privacy laws and regulations.

Resources

We offer important resources to support our clients in their privacy compliance and data security efforts.

Legal Resources: The privacy team writes extensively on privacy and data security matters, including two treatises, Global Employee Privacy and Data Security Law, setting out the U.S. and international legal landscape related to workplace privacy and data security, and The Law of Financial Privacy, covering the Fair Credit Reporting Act, Financial Privacy Act, Bank Secrecy Act, and Internal Revenue Code requirements, including discussions of state financial privacy laws, use of technology, and use and protection of confidential information.

Privacy Library: Our Privacy Library is an online resource which provides links to privacy laws, regulations, reports, multilateral agreements, and government authorities of more than 90 countries around the world, including the United States. The Privacy Library is the most comprehensive collection of privacy laws and regulations ever assembled, the result of years of research and experience working with clients around the world.

MoFoNotes: Morrison & Foerster provides content to Nymity for its MoFoNotes product, a subscription-based database that helps organizations determine local compliance requirements in jurisdictions around the world, spot potential compliance issues, and simplify the development of global privacy approaches.

Tab 4 Selected Articles and Alerts
Data Protection Masterclass: Privacy in the Cloud

Client Alert.
6 November 2012
Europe Offers Incentives to Cloud Computing Growth
By Alistair Maughan

The European Commission has issued a Communication setting out a road map for the future growth of cloud computing in Europe. The Communication is a strange mix: in parts, an extended advert for the benefits of a digital single market in the EU, and a narrative on the benefits of cloud computing. But the most interesting aspect of the Communication is the regulatory agenda that the Commission proposes in order to unleash the potential of cloud computing in Europe. Sceptical observers may question whether the proposed package of extra regulation, certification and contractual limitations is more likely to slow down, not speed up, the implementation of cloud computing across Europe.

Until now, most industry observers have viewed the European Union less as a facilitator and more as a barrier to the adoption of cloud computing, because the ubiquity of cloud computing services is threatened by the requirement for compliance with the EU data transfer regulations. In this Communication, the Commission claims that it is seeking to unleash the potential of cloud computing in Europe. It remains to be seen whether the laudable aims espoused by the Commission are followed up in practice, and whether the fast-growing cloud-based sector of the information and communications technology (ICT) industry welcomes the Commission's proposals.

CLOUD COMPUTING: AN OVERVIEW

Cloud computing is an ICT delivery model where ICT services are provided to users from remote servers and facilities over the Internet rather than through owned or leased IT servers and platforms. Cloud-based technology offers important benefits to users, including the chance for significant cost savings and operational efficiencies; flexibility in deployment; ready access to information systems, applications and data; better back-up services; and faster and more responsive upgrade functionality.

Through cloud computing services, users have the ability to outsource all or part of their ICT hardware architecture (infrastructure as a service, or IaaS), operating systems and platforms (platform as a service, or PaaS), or software applications (software as a service, or SaaS) as they choose. Clouds can be private, where the services are operated solely for one organisation (or a small group of organisations, which some refer to as community clouds), typically on a dedicated or partitioned platform; public, where the services are shared by numerous customers, and typically operated on a shared platform; or hybrid, which entails a combination of private and public cloud services.

A cloud set-up consists of layers: hardware; middleware or platform; and application software. Some element of standardisation is important in a cloud environment, especially at the middle layer, because it enables developers to address a wide range of potential customers, and gives users choice. In general, users of cloud services trade off customization for commoditization, and must be aware of the implications that remote services provided on standard supplier terms might have on their organisation. The financial benefits of adopting cloud-based services can be significant, although it's important for organisations also to factor in the impact of extra risks that might arise as a result of a wholly or partly cloud-based ICT solution.

Morrison & Foerster LLP mofo.com Attorney Advertising

THE COMMUNICATION

The Commission highlights the potential benefits that cloud computing could bring to Europe. It believes that, if properly implemented across Europe, the Commission's proposals could bring an additional €45 billion of direct spend on cloud computing services in the EU by 2020, as well as the creation of an extra 3.8 million jobs.

The Commission recognises that many of its proposed actions are designed to address the perception that cloud computing brings additional risks. So, for example, it proposes actions aimed at providing more clarity and knowledge about the applicable legal framework; making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification); and developing the relevant legal framework further (e.g. through a forthcoming legislative initiative on cybersecurity).

The Communication goes to some lengths to describe the benefits of cloud computing on the European economy. To organisations that have already adopted cloud computing, these benefits are well rehearsed (see separate box).

Key Benefits of Cloud Computing
Hardware is owned by the cloud computing provider, not by the user (who interacts with it via the internet).
The use of hardware is dynamically optimised across a network of computers, so that the exact location of data, processes or hardware in use is invisible to the user (although that invisibility can have legal and compliance consequences).
Cloud providers can move their users' workloads around (e.g. from one computer to another or from one data centre to another) to optimise the use of available hardware.
The remote hardware stores and processes data and makes it available, e.g. through applications (so that a company could use its cloud-based computing in the same way consumers already today use their webmail accounts).
Users can access their content and use their software when and where they need it, e.g. on desktop computers, laptops, tablets and smartphones.
Users normally pay by usage, avoiding the large up-front and fixed costs necessary to set up and operate sophisticated computing equipment.
Users can very easily modify the amount of hardware that they use (e.g. bring new storage capacity online in a matter of seconds with a few mouse clicks).

The Communication is part of the Commission's overall digital agenda under which the Commission targets setting up a digital single market. Under this digital agenda, the Commission has set itself the objective of simplifying copyright clearance, management and cross-border licensing - and thereby enhancing Europe's capacity to exploit new digital opportunities (such as cloud computing) for both producers and consumers of digital content.

In an interesting piece of self-analysis, the Commission acknowledges that data protection barriers emerged from its consultation exercise as a key area of concern that could impede the adoption of cloud computing. Those barriers are largely of the EU's own making. In particular, the Commission recognises that the existence of 27 partly diverging national legal frameworks around data protection and the issue of restrictions on sending personal data outside the European Economic Area create problems in constructing cost-effective cloud solutions in a fully integrated pan-European manner. The Commission also acknowledges that, given the global scope of cloud computing, it is important to try to clarify how international data transfers should be regulated.

The Commission believes that these concerns have been addressed by the proposal of a strong uniform legal framework providing legal certainty as well as data protection (issued by the Commission on 25 January 2012; see previous MoFo Alert). That proposed regulation addresses issues raised by the cloud and also clarifies the important question of applicable law by ensuring that a single set of rules would apply directly and uniformly across all 27 Member States. The Commission notes that the importance of data protection concerns as a main barrier to cloud computing take-up underscores how important it is that the EU works swiftly toward the adoption of the proposed regulation as soon as possible in

The Commission has also analysed the issues that cloud computing raises in the context of the European market. It stresses three issues in particular:

fragmentation of the market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location. In particular, the Commission highlights the complexities of managing services and usage patterns that span multiple jurisdictions, and the difficulty of achieving a common position in areas such as data privacy, contracts and consumer protection;

problems with contracts. The Commission highlights worries over data access and portability; change control and ownership of data managed in the cloud; concerns over how liability for service failures such as downtime or loss of data would be compensated; ownership of data created in cloud applications; and the resolution of disputes; and

standards. The Commission highlights a jungle of standards that generates confusion and suggests a lack of certainty as to which standards provide adequate levels of interoperability of data formats, or permit appropriate data portability.

Although the Commission does not foresee the building of a European supercloud (i.e.
the creation of a dedicated hardware infrastructure that would provide generic cloud computing services to public sector users across Europe), one of its aims is to ensure publicly-available cloud offerings that meet European standards in regulatory terms and which offer the benefits of being competitive, open and secure. Clearly, the Commission recognises that this does not preclude public bodies from setting up dedicated private clouds for the treatment of sensitive data. So far, a number of European countries - the UK in particular (which has launched the G-Cloud service) - are setting up their own national cloud platforms for the benefit of government departments locally.

SPECIFIC EU ACTIONS ON CLOUD COMPUTING

The Commission believes that there is a need for a series of confidence-building steps to create trust in cloud solutions. This starts with the identification of appropriate standards that can be certified in order to allow public or private buyers of cloud services to be confident that providers have met their compliance obligations and that those buyers are getting an appropriate solution to meet their needs. The Commission believes that these standards and certificates can, in turn, be referenced in contracts for cloud services so that providers and buyers feel confident that the contract is fair.

To deliver on its goals, the Commission plans to launch three cloud-specific actions.

Key Action 1: Cutting Through the Jungle of Standards

The Commission believes that a wider use of standards (and certification of cloud services to show that they meet these standards) will help to accelerate the rate of adoption of cloud solutions in Europe. Currently, individual cloud providers have an incentive to fight for dominance by locking in their customers, inhibiting standardised industry-wide approaches. The Commission believes that cloud computing is likely to develop in a way that lacks interoperability, data portability and reversibility, which are all crucial for the avoidance of lock-in.

The Commission believes that standards in the cloud will affect stakeholders beyond the ICT industry, in particular small and medium-sized enterprises (SMEs), public sector users and consumers. Such users are rarely able to evaluate competing cloud providers' claims, the interoperability of clouds and the ease with which data can be moved. It believes that independent, trusted certification is needed.

The Commission notes that, in some places, standardisation and certification of cloud solutions is already taking place. The U.S. National Institute for Standards and Technology has published a series of documents, including a widely accepted set of definitions. It believes that the priority now should be to deploy existing standards and develop competence in cloud solutions.

As a result, the Commission has asked the European Telecommunications Standards Institute (ETSI) to produce (by the end of 2013) a road-map of the standards necessary for security, interoperability, data portability and reversibility in the cloud. It also plans to facilitate EU-wide voluntary certification schemes covering cloud-based services, and agree industry-wide metrics for key environmental measures such as energy and water consumption, and carbon emissions of cloud services.

Key Action 2: Promoting Safe and Fair Contracts

The Commission notes that, traditionally, IT outsourcing agreements have been negotiated and described in detail upfront. However, cloud computing contracts tend to be done on the basis of a framework in which the user has access to scalable and flexible IT capabilities but with much less room for negotiation of the applicable contract terms, with the result that cloud contracts tend to be imbalanced in favour of the cloud provider.

The Commission believes that the use of "take it or leave it" standard contracts might well be beneficial in cost terms for consumers, but it is often undesirable for them. Such contracts may also impose an inappropriate choice of applicable law or inhibit data recovery. Even larger companies have little negotiation power, and contracts often don't provide coverage on key issues such as liability for data integrity, confidentiality or service continuity.

The Commission believes that the development of model terms for cloud computing and service-level agreements is one of the most important issues that arose during its consultation process. At one level, the Commission has already launched a proposal to implement a standard EU-wide regulation on a Common European Sales Law, which could address many of the obstacles stemming from diverging national sales law rules by providing contractual parties with a uniform set of rules.

The Commission plans to set up a task force to identify (before the end of 2013) safe and fair contract terms and conditions for cloud consumers and small firms. The Commission would like to go further and develop model terms for cloud computing service-level agreements for contracts between cloud providers and larger corporate buyers.

With respect to data privacy, the Commission plans to facilitate Europe's participation in the global growth of cloud computing by reviewing standard contractual clauses applicable to transfer of personal data to third countries and adapting them, as needed, to cloud services; and by calling upon national data protection authorities to approve binding corporate rules for cloud providers.


More information

UNCITRAL legislative standards on electronic communications and electronic signatures: an introduction

UNCITRAL legislative standards on electronic communications and electronic signatures: an introduction legislative standards on electronic communications and electronic signatures: an introduction Luca Castellani Legal Officer secretariat International harmonization of e-commerce law Model Law on Electronic

More information

EMEA BENEFITS BENCHMARKING OFFERING

EMEA BENEFITS BENCHMARKING OFFERING EMEA BENEFITS BENCHMARKING OFFERING COVERED COUNTRIES SWEDEN FINLAND NORWAY ESTONIA R U S S I A DENMARK LITHUANIA LATVIA IRELAND PORTUGAL U. K. NETHERLANDS POLAND BELARUS GERMANY BELGIUM CZECH REP. UKRAINE

More information

Data Management Session: Privacy, the Cloud and Data Breaches

Data Management Session: Privacy, the Cloud and Data Breaches Data Management Session: Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, IIS President, iappanz IACCM APAC Australia Sydney, 1 August 2012 Overview Changing privacy regulation

More information

Business Mobile Plans

Business Mobile Plans PRODUCT SOLUTIONS Business Mobile Plans GUERNSEY Whatever the size of your business, we can provide the ideal mobile solution for you. Our tariffs are flexible to suit all kinds of businesses and are designed

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

Legal issues in the Cloud

Legal issues in the Cloud Legal issues in the Cloud Renzo Marchini, Dechert LLP, London, UK Gene K. Landy, Ruberto, Israel & Weiner, PC Boston, MA, USA Portions 2010 Dechert LLP. Portions 2010 Ruberto, Israel & Weiner, PC. Attorneys

More information

Privacy Statement. What Personal Information We Collect. Australia

Privacy Statement. What Personal Information We Collect. Australia Privacy Statement Kelly Services, Inc. and its subsidiaries ("Kelly Services" or Kelly ) respect your privacy and we acknowledge that you have certain rights related to any personal information we collect

More information

opinion piece Eight Simple Steps to Effective Software Asset Management

opinion piece Eight Simple Steps to Effective Software Asset Management opinion piece Eight Simple Steps to Effective Software Asset Management Contents Step 1: Collate your licence agreements 01 Step 2: Determine your actual licence position 01 Step 3: Understand your existing

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

COST Presentation. COST Office Brussels, 2013. ESF provides the COST Office through a European Commission contract

COST Presentation. COST Office Brussels, 2013. ESF provides the COST Office through a European Commission contract COST Presentation COST Office Brussels, 2013 COST is supported by the EU Framework Programme ESF provides the COST Office through a European Commission contract What is COST? COST is the oldest and widest

More information

3D Workspace: a new dimension to your desktop

3D Workspace: a new dimension to your desktop 3D Workspace: a new dimension to your desktop The desktop management landscape has changed As the world of work changes, so do the mechanics of IT management and delivery. Technology advances like virtualised

More information

Sybase Solutions for Healthcare Adapting to an Evolving Business and Regulatory Environment

Sybase Solutions for Healthcare Adapting to an Evolving Business and Regulatory Environment Sybase Solutions for Healthcare Adapting to an Evolving Business and Regulatory Environment OVERVIEW Sybase Solutions for Healthcare Adapting to an Evolving Business and Regulatory Environment Rising medical

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

best practice guide The Three Pillars of a Secure Hybrid Cloud Environment

best practice guide The Three Pillars of a Secure Hybrid Cloud Environment best practice guide The Three Pillars of a Secure Hybrid Cloud Environment best practice guide The Three Pillars of a Secure Hybrid Cloud Environment Introduction How sound risk management, transparency

More information

E-Seminar. E-Commerce Internet Business Solution Seminar

E-Seminar. E-Commerce Internet Business Solution Seminar E-Seminar E-Commerce Internet Business Solution Seminar E-Commerce Internet Business Solution Seminar 3 Welcome 4 Objectives 5 The Internet Revolution 6 E-Commerce Defined 7 Types of E-Commerce 8 E-Commerce

More information

Response to the European Commission consultation on. European Data Protection Legal Framework

Response to the European Commission consultation on. European Data Protection Legal Framework Response to the European Commission consultation on European Data Protection Legal Framework A submission by Acxiom (ID number 02737212854-67) Correspondence Address: Martin-Behaim-Straße 12, 63263 Neu-Isenburg,

More information

Corporate Compliance: A Global Perspective

Corporate Compliance: A Global Perspective Corporate Compliance: A Global Perspective 6/27/2012 37 Offices in 18 Countries Current Compliance Environment Ever-intensifying regulatory burden new areas of regulation existing regulations becoming

More information

Implementing Privacy Compliant Hybrid Cloud Solutions

Implementing Privacy Compliant Hybrid Cloud Solutions Implementing Privacy Compliant Hybrid Cloud Solutions SESSION ID: DSP-T07A Peter J Reid Privacy Officer, Enterprise Business Hewlett-Packard Company Historical IT Outsourcing Perspective Cloud Web 2.0

More information

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected

More information

Offices in the Rouse Group: Africa China Hong Kong India+ Indonesia Myanmar Philippines Russia Saudi Arabia+ Thailand UAE United Kingdom Vietnam +

Offices in the Rouse Group: Africa China Hong Kong India+ Indonesia Myanmar Philippines Russia Saudi Arabia+ Thailand UAE United Kingdom Vietnam + Offices in the Rouse Group: Africa China Hong Kong India+ Indonesia Myanmar Philippines Russia Saudi Arabia+ Thailand UAE United Kingdom Vietnam + Associated office info@rouse.com www.rouse.com Hong Kong

More information

Software Tax Characterization Helpdesk Quarterly June 2008

Software Tax Characterization Helpdesk Quarterly June 2008 & McKenzie Software Tax Characterization Helpdesk Quarterly June 2008 Characterizing foreign software revenues is a complex challenge for large and small software firms alike. Variations in the rules around

More information

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features Data Sheet Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features Introduction to Public Key Infrastructure Public Key Infrastructure (PKI) offers a scalable method of securing networks,

More information

The face of consistent global performance

The face of consistent global performance Building safety & security global simplified accounts The face of consistent global performance Delivering enterprise-wide safety and security solutions. With more than 500 offices worldwide Johnson Controls

More information

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU 10 April 2014 Monica Salgado Advogada registered with the Portuguese Ordem dos Advogados Registered European Lawyer with the SRA Kirsti Laird Solicitor, (qualified

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information

Report on Government Information Requests

Report on Government Information Requests Report on Government Information July 1 - December 31, 2014 apple Apple takes our commitment to protecting your data very seriously and we work incredibly hard to deliver the most secure hardware, software

More information

IP Trading Solutions

IP Trading Solutions In many mature financial organisations, middle-and back-office functions already collaborate via high-quality, well-integrated voice and video traffic. Their trading floors, on the other hand, still operate

More information

Cloud Readiness Workshop

Cloud Readiness Workshop Globalisation and economic pressures are changing the business landscape, increasing the pressure to expedite time-to-market with new products and services, while keeping costs down. In addition, for many

More information

Privacy & Data Security: The Future of the US-EU Safe Harbor

Privacy & Data Security: The Future of the US-EU Safe Harbor Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT

More information

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? 10 Juni 2013 Taylor Wessing - Essay Competition 2013 Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? by Katarina Kesselová, LLM. Introduction

More information

How To Get The Ifs Cloud On Microsoft Azure 2.5 On A Microsoft Cloud On A Cloud On An Ios 2.4.5 (Cloud) On A Server On A Supermicrosoft Cloud (Cloud On A Mini

How To Get The Ifs Cloud On Microsoft Azure 2.5 On A Microsoft Cloud On A Cloud On An Ios 2.4.5 (Cloud) On A Server On A Supermicrosoft Cloud (Cloud On A Mini IFS CLOUD ON MICROSOFT AZURE YOU RE ALWAYS READY TO POUNCE 2 IFS CLOUD ON MICROSOFT AZURE IFS CLOUD ON MICROSOFT AZURE 3 MAKE YOUR MOVE POISED FOR ANY OPPORTUNITY CLOUD AS YOU WANT IT It s a busy and fast-moving

More information

NORTHERN VIRGINIA. Hogan & Hartson LLP

NORTHERN VIRGINIA. Hogan & Hartson LLP NORTHERN VIRGINIA Hogan & Hartson LLP PRACTICE AREAS: Antitrust Business, Finance, and Tax Capital Markets Corporate and Securities Corporate Governance Estate Planning and Administration Government Contracts

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Managed Service for Visual Communications

Managed Service for Visual Communications Managed Service for Visual Communications Managed Service for Visual Communications Videoconferencing can have multiple benefits in your organisation. It can help your employees be more productive and

More information

Cloud Readiness Consulting Services

Cloud Readiness Consulting Services Cloud Readiness Consulting Services Globalisation and economic pressures are changing the business landscape, increasing the pressure to expedite time-to-market with new products and services, while keeping

More information

DEFINITIVE ADVICE PRACTICAL GUIDANCE POWERFUL ADVOCACY LLP

DEFINITIVE ADVICE PRACTICAL GUIDANCE POWERFUL ADVOCACY LLP European Funds Practice DEFINITIVE ADVICE PRACTICAL GUIDANCE POWERFUL ADVOCACY LLP European Funds Practice Dechert s international Financial Services Practice features an industry-leading group of experienced

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

Desktop Virtualisation Solutions. Adapting to a new reality in client computing

Desktop Virtualisation Solutions. Adapting to a new reality in client computing Desktop Virtualisation Solutions Adapting to a new reality in client computing Adapting to a new reality Businesses today are increasingly realising not only the inevitability of consumer-owned, mobile

More information

Private Cloud for Every Organization

Private Cloud for Every Organization white paper Private Cloud for Every Organization Leveraging the community cloud As more organizations today seek to gain benefit from the flexibility and scalability of cloud environments, many struggle

More information

The VAT & Invoicing Requirements Update March 2012

The VAT & Invoicing Requirements Update March 2012 The VAT & Invoicing Requirements Update March 2012 Indirect taxes are a massive potential expense. For buyers and sellers of goods and services, how invoices are prepared and processed can affect a company's

More information

Global Information Technology & Communications 2012. Global Privacy and Data Protection

Global Information Technology & Communications 2012. Global Privacy and Data Protection Global Information Technology & Communications 2012 Global Privacy and Data Protection Contents 1. Leading Global Privacy and Information Management Practice 2. Privacy and Data Protection 3. Sound and

More information

RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users

RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users August 19, 2012 Korean Communications Commission Via e-mail to: ycs@kcc.go.kr RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users Dear Director Yang:

More information

Viva la Cloud IAPP Privacy Academy 2013

Viva la Cloud IAPP Privacy Academy 2013 Viva la Cloud IAPP Privacy Academy 2013 Speaker Intros Chris Zoladz Founder Varun Badhwar VP of Product Strategy -2- Basic Premises for this Session Use of the cloud will continue to explode Security and

More information

COMMISSION STAFF WORKING DOCUMENT. Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe'

COMMISSION STAFF WORKING DOCUMENT. Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe' EUROPEAN COMMISSION Brussels, 2.7.2014 SWD(2014) 214 final COMMISSION STAFF WORKING DOCUMENT Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe' Accompanying

More information

Governance, Risk and Compliance Assessment

Governance, Risk and Compliance Assessment Governance, Risk and Compliance Assessment Information security is a pervasive business requirement and one that no organisation can afford to get wrong. If it s not handled properly, your business could

More information

The Keys to the Cloud: The Essentials of Cloud Contracting

The Keys to the Cloud: The Essentials of Cloud Contracting The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb

More information

Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns. Privacy and Information Management Practice / Washington, DC

Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns. Privacy and Information Management Practice / Washington, DC Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns Privacy and Information Management Practice / Washington, DC Disclaimer THIS PRESENTATION IS TO ASSIST IN A GENERAL

More information

Taking a Data-Centric Approach to Security in the Cloud

Taking a Data-Centric Approach to Security in the Cloud Taking a Data-Centric Approach to Security in the Cloud Bob West Chief Trust Officer CipherCloud 2014 CipherCloud All rights reserved 1 Taking a Data-Centric Approach to Cloud Data Protection Bob West

More information

Lawson Talent Management

Lawson Talent Management Lawson Talent Imagine Knowing: Which employees have the highest potential how to recruit more talent like them. Imagine Understanding: Which employees are a flight risk how your compensation plans could

More information

Managing your data processors: legal requirements and practical solutions

Managing your data processors: legal requirements and practical solutions Managing your data processors: legal requirements and practical solutions Peggy Eisenhauer Privacy & Information Management Services This article has been published in the August 2007 issue of BNAI s World

More information

Cloud Computing and HIPAA Privacy and Security

Cloud Computing and HIPAA Privacy and Security Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &

More information