Privacy and cloud computing
Protection of personal data in the cloud

E-mail lends itself well to being a cloud service. The advantage is that it can be more efficient and less costly, because the IT department no longer needs to set up and run its own mail server. Because the mail facility operates in a cloud, e-mails are now exchanged outside the company network. The data is processed via the Internet without the company knowing where it actually is. If that data is personal data, privacy aspects will have to be considered when contracting a cloud computing provider. Several obligations under the Dutch Data Protection Act (Wet bescherming persoonsgegevens), such as those relating to the transfer of personal data, will clearly need to be addressed. As a first step, clients and cloud computing providers must clarify their division of roles in the context of privacy and the obligations incumbent upon them as a consequence.

The Dutch Data Protection Act is based on the EU Privacy Directive 95/46. A draft proposal for an EU Privacy Regulation, intended in time to replace the 1995 Directive, was leaked towards the end of 2011. This article focuses primarily on existing Dutch privacy law, with the qualification that we may be seeing a very different landscape in two or three years' time.

Although interest in cloud computing is growing, many people still do not know what it is. Wikipedia defines cloud computing as a parallel computer system which distributes the software amongst multiple computers on the Internet. The "cloud" means the Internet, in combination with those parts and actions of the application that do not take place on the end user's own equipment. Cloud computing obviates the need for the user to have extensive knowledge or control of the technology he is using.
A distinction is often made in cloud computing between three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). With SaaS the applications themselves are offered as a service, whereas PaaS offers a platform for software development. The IaaS model offers the IT infrastructure of an organisation (servers, storage, networking) as a service. Another common sub-division, which also says something about how exposed the cloud is, concerns the deployment model. There are four: public, community, private and hybrid. Public and community cloud computing both entail outsourcing IT services to a cloud computing provider. The difference is that in a public cloud the provider's resources are shared with any other customer, whereas in a community cloud the infrastructure is dedicated to a specific group of organisations. Private cloud computing uses cloud technology within the organisation's own data centre. Finally, hybrid cloud computing is a composition of public, community and private clouds.

Van Doorne N.V. has its registered offices in Amsterdam and is registered with the Commercial Register under number 34199342. Van Doorne N.V. is the exclusive contracting party in respect of all commissioned work. This work and all legal relations with third parties shall be governed by the General Terms of Van Doorne N.V. and its subsidiaries, which include a limitation of liability. These Terms, which have been filed with the District Court at Amsterdam, may be consulted at www.vandoorne.com and will be forwarded upon request.
Personal data

Personal data will inevitably be processed in the cloud, irrespective of the cloud computing model. The Dutch Data Protection Act defines personal data as data that are traceable to a living natural person. They may be data that are directly traceable to a private person, for example their name, telephone number, address or e-mail address, but also data that are only traceable to an individual in conjunction with other data, such as gender or date of birth. Some data, such as medical data, are more sensitive, and the statutory regime for the processing of this "special" personal data is stricter than the regime for "ordinary" personal data. In principle, the processing of special personal data is prohibited unless a statutory exception can be invoked. For instance, hospitals are permitted to process medical data (in a cloud), but most other organisations will only be permitted to process these data with the express consent of the individual concerned.

Any action involving personal data, including collecting, recording, sorting, storing, amending, requesting, consulting, using or supplying personal data, is regarded as processing. Even the deletion or destruction of personal data is a processing operation. All of these operations are conceivable in cloud computing. The mere transmission of personal data, which can also occur in the cloud, does not constitute processing of personal data, and in such cases the privacy rules do not apply. Nor do the privacy rules apply to activities that are purely for personal or domestic purposes. However, European Court of Justice case law shows that this exception must be interpreted restrictively. For instance, it is accepted that placing personal data on a website does not fall under this exception, because the data have been made publicly accessible.
If data were placed in a cloud for personal purposes (for example a list of contacts) and were accessible by numerous individuals, it is unlikely that this exception could be invoked. In those circumstances, again, the privacy rules must be taken into account.

Role of the cloud computing provider

The most important privacy obligations are incumbent upon the data controller, i.e. the entity that determines the purposes and the means of the data processing. The data controller can outsource data processing to a data processor. Unlike the data controller, the data processor has no say over the purposes of the processing, but is contracted and instructed to carry out the processing on behalf of the data controller, without being under the controller's direct authority (as an employee would be). Assuming that cloud computing involves at least a client and a cloud computing provider, the roles would typically be divided as follows: the client is the data controller and the cloud computing provider is the data processor. After all, the cloud computing provider offers its services under contract to and on behalf of the client. Nevertheless, qualification of the cloud computing provider as (joint) controller cannot be ruled out. According to the February 2010 Opinion of the Article 29 Working Party, the EU advisory body on data protection, on the concepts of "controller" and "processor" (WP 169), what matters is how the parties process the data in practice. If the cloud computing provider also processes the data for its own purposes, it is no longer merely a data processor but also a data controller, and must then comply with the controller's obligations under the applicable privacy legislation.
If the cloud computing provider is a data processor, the client and the provider must have agreements in place on the processing, and more particularly the protection, of personal data. These agreements, also referred to as "processor agreements", may be part of the service contract or be included in a separate annex. In any event it must be agreed that the cloud computing provider, as the data processor, may only process the personal data as instructed by the client. In addition, there must be a contractual obligation upon the cloud computing provider to implement the security measures that the client itself is required to apply. The client will have to monitor compliance with these obligations, and it is recommended that the client expressly reserves the right to do so in the contract.
Security

From a privacy point of view, the security of personal data appears to be the most serious concern in cloud computing. For instance, it is quite conceivable that the system will be unavailable for a certain time, preventing access to essential personal data, with all the attendant consequences. An additional problem is that companies which process their data in the cloud have frequently stopped making their own backups of that data, so they are completely reliant on its availability in the cloud. Another feature of cloud computing is that the data may be at several locations, which makes monitoring of the processing more difficult. Security problems are more likely in the public cloud, because its infrastructure is shared with other customers and accessed over the public Internet. In a private cloud, the personal data remain within a private network and the cloud is not shared with other clients. In principle, therefore, organisations remain capable of monitoring the processing themselves in a private cloud, unlike in a public cloud.

In the Netherlands, the statutory framework for security requirements is article 13 of the Dutch Data Protection Act, the equivalent of article 17 of the EU Privacy Directive 95/46. The Dutch provision requires that appropriate technical and organisational measures are put in place to protect personal data against loss and against any form of unlawful processing. This raises the question of the scope of this security obligation in the case of cloud computing. Aspects to be considered are the state of the art, the cost of implementation, the risks represented by the processing and the nature of the data to be protected. These are open norms. The Dutch Data Protection Authority (College Bescherming Persoonsgegevens), which monitors compliance with the privacy rules, has defined a number of risk categories to give these norms further substance. A data controller which is contemplating transferring data to a cloud must first analyse the privacy risk.
This involves analysing the nature and extent of the data processing, who will be granted access to the data, the privacy risks envisaged and their potential consequences. The analysis is then used to establish the applicable risk category and, with it, the required level of protection. The more sensitive the data processed in the cloud, the higher the risk category. If, for example, the data are special personal data or personal data subject to an obligation of confidentiality, the processing is categorised as high risk. The current risk categories date from 2001. The Dutch Data Protection Authority has announced that new guidelines for the protection of personal data are being developed, but they have not yet been published. At the same time, the Authority has indicated its intention to tighten up its monitoring of data protection compliance. This is worth knowing, both for clients who use cloud computing and for cloud computing providers.

Obligation to notify data breaches

When data is processed in a cloud, there is an increased risk of leaks and, as a consequence, of infringements of privacy. Measures to protect personal data should therefore also take account of the envisaged introduction of a statutory obligation to notify data breaches. At present no statutory regulation in the Netherlands obliges organisations to report the loss of privacy-sensitive information (unlike in the United States or Germany, for example). A Bill has now been tabled to amend the Dutch Telecommunications Act, implementing (inter alia) the EU Citizens' Rights Directive 2009/136.
Essentially, the obligation to notify data breaches as currently proposed requires public electronic communications service providers to report immediately to the persons concerned and to OPTA (the Dutch telecommunications regulator) any breach of the security of personal data processed in the context of a public electronic communications service provided within the EU. The Citizens' Rights Directive should have been transposed into Dutch law by May 2011, but this deadline was not met; the Bill is currently before the Dutch Senate. The Bill proposes that, for the moment, the obligation to notify data breaches will apply only to providers of public telecommunications services. Given that leaks can occur in many other organisations, the value of such a limited obligation is questionable, which is why plans for a wide-ranging obligation to report are currently being developed in the Netherlands and in Europe. If these plans come to fruition, the obligation to notify data breaches will also apply to other organisations that process personal data, such as financial institutions, social networks, web shops, hospitals and public transport organisations. At European level this extension is not expected until the review of the EU Privacy Directive 95/46, which will probably be replaced by a regulation. The Dutch government did not want to wait for this: a preliminary Bill proposing the inclusion of a general obligation to notify data breaches in the Dutch Data Protection Act was published in December 2011.

Applied to cloud computing, this means the following. Assuming that a general obligation to notify data breaches is indeed introduced, the clients of cloud providers, as data controllers, will be obliged to inform both the data subjects involved and the relevant supervisory authority of any data breach that results in the unlawful acquisition of personal data from the cloud. It is particularly important in the context of cloud computing that clients depend on their cloud provider for this information, since it is the provider who knows the exact situation. It is therefore advisable for both parties to define in the service contract or processor agreement how and when the provider must notify the client of a breach.

International aspects

With cloud computing, data are normally stored in different locations, which may be in different countries. The Dutch Data Protection Act applies to personal data that are processed in the context of the activities of a data controller established in the Netherlands. The Act also applies if the data controller is established outside the EU and the data processing uses resources located in the Netherlands, such as servers, cookies, banners, search engines, social networks, cloud computing and/or outsourcing. In the latter case, the data controller established outside the EU must appoint a representative in the Netherlands, who is then regarded as the data controller. Bearing in mind the earlier observation that a cloud provider can also be a data controller, this adds an extra dimension to the already complex question of the applicability of the Dutch Data Protection Act. Here again, the ambiguity, and the resulting lack of certainty about which law applies, can be an obstacle to cloud computing. Furthermore, the question of applicability at national level would become of subordinate importance if an EU Privacy Regulation were indeed introduced. The aforementioned Opinion of the Article 29 Working Party states that data controllers are required to know where the data processing takes place.
A complication with cloud computing, however, is that clients will often be uncertain about the countries to which their data are transferred, and the data may well be transferred to countries outside the European Economic Area (EEA). As a rule of thumb, personal data may only be transferred to countries that offer an adequate level of protection. If a country does not offer an adequate level of protection, transfer is nevertheless permitted if a statutory exception can be invoked or if the Dutch Minister of Justice has issued a permit for the transfer. The following countries are deemed to offer an adequate level of protection: Argentina, Guernsey, Jersey, Switzerland, Canada, the Isle of Man, Israel, Andorra and the Faroe Islands (decisions on Uruguay, New Zealand and Australia were pending at the time of writing). The same applies to companies established in the United States that have committed themselves to the Safe Harbor principles. If the cloud computing provider is not established in one of these countries and is not a Safe Harbor-certified company in the United States, a statutory exception must be invoked or the client contracting the provider must apply for a permit.

The statutory exceptions do not really appear to offer a route for legitimising the transfer of personal data in the framework of cloud computing. Requesting the unambiguous consent of all data subjects involved (one of the statutory exceptions) will clearly pose practical difficulties. Not only is this a laborious alternative, but if a data subject refuses to give consent, his personal data may not be transferred to the third country at all; hence it is not a realistic option. Personal data may also be transferred if the client can demonstrate that the transfer is necessary for the performance of an agreement between the client and the data subject involved.
This may also be an agreement which is, or will be, concluded in the interests of the data subject between the client and a third party, for example the cloud computing provider. It may be possible to justify the transfer on the basis of this statutory exception in the case of cloud computing. If not, the client has no option but to apply for a permit, in which case the client must know the destination countries of the personal data which, as noted above, can be problematic in cloud computing. The permit is granted by the Dutch Minister of Justice; the application is submitted to the Dutch Data Protection Authority. The permit attaches further conditions which act as safeguards for the personal data concerned. The easiest way of demonstrating that these safeguards are in place is to use the model contracts (standard contractual clauses) approved by the European Commission. In 2010 a new model contract between the controller/data exporter and the processor/data importer was adopted. This contract would be concluded between the client and the cloud computing provider. However, this model contract was drafted for the situation in which the cloud computing provider is established outside the EEA, and it is therefore unclear whether it can also be used if the provider is established within the EEA but uses subcontractors established in a country outside the EEA that does not offer an adequate level of protection.
As follows from the above, it is not incumbent upon the cloud computing provider to ensure that the transfer by the client is legitimate; it is the client who must complete the necessary formalities. If the cloud computing provider wishes to take over these formalities from its clients, it can opt to apply for a "generic permit". The idea is that the client is the data controller for the data processing in the Netherlands, whereas the cloud computing provider is the data controller for the transfer of the personal data abroad. This allows the provider to relieve its clients of some of the administrative burden. However, the provider must then in principle know the destination countries of the data. The permit issue should become less controversial in future, given that a Bill has been tabled under which the permit requirement would no longer apply if the model contracts are used without amendment.

Another way of legitimising the transfer is to use Binding Corporate Rules (BCRs). Apart from the fact that obtaining approval for BCRs can be rather time-consuming, BCRs are currently only available for transfers within the data controller's own group. Because cloud computing involves providing the data to the cloud computing provider, as the data processor, BCRs are not (for the moment) a viable option. In light of the current text of the proposed EU Privacy Regulation, BCRs are expected to become increasingly important in the transfer of personal data.

In conclusion

The privacy issues surrounding cloud computing are not inconsiderable, particularly as regards the protection of personal data. Other obligations under the Dutch Data Protection Act, such as those relating to the transfer of personal data, will also clearly need to be examined.
In any event, the first step is for clients and cloud computing providers to clarify their division of roles in the context of privacy and the obligations that may be incumbent upon them as a consequence. If cloud computing is to be a successful venture for all concerned, we must keep our "head out of the clouds" and "both feet on the ground".

Van Doorne N.V.
Jachthavenweg 121, 1081 KM Amsterdam
Postbus 75265, 1070 AG Amsterdam, The Netherlands
t +31 (0)20 6789 123
f +31 (0)20 7954 589
info@vandoorne.com
www.vandoorne.com

For more information:
Dr. Elisabeth Thole
t +31 (0)20 6789 293
f +31 (0)20 7954 293
m +31 (0)61 1388 561
thole@vandoorne.com