MoFo Seminar Series
Data Protection London Masterclass: Privacy in the Cloud
London, 22 January 2013
MoFo Seminar. Data Protection Masterclass: Privacy in the Cloud

Table of Contents
Presentation ... 1
Speaker Biographies ... 2
About Morrison & Foerster ... 3
Selected Articles and Alerts ... 4
  Europe Offers Incentives to Cloud Computing Growth
  Privacy in the Cloud: A Legal Framework for Moving Personal Data to the Cloud

2013 Morrison & Foerster (UK) LLP. mofo.com
Tab 1: Presentation
Data Protection Masterclass: Privacy in the Cloud
Data Protection Master Class: Privacy in the Cloud
January 22, 2013
Presented by Christine Lyon and Karin Retzer
2013 Morrison & Foerster LLP. All Rights Reserved. mofo.com
This is MoFo.

WHAT IS CLOUD COMPUTING?
Internet-accessed outsourced computing, where a combination of infrastructure, software and data is stored and provided on an on-demand utility basis using massive data centers.
Offers easily provisioned, commoditized business technologies:
- Infrastructure as a Service
- Platform as a Service
- Software as a Service
Public vs. Private Clouds

PUBLIC
- On-demand, scalable resources are provided over the internet
- By a third-party provider who does not necessarily own the servers on which your data is stored
- Cloud infrastructure is generally made available to any customer
- Less customer control over data security, compliance and reliability
- Lower operational cost than a private cloud, since the provider has few restrictions
- Little flexibility, since the offering is highly standardized

PRIVATE
- On-demand, scalable resources are provided over the internet or private networks
- By a third-party provider who owns the servers on which your data is stored
- Further distinction between private clouds storing your data on shared/multi-tenant servers and on dedicated servers
- Allows customer control over data security, compliance and reliability
- Higher operational cost than a public cloud, since the provider has more restrictions
- Greater flexibility, since the solution is more easily customized

Three Pillars of Cloud Computing
- Infrastructure-as-a-Service (IaaS): basic IT resources, such as computing power, memory and storage, accessed over a network (typically the internet), usually with a subscription or per-usage pricing model
- Platform-as-a-Service (PaaS): web-based development tools and a platform for running those applications (typically running on IaaS; the applications themselves are SaaS)
- Software-as-a-Service (SaaS): a complete software-based solution delivered over the internet
The Cloud in Numbers
- $150 billion: Gartner's estimate of the size of the cloud market in 2013
- $6.9 billion: amount invested in cloud-based start-ups by VCs in 2011
- 14 million: estimated number of jobs in the global cloud computing industry in 2015
- 61%: percentage of UK businesses using the cloud in some form
- 70%: percentage of cloud non-adopters citing data privacy and security as their main concern

WHAT IS PERSONAL INFORMATION?
Information relating to identified or identifiable individuals, for example:
- Name
- E-mail address
- Work address
- Home address
- ID number
- Personnel data
- Activity records
- IP address (treated as personal data in the EU)
Covered individuals include:
- Employees
- Independent contractors/consultants
- Vendors
- Service providers
- Individuals at corporate customers, such as individuals using the hosted services
Privacy Laws in Europe
The 30 Member States of the European Economic Area, plus other European jurisdictions with data protection laws: Albania, Andorra, Armenia, Belarus, Bosnia & Herzegovina, Croatia, Faroe Islands, Georgia, Gibraltar, Guernsey, Isle of Man, Jersey, Macedonia, Moldova, Monaco, Montenegro, Russia, Serbia, Switzerland, San Marino, Turkey (pending), Ukraine

... and elsewhere
- North America: Canada, Mexico, United States
- Central & South America: Argentina, Brazil (pending), Bahamas, Chile, Colombia, Costa Rica, Ecuador (pending), Peru, Uruguay
- Middle East: Azerbaijan, Israel, Kyrgyzstan, Qatar (QFC), UAE (DIFC)
- Africa: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Mauritius, Morocco, Senegal, Seychelles, South Africa (pending), Tunisia
- Asia-Pacific: Australia, Hong Kong, India, Japan, Macau, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand (pending), Vietnam
Privacy vs. Security
- Privacy laws focus on the collection, use, and disclosure of personal information
- Security is the means by which we safeguard information against unauthorized acquisition, use, disclosure, alteration or destruction
- Security is necessary to maintain the privacy of personal information
- Separate issue: security of trade secrets, business data and other non-personal information

U.S. Privacy Compliance
- Sector-specific privacy laws (e.g., Gramm-Leach-Bliley Act, HIPAA)
- State data security laws require safeguards when using vendors
  - Massachusetts data security regulations are a high-profile example
  - But at least 10 other states also have data security laws
- State security breach notification laws in over 45 states
  - Typically cover name plus Social Security number, driver's license number, credit or debit card number or financial account number, or health information
  - Generally provide an exception for encrypted data (in many states, only if the encryption key was not compromised as well)
  - The notice obligation falls on the data owner, even if the breach occurs at a vendor
Does Regulated Data Belong in the Cloud?
- HIPAA: imposes special privacy and data security rules for covered entities and their business associates; requires Business Associate Agreements with vendors
- Gramm-Leach-Bliley Act: specialized privacy and data security requirements
- PCI: all systems (in-house and third-party) used to store and process payment card data must be PCI DSS compliant
There are often mixed messages about whether a cloud solution is HIPAA/PCI/GLBA compliant: marketing vs. legal.

Data Protection Compliance in the EU/EEA
EEA data protection laws cover all sectors and all types of personal information. Basic requirements:
- Notice
- Legal basis/consent
- Limitations on data retention
- Access and correction rights
- Security
- Data processing agreements with data processors
- Registration requirements in some countries
- Limitations on cross-border transfers outside the EU/EEA
Recent Developments
Data protection authorities (DPAs) are increasingly concerned about privacy and security in the cloud: Italy, France, WP29, Sweden, Germany, Ireland, EDPS, Denmark, United Kingdom, Netherlands.

WP29: Opinion on cloud computing
- Conduct a risk assessment before engaging a cloud provider, taking into account how cloud computing will be used, what data will be processed, the sensitivity of the data, and the safeguards that should be put in place.
- Identify the parties and their responsibilities: in most scenarios the cloud client is the data controller and the cloud provider the data processor. However, in some scenarios the cloud provider may act as a joint controller.
- Implement safeguards for sub-contracting: the provider should inform the customer about the use of sub-contractors and have individual contracts in place with its sub-contractors that reflect the contractual obligations it has with the customer.
WP29: Opinion on cloud computing (cont.)
- Notice: the customer should, as a matter of good practice, inform individuals about the use of cloud computing, as well as the providers, sub-contractors, and location of data processing.
- Contractual safeguards: contracts should include a number of safeguards:
  - Purpose limitation and a defined data retention schedule
  - Technical and organizational security measures
  - Access controls
  - Disclosure of data to third parties
  - Co-operation and audit
  - Details on cross-border transfer of data

Denmark: Refusal of Authorization
The DPA issued guidance that Google Apps and MS Office 365 did not provide sufficient protection:
- Risk assessment before moving data to the cloud and before engaging the provider (ENISA checklist, SAS 70 Type II certification)
- Cloud contract: the provider may only act upon instruction and in line with Danish security requirements
- General up-front consent for sub-processing is permissible, but the customer must know the actual place of storage
- Third-party audit is permissible if based on a "recognized standard"
- Encryption in transit between service centers and in storage at the provider's facilities
- Strong access controls (access restrictions, secure log-in, access logs)
France: CNIL Guidance
- Role of the parties: the cloud provider qualifies as a joint controller in standardized public PaaS and SaaS offerings where the customer is unable to give instructions or control the effectiveness of security
- Need for risk management: make a conscious decision about what data should go into what cloud
- Privacy Level Agreement (PLA): specific security standards, location of data, sub-contracting, compliance with specific requirements for specific data types
- Need for penalties and audit rights

Germany: Düsseldorfer Kreis Guidance
- The customer is the data controller because of its decision to use the cloud (or not), even where there is an imbalance of power
- The cloud contract must include the detail set forth in German law
- Need for explicit consent for sensitive data
United Kingdom: ICO Guidance
- Identify the role of the parties
- Be selective about the types of data moved to the cloud
- Be selective about the cloud service
- Be transparent
- Establish a written contract with the cloud provider
- Encrypt data in transit and provide adequate security
- Implement access controls
- Adequacy mechanism for cloud services outside the EU
- Guarantee access and correction rights

Cross-Border Issues for the Cloud
- Many countries limit transfers of personal information to other countries; this is not just an EU issue
- The European Union offers several options for cross-border transfers:
  - Safe Harbor program
  - Model contracts
  - Binding corporate rules
  - Consent
- Other jurisdictions offer fewer options (e.g., Korea, Australia, Argentina); individual consent may be the only permissible basis
- In comparison, some countries permit cross-border transfers but require you to ensure the information is still handled pursuant to their laws
- Obligations typically rest on the data controller
USA PATRIOT ACT
- Allows U.S. law enforcement to require the production of any electronically stored data relevant to an investigation:
  - The data may include personal data protected by EU laws
  - Access to data by local enforcement agencies is often exempt from data protection laws or is justified; there is no such exemption for access by foreign agencies
  - The draft Regulation is silent on the issue; the draft LIBE report requires DPA authorization and notice to individuals
- A production order may prohibit disclosure, so the cloud provider cannot tell anyone, including its customer. The customer can then neither challenge the order nor comply with its own privacy obligations
- Many countries have laws allowing law enforcement access; this issue is not unique to the U.S. However, the PATRIOT Act has received the most attention

USA PATRIOT ACT (cont.)
- France: contractual requirement for the provider to notify the customer of any request by a foreign administrative or judicial authority.
- Germany: access by foreign authorities must comply with German law. The contract should require notice of any such requests unless prohibited under criminal law, and prohibit any non-mandatory sharing.
- UK: very pragmatic. ICO action would not be appropriate against the customer provided the customer took appropriate steps to ensure data protection, nor against the provider if the disclosure was legally required in response to the specific request.
- Netherlands/Norway: DPAs prohibited government departments from using U.S. cloud providers due to risks under the PATRIOT Act.
Who is Responsible for Privacy Law Compliance?
General principles:
- Data controllers are primarily responsible for compliance with data protection laws:
  - Due diligence
  - Notice and consent (where applicable)
  - Handling access and correction requests
  - Implementing mechanisms for cross-border transfers
  - Imposing contractual obligations on data processors
- Data processors are governed by the contractual obligations imposed by the controller, but there are proposals to change this

Controller or Processor?
- DATA CONTROLLER: a person or entity that (either alone or jointly with others) decides how and why personal information is processed
- DATA PROCESSOR: a person or entity that processes personal information on behalf of a controller
- JOINT CONTROLLERS: two or more parties each acting as a controller with respect to personal information
Controller/Processor Tensions
- The cloud provider usually asserts that it is merely a data processor, to try to minimize its direct privacy law obligations
- Yet cloud providers often handle matters traditionally viewed as data controller functions
- Be alert to processor/controller issues in drafting

Negotiating Cloud Privacy Terms
Major areas of debate and negotiation include:
- Cross-border data transfers
- Use of vendors
- Audit and oversight
- Data security
- Breach response
- Data retention
Issue 1: Cross-Border Data Transfers
CUSTOMER
- Geographic limitations
- Notice/consent for cross-border transfers
- Contractual provisions: Safe Harbor onward transfer, EU model clauses, BCR clauses, other country-specific clauses
PROVIDER
- Multi-tenant structure limits customization
- Commodity approach
- Difficulties of passing through contractual obligations to vendors

Issue 2: Use of Vendors
CUSTOMER
- Identification of vendors and their location
- Consent to share hosted data with vendors
- Passing through the contractual obligations imposed on the provider
PROVIDER
- Unlimited use of vendors and subcontractors, without notice
- Comparable privacy and security obligations for vendors
Issue 3: Audit and Oversight
CUSTOMER
- Data protection laws require oversight
- Data protection authorities (DPAs) expect the customer to have audit rights
- The customer expects cooperation if it is audited by a DPA
PROVIDER
- Difficulty of allowing audits in a multi-tenant environment
- Audit of records vs. facilities
- Cost factors
- Proposed reliance on third-party audits and certifications

Issue 4: Data Security
CUSTOMER
- Heightened obligations for Personal Information
- Security measures at least as stringent as the customer's own
- Industry-standard technical, physical and administrative measures
PROVIDER
- No differentiation of Personal Information
- Standardized security protocols
- "Reasonable" or "commercially reasonable" measures
Issue 5: Security Breach
CUSTOMER
- Immediate notice of actual or suspected breach
- Notice to the customer first
- Provision of notices and credit monitoring services upon request
- Indemnification rights
PROVIDER
- Prompt notice of actual breach only
- Ability to notify law enforcement first
- Assistance only if the breach results from the provider's own acts or omissions
- Liability caps

Issue 6: Data Retention
CUSTOMER
- Mandatory data preservation for the transition period
- Return/deletion of Personal Information upon request
PROVIDER
- Lesser standard of not intentionally deleting data
- Cost issues for data preservation and transition
- Overwriting data over an unspecified period of time
Further Reading
- WP29 Guidance Paper: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
- Denmark Decision: http://www.datatilsynet.dk/english/processing-of-sensitive-personal-data-in-a-cloud-solution/
- France Guidance: http://www.cnil.fr/fileadmin/documents/en/recommendations_for_companies_planning_to_use_cloud_computing_services.pdf
- Germany Guidance: http://www.bfdi.bund.de/shareddocs/publikationen/entschliessungssammlung/duesseldorferkreis/23112011cloudcomputing.html?nn=409242
- United Kingdom Guidance: http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/data_protection/practical_application/cloud_computing_guidance_for_organisations.ashx
- ENISA Checklist: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment (Risk Assessment); http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework (Information Assurance Framework)

More Information
Christine Lyon, clyon@mofo.com
Karin Retzer, kretzer@mofo.com
Alistair Maughan, amaughan@mofo.com
Save the Date
Clouds Across Europe: Review of Cloud Computing Issues
Wednesday 27 February 2013, Noon to 1:30pm GMT (1pm to 3pm CET)
Webinar only. Registration details: kburgess@mofo.com
Tab 2: Speaker Biographies
Data Protection Masterclass: Privacy in the Cloud
Attorney Bio: Alistair Maughan
Partner, London
+44 20 7920 4066
amaughan@mofo.com

Alistair Maughan is a partner in the firm's London office. He is co-chair of the Technology Transactions Group and a member of the Global Sourcing Group. Mr. Maughan focuses on outsourcing and technology-based projects for major companies and public sector organizations. His primary areas of expertise include advising on outsourcing transactions (both IT and business process-driven, and both on-shore and offshore); negotiating contracts for the supply and acquisition of technology equipment, services and software; advising on data security and data privacy; advising on issues and contracts related to e-commerce; counseling public bodies on procurement policy and procedures; and drafting, negotiating and advising on all types of technology contracts and issues.

Mr. Maughan's recent transactions include advising Her Majesty's Revenue & Customs on Europe's largest "second generation" outsourcing; advising the UK police on its national fingerprint identification system and its project for the delivery and operation of the national UK emergency mobile radio network; advising the world's largest insurance broker on offshore outsourcing; and other transactions on behalf of banks, global pharmaceutical companies and major professional services firms.

Mr. Maughan is a highly regarded commercial lawyer with recommendations in Legal 500, Chambers Global and Chambers UK, leading independent guides to the legal profession. Chambers UK awards Mr. Maughan the top ranking for both Outsourcing and Information Technology, commenting that he "brings common sense to the negotiating table". Other guides note that Mr. Maughan is "the best outsourcing lawyer ever when it comes to acting for the customer end of the market" and "absolutely excellent when it comes to advising customers on public sector projects". He is also named in the 2009 UK edition of Best Lawyers.

Mr. Maughan has a law degree from Leicester University, and qualified as a solicitor in 1987. He has practiced law on both sides of the Atlantic and is also admitted to the New York Bar.
Attorney Bio: Karin Retzer
Partner, Brussels
+32 2 340 7364
kretzer@mofo.com

Karin Retzer's practice focuses on the legal aspects of data protection and security, direct marketing, and electronic commerce. Ms. Retzer assists clients with privacy and data security compliance and risk management, involving both national and international multi-jurisdictional dimensions. She advises on questions regarding data transfers, the handling of information in shared service centers and sourcing transactions, e-discovery, breach notification, and the use of email and the Internet in the workplace. She has drafted privacy policies and guidelines, notices, agreements for data list management, and data transfer and processing contracts for dozens of multinational clients. She also assists clients in their dealings with data protection authorities, developing appropriate responses to requests for information and complaints, and provides legislative and policy advice to clients.

Ms. Retzer has particular expertise with regard to the implications of legislative restrictions for online tracking, analytics, and personalization of Internet content, behavioral advertising, and direct marketing communications. She regularly advises clients on the use of location data gathered through smart phones and location-based services.

In addition, Ms. Retzer advises clients on issues relating to electronic commerce, such as online terms of use, the requirements for online contracts, disclosure obligations, liability for website content, and the legal aspects of online auction sites. She has developed template agreements and negotiated complex commercial agreements for many clients, counseling them not only with respect to legal ramifications, but also taking into account applicable business and technical considerations.

Her work spans a wide range of industry sectors. Clients include internationally renowned consumer product companies, financial services organizations, technology and telecommunications providers as well as clients in the advertising, hospitality, media and entertainment, healthcare, pharmaceutical, and retail industries.

Prior to joining Morrison & Foerster, Ms. Retzer worked in Paris at the European headquarters of Sterling Commerce, a U.S. supplier of e-commerce products. From 1997 to 1998, Ms. Retzer worked at the European Commission, where she was involved mainly with examining and monitoring Member States' implementation of European Community directives.

Ms. Retzer regularly writes for a wide variety of publications and is a contributing author in the publication Employee Privacy: Guide to US and International Law. She is a member of the Munich bar and the Brussels EU bar, after studies in Regensburg (Germany), Utrecht (The Netherlands), and Munich (Germany). Ms. Retzer is fluent in German, English, and French and has a working knowledge of Dutch. She is a member of the International Association of Privacy Professionals, the German Association for Data Protection and Data Security, the Licensing Executives Society, and the Association for Industrial Property and Copyright Law.

Education
University of Regensburg Law School (J.D., 1995)
University of Regensburg (B.A., 1995)
Attorney Bio: Christine E. Lyon
Partner, Palo Alto
(650) 813-5770
clyon@mofo.com

Christine Lyon's practice focuses on privacy and employment law. Ms. Lyon assists clients in developing global strategies to comply with laws regulating the collection, use, disclosure, and transfer of personal information about their customers and employees. She also advises clients about privacy issues in cloud computing and outsourcing arrangements, security breach notification requirements, laws regulating the use of personal data for direct marketing purposes, and workplace privacy issues.

Ms. Lyon counsels clients regarding all aspects of employment law, including compliance with California and federal employment laws, investigations of workplace complaints, and reductions in force. She regularly assists clients with multinational employment issues related to mergers and acquisitions, outsourcing transactions, and corporate restructuring.

Legal 500 US 2012 recommends Ms. Lyon as a "rising star" who "returns high-quality work very promptly". She frequently writes and speaks on the topics of global data protection laws, workplace privacy issues, and data security laws. She is a co-editor of Global Employee Privacy and Data Security Law, Second Edition (BNA Books, 2011). Ms. Lyon is a member of the editorial board of the World Data Protection Report. She is also a member of the International Association of Privacy Professionals and serves on its Education Advisory Board.

Education
University of Iowa (B.A., 1996)
Stanford Law School (J.D., 1999)
Tab 3: About Morrison & Foerster
Data Protection Masterclass: Privacy in the Cloud
Firm Overview

Morrison & Foerster is an international firm with more than 1,000 lawyers across 16 offices in the U.S., Europe, and Asia. Founded in 1883, we remain dedicated to providing our clients, which include some of the largest financial institutions, Fortune 100 companies, and technology and life science companies, with unequalled service.

Among the top 10 firms nationwide based on number of first-tier national rankings. Top-tier national rankings include, among others: Antitrust; Banking & Finance; Capital Markets; Commercial Litigation; Corporate/M+A; IP & Patent Litigation; Employment Law; Energy; Environmental; Financial Services Regulation; Securitisation/Structured Finance; Tax; Technology; Venture Capital.

Global Excellence in Law
Our clients rely on us for innovative and business-minded solutions. Therefore, we stress intellectual agility as a hallmark of our approach to client representation. We apply it to every matter, from the complex to the routine, to ensure the best outcomes for our clients and deliver success. We believe that great client service requires insight, expertise, speed, and integrity. Our attorneys share high standards, a commitment to excellence, and a passion for helping their clients succeed. This commitment to serving client needs has resulted in enduring relationships and a record of high achievement. In addition, our culture of genuine collegiality creates a work environment ideally suited to collaboration and effective teamwork, which ultimately translates into organisational stability, winning results, and more positive experiences for clients.

We enjoy tremendous practice, geographic, and client diversification, attributes that have allowed us to prosper in these challenging times. Our practice is balanced, with more than 500 business attorneys and nearly 500 litigators.
Offices in key financial and technology centres around the world provide us with global reach and geographic diversity: Beijing, Brussels, Denver, Hong Kong, London, Los Angeles, New York, Northern Virginia, Palo Alto, Sacramento, San Diego, San Francisco, Shanghai, Singapore, Tokyo, and Washington, D.C.

We are frequently recognised for our long-standing commitment to pro bono work and diversity. Our outstanding client work has earned broad recognition from well-known national and international organisations.
We provide global reach in the world's key markets:
- MOFO EUROPE: Brussels, London
- MOFO USA: New York, San Francisco, Los Angeles, Palo Alto, San Diego, Washington, D.C., Northern Virginia, Denver, Sacramento
- MOFO ASIA: Beijing, Hong Kong, Shanghai, Singapore, Tokyo

Exceptional International Platform
Over the past three decades, Morrison & Foerster has invested significant effort and capital toward developing a world-class international practice, leaving us well-positioned to serve clients across the rapidly expanding global economy. Our international service platform spans expertise in M&A, securities, finance and trade, and dispute resolution, and includes complex global tax structuring, counsel on foreign workforces, the navigation of regulatory bottlenecks in multiple jurisdictions, and antitrust, environmental, and litigation risk analyses throughout the world, among other capabilities.

We enjoy unrivalled reach around the Pacific Rim, with nearly 200 lawyers in Asia teamed with more than 500 lawyers in California. We are the largest U.S. law firm in Japan, with more than 120 attorneys in Tokyo, including nearly 50 bengoshi admitted to practice in Japan. With our partners, Ito & Mitomi, we are widely recognised as having Japan's leading corporate practice. Our nearly 30-year presence in China has produced a strong platform of more than 70 multilingual U.S.-, PRC-, and/or Hong Kong-qualified professionals. With an established presence in the UK for 30 years, we have nearly 60 lawyers qualified in the UK who offer expertise across all major disciplines.
Practice Group Description: Privacy + Data Security

PARTNER
Karin Retzer
Boulevard Louis Schmidt 29, 1040 Brussels, Belgium
+32 2 340 7364
kretzer@mofo.com

"Clients value our extensive network of attorneys around the world since privacy legal issues are becoming more global every day." - Legal 500 US

EUROPEAN DATA PROTECTION
We help our clients navigate Europe's complex patchwork of data protection laws at the EU and individual country level, providing advice on international data transfers and processing of personal data in the employment context and online. We bring years of experience to the complex jurisdictional issues encountered by multinational companies operating in Europe and work with our long-established network of privacy experts to provide in-depth, tailored advice. In particular, we provide advice on the implementation of EU laws in the individual EU Member States, and provide our clients with regular updates, analysis, and practical compliance solutions.

Our privacy group consults and negotiates extensively with European data protection authorities, such as the French Commission Nationale de l'Informatique et des Libertés, the various German Länder Data Protection Commissioners and the UK Information Commissioner's Office, as well as the European Commission. Our work handling both compliance and advocacy projects gives us an advantage. We are able to translate and clarify high-level policy guidance into concrete compliance actions and, at the same time, use our practical compliance experience to advise government policymakers on how to craft policy in ways that can be translated into sensible compliance actions.

Recent Representative Engagements

Consumer Products Company. We provided advice on global whistleblowing hotlines and codes of conduct, including registration obligations across the EU. We also drafted appropriate communications with employees, internal protocols and procedures, and crafted language to include in contracts with service providers.
Several Clients: Implementation of the ePrivacy Directive. We have assisted a number of clients in comprehensively tracking and analyzing implementation of the EU ePrivacy Directive in all 30 EEA Member States. The ePrivacy Directive introduced new requirements for data security breach notification, spam and electronic marketing, and the use of cookies and online tracking technologies. We provided and continue to provide our clients with practical advice on how to deal with these legal changes cost-effectively across the jurisdictions.

Multinational Pharmaceuticals Company. We advised our client on the choice, adoption, and implementation of Binding Corporate Rules as the global cross-border data handling strategy. We drafted the BCRs and the inter-affiliate agreement, and provided comprehensive assistance and advice
including preparing presentations to management, drafting communications, and establishing standard operating procedures and complaint handling procedures.

Global Health Care Company. We advised on the adoption and implementation of a global framework agreement. We advised on the approach to consultations with works councils, drafted communications to management, human resources, sales, marketing and clinical research departments, conducted training for the procurement and legal functions globally, and prepared employee notice and consent forms. We also advised on and handled registration requirements in all EEA countries and relevant Latin American countries, and handled all aspects of data transfer authorizations with regulatory authorities.
PRACTICE GROUP CHAIR
Miriam H. Wugmeister
1290 Avenue of the Americas, New York, NY 10104-0050
(212) 506-7213
mwugmeister@mofo.com

Recommended as "excellent in all respects." - Legal 500 US

Morrison & Foerster has a world-class privacy and information security practice that is cross-disciplinary and spans our global offices. With more than 60 lawyers actively counseling, litigating, and representing clients before regulators around the world on privacy and security of information issues, we have been recognized by Chambers and Legal 500 as having one of the best domestic and global practices in this area. We were winner of Chambers USA's award for excellence in the field of Privacy and Data Security 2008. Chambers Global ranks the practice Tier 1 in its Data Protection: Global category. Clients have commented that our group is "very responsive, with a knowledge of the area that is second to none" (Chambers Global) and "the best at giving practical advice by applying the law to the situation at issue" (US Legal 500).

Our practical and straightforward approach has made us the privacy counsel of choice for some of the world's largest and best known corporations, as well as a host of smaller organizations. Our skills are particularly valued by companies that operate in highly regulated sectors (such as financial services, healthcare, and pharmaceuticals), those with an online presence, and those operating internationally. Such organizations face multiple layers of regulation and appreciate the timely, knowledgeable, and realistic advice our attorneys are trained to provide. We take a big-picture view of how organizations handle information during its life cycle and help our clients find realistic solutions to seemingly complex problems.

We Advise On:
- Data protection and privacy policies, procedures, and training
- Data security standards and information handling
- Security breaches
- Regulatory investigations
- Litigation
- Cross-border data transfers
- Employee monitoring
- Compliance audits
- Commercial transactions
- Direct marketing
- E-discovery and disclosure issues in litigation
"The work quality is exceptional, they are incredibly responsive, and they know about all the hottest issues in data privacy." - Chambers Global
A factor driving data protection regulation in recent years has been the changing nature of technology, including issues such as the increased emphasis on technological means to secure data, how we use social media, and the adoption of cloud computing. Our data protection and privacy lawyers are at home with technological innovation as well as with complex regulation. Because of our comfort with technology, we are at ease speaking with the general counsel, the chief privacy officer or the chief information officer regarding technical and nontechnical issues relating to privacy and data security. What truly distinguishes us is our practical approach to our work. In relation to all areas of privacy law, we believe that it is our job to assist clients in finding innovative and realistic solutions that balance compliance with the law and the commercial realities of running their businesses. We work with our clients to find solutions for managing business operations in light of the complex matrix of privacy laws and regulations.
Resources
We offer important resources to support our clients in their privacy compliance and data security efforts.
Legal Resources: The privacy team writes extensively on privacy and data security matters, including two treatises, Global Employee Privacy and Data Security Law, setting out the U.S. and international legal landscape related to workplace privacy and data security, and The Law of Financial Privacy, covering the Fair Credit Reporting Act, Financial Privacy Act, Bank Secrecy Act, and Internal Revenue Code requirements, including discussions of state financial privacy laws, use of technology, and use and protection of confidential information.
Privacy Library: Our Privacy Library (www.mofoprivacy.com) is an online resource which provides links to privacy laws, regulations, reports, multilateral agreements, and government authorities of more than 90 countries around the world, including the United States. The Privacy Library is the most comprehensive collection of privacy laws and regulations ever assembled, the result of years of research and experience working with clients around the world.
MoFoNotes: Morrison & Foerster provides content to Nymity (www.nymity.com) for its MoFoNotes product, a subscription-based database that helps organizations determine local compliance requirements in jurisdictions around the world, spot potential compliance issues, and simplify the development of global privacy approaches.
Tab 4 Selected Articles and Alerts Data Protection Masterclass: Privacy in the Cloud
Client Alert. 6 November 2012
Europe Offers Incentives to Cloud Computing Growth
By Alistair Maughan
The European Commission has issued a Communication setting out a road map for the future growth of cloud computing in Europe. The Communication is a strange mix: in parts, an extended advert for the benefits of a digital single market in the EU, and a narrative on the benefits of cloud computing. But the most interesting aspect of the Communication is the regulatory agenda that the Commission proposes in order to unleash the potential of cloud computing in Europe. Sceptical observers may question whether the proposed package of extra regulation, certification and contractual limitations is more likely to slow down, not speed up, the implementation of cloud computing across Europe. Until now, most industry observers have viewed the European Union less as a facilitator and more as a barrier to the adoption of cloud computing, because the ubiquity of cloud computing services is threatened by the requirement for compliance with the EU data transfer regulations. In this Communication, the Commission claims that it is seeking to unleash the potential of cloud computing in Europe. It remains to be seen whether the laudable aims espoused by the Commission are followed up in practice, and whether the fast-growing cloud-based sector of the information and communications technology (ICT) industry welcomes the Commission's proposals.
CLOUD COMPUTING: AN OVERVIEW
Cloud computing is an ICT delivery model where ICT services are provided to users from remote servers and facilities over the Internet rather than through owned or leased IT servers and platforms. Cloud-based technology offers important benefits to users, including the chance for significant cost savings and operational efficiencies; flexibility in deployment; ready access to information systems, applications and data; better back-up services; and faster and more responsive upgrade functionality.
Through cloud computing services, users have the ability to outsource all or part of their ICT hardware architecture (infrastructure as a service, or IaaS), operating systems and platforms (platform as a service, or PaaS), or software applications (software as a service, or SaaS) as they choose. Clouds can be private, where the services are operated solely for one organisation (or a small group of organisations, which some refer to as community clouds), typically on a dedicated or partitioned platform; public, where the services are shared by numerous customers, and typically operated on a shared platform; or hybrid, which entails a combination of private and public cloud services. A cloud set-up consists of layers: hardware; middleware or platform; and application software. Some element of standardisation is important in a cloud environment, especially at the middle layer, because it enables developers to address a wide range of potential customers, and gives users choice. In general, users of cloud services trade off customisation for commoditisation, and must be aware of the implications that remote services provided on standard supplier terms might have on their organisation. The financial benefits of adopting cloud-based services can be significant, although it's important for organisations also to factor in the impact of extra risks that might arise as a result of a wholly or partly cloud-based ICT solution.
1 2012 Morrison & Foerster LLP mofo.com Attorney Advertising
THE COMMUNICATION
The Commission highlights the potential benefits that cloud computing could bring to Europe. It believes that, if properly implemented across Europe, the Commission's proposals could bring an additional €45 billion of direct spend on cloud computing services in the EU by 2020, as well as the creation of an extra 3.8 million jobs. The Commission recognises that many of its proposed actions are designed to address the perception that cloud computing brings additional risks. So for example, it proposes actions aimed at providing more clarity and knowledge about the applicable legal framework; making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification); and developing the relevant legal framework further (e.g. through a forthcoming legislative initiative on cybersecurity). The Communication goes to some lengths to describe the benefits of cloud computing on the European economy. To organisations that have already adopted cloud computing, these benefits are well rehearsed (see separate box).
Key Benefits of Cloud Computing
Hardware is owned by the cloud computing provider, not by the user (who interacts with it via the internet)
The use of hardware is dynamically optimised across a network of computers, so that the exact location of data, processes or hardware in use is invisible to the user (although that invisibility can have legal and compliance consequences)
Cloud providers can move their users' workloads around (e.g. from one computer to another or from one data centre to another) to optimise the use of available hardware
The remote hardware stores and processes data and makes it available, e.g. through applications (so that a company could use its cloud-based computing in the same way consumers already today use their webmail accounts)
Users can access their content and use their software when and where they need it, e.g. on desktop computers, laptops, tablets and smartphones
Users normally pay by usage, avoiding the large up-front and fixed costs necessary to set up and operate sophisticated computing equipment
Users can very easily modify the amount of hardware that they use (e.g. bring new storage capacity online in a matter of seconds with a few mouse clicks)
The Communication is part of the Commission's overall digital agenda, under which the Commission targets setting up a digital single market. Under this digital agenda, the Commission has set itself the objective of simplifying copyright clearance, management and cross-border licensing, and thereby enhancing Europe's capacity to exploit new digital opportunities (such as cloud computing) for both producers and consumers of digital content. In an interesting piece of self-analysis, the Commission acknowledges that data protection barriers emerged from its consultation exercise as a key area of concern that could impede the adoption of cloud computing. Those barriers are largely of the EU's own making.
In particular, the Commission recognises that the existence of 27 partly diverging national legal frameworks around data protection and the issue of restrictions on sending personal data outside the European Economic Area creates problems in constructing cost-effective cloud solutions in a fully integrated pan-European manner. The Commission also acknowledges that, given the global scope of cloud computing, it is important to try to clarify how international data transfers should be regulated. The Commission believes that these concerns have been addressed by the proposal of a strong uniform legal framework providing legal certainty as well as data protection (issued by the Commission on 25 January 2012; see previous MoFo Alert). That proposed regulation addresses issues raised by the cloud and also clarifies the important question of applicable law by ensuring that a single set of rules would apply directly and uniformly across all 27 Member States. The Commission notes that the importance of data protection concerns as a main barrier to cloud computing take-up underscores how important it is that the EU works swiftly toward the adoption of the proposed regulation as soon as possible in 2013. The Commission has also analysed the issues that cloud computing raises in the context of the European market. It stresses three issues in particular: fragmentation of the market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location. In particular, the Commission highlights the complexities of managing services and usage patterns that span multiple jurisdictions, and the difficulty of achieving a common position in areas such as data privacy, contracts and consumer protection; problems with contracts. The Commission highlights worries over data access and portability; change control and ownership of data managed in the cloud; concerns over how liability for service failures such as downtime or loss of data would be compensated; ownership of data created in cloud applications; and the resolution of disputes; and standards. The Commission highlights a "jungle of standards" that generates confusion and suggests a lack of certainty as to which standards provide adequate levels of interoperability of data formats, or permit appropriate data portability. Although the Commission does not foresee the building of a European supercloud (i.e.
the creation of a dedicated hardware infrastructure that would provide generic cloud computing services to public sector users across Europe), one of its aims is to ensure publicly-available cloud offerings that meet European standards in regulatory terms and which offer the benefits of being competitive, open and secure. Clearly, the Commission recognises that this does not preclude public bodies from setting up dedicated private clouds for the treatment of sensitive data. So far, a number of European countries, the UK in particular (which has launched the G-Cloud service), are setting up their own national cloud platforms for the benefit of government departments locally.
SPECIFIC EU ACTIONS ON CLOUD COMPUTING
The Commission believes that there is a need for a series of confidence-building steps to create trust in cloud solutions. This starts with the identification of appropriate standards that can be certified in order to allow public or private buyers of cloud services to be confident that providers have met their compliance obligations and that those buyers are getting an appropriate solution to meet their needs. The Commission believes that these standards and certificates can, in turn, be referenced in contracts for cloud services so that providers and buyers feel confident that the contract is fair. To deliver on its goals, the Commission plans to launch three cloud-specific actions.
Key Action 1: Cutting Through the Jungle of Standards
The Commission believes that a wider use of standards (and certification of cloud services to show that they meet these standards) will help to accelerate the rate of adoption of cloud solutions in Europe. Currently, individual cloud providers have an incentive to fight for dominance by locking in their customers, inhibiting standardised industry-wide approaches. The Commission believes that cloud computing is likely to develop in a way that
lacks interoperability, data portability and reversibility, which are all crucial for the avoidance of lock-in. The Commission believes that standards in the cloud will affect stakeholders beyond the ICT industry, in particular small and medium-sized enterprises (SMEs), public sector users and consumers. Such users are rarely able to evaluate competing cloud providers' claims, the interoperability of clouds and the ease with which data can be moved. It believes that independent, trusted certification is needed. The Commission notes that, in some places, standardisation and certification of cloud solutions is already taking place. The U.S. National Institute of Standards and Technology has published a series of documents, including a widely-accepted set of definitions. It believes that the priority now should be to deploy existing standards and develop competence in cloud solutions. As a result, the Commission has asked the European Telecommunications Standards Institute (ETSI) to produce (by the end of 2013) a road-map of the standards necessary for security, interoperability, data portability and reversibility in the cloud. It also plans to facilitate EU-wide voluntary certification schemes covering cloud-based services, and agree industry-wide metrics for key environmental measures such as energy and water consumption, and carbon emissions of cloud services.
Key Action 2: Promoting Safe and Fair Contracts
The Commission notes that, traditionally, IT outsourcing agreements have been negotiated and described in detail upfront. However, cloud computing contracts tend to be done on the basis of a framework in which the user has access to scalable and flexible IT capabilities but with much less room for negotiation of the applicable contract terms, with the result that cloud contracts tend to be imbalanced in favour of the cloud provider.
The Commission believes that the use of "take it or leave it" standard contracts might well be beneficial in cost terms for consumers, but it is often undesirable for them. Such contracts may also impose an inappropriate choice of applicable law or inhibit data recovery. Even larger companies have little negotiation power, and contracts often don't provide coverage on key issues such as liability for data integrity, confidentiality or service continuity. The Commission believes that the development of model terms for cloud computing and service-level agreements is one of the most important issues that arose during its consultation process. At one level, the Commission has already launched a proposal to implement a standard EU-wide regulation on a Common European Sales Law, which could address many of the obstacles stemming from diverging national sales law rules by providing contractual parties with a uniform set of rules. The Commission plans to set up a task force to identify (before the end of 2013) safe and fair contract terms and conditions for cloud consumers and small firms. The Commission would like to go further and develop model terms for cloud computing service-level agreements for contracts between cloud providers and larger corporate buyers. With respect to data privacy, the Commission plans to facilitate Europe's participation in the global growth of cloud computing by reviewing the standard contractual clauses applicable to the transfer of personal data to third countries and adapting them, as needed, to cloud services; and by calling upon national data protection authorities to approve binding corporate rules for cloud providers.
The Commission also wants to work with industry to agree a code of conduct for cloud computing providers to support a uniform application of data protection rules, which may be submitted to the Article 29 Working Party for endorsement in order to ensure legal certainty and coherence between the code of conduct and EU law.
Key Action 3: Promoting Public Sector Leadership
The Commission believes that governments and the wider public sector across Europe have a strong role to play in shaping the cloud computing market. The public sector is the EU's largest buyer of IT services, and can set stringent requirements for the features, performance, security and interoperability of cloud services. Currently, the public sector market is fragmented and its requirements have little impact. The Commission believes that pooling public requirements could bring greater efficiency and common requirements, which would reduce costs. Accordingly, the Commission is setting up a European Cloud Partnership (ECP) to provide an umbrella for comparable initiatives at Member State level. These include the G-Cloud in the UK, Andromede in France and Trusted Cloud in Germany. The ECP will bring together industry expertise and public sector users to work on common procurement requirements for cloud computing in an open and transparent way. The ECP is not targeted at creating physical cloud computing infrastructure. Rather, the aim is for the ECP to involve participating Member States in order to ensure consistency and avoid fragmentation, and ensure that public cloud usage is interoperable as well as safe, secure and in line with European rules on issues such as data protection and security.
VIEW FROM THE ICT INDUSTRY
The ICT industry's reception of the Communication has been distinctly low key. It comes as no surprise to many that the Commission thinks that the answer to the adoption of cloud computing is more regulation and certification rather than less.
Equally, few outside Brussels believe that implementation of the [EU's] Digital Agenda proposals is "the essential first step towards making Europe cloud-friendly". Sceptics point out that the best way to create trust in cloud solutions (which the Commission professes as an aim) is for the Commission to keep out of the way and let the market flourish free of regulation. Most companies involved in the roll-out of cloud services consider that the cloud sector is growing nicely and, but for the complication caused by EU-originated data privacy laws over where personal data can be transferred and processed, the market could be growing even faster. Arguably, therefore, the best use of the Commission's time would be to clarify the application of the laws on data transfer to a cloud solution. Currently, this is being addressed by national regulators (such as the UK Information Commissioner's Office, which published an official Guidance on the Use of Cloud Computing in September 2012). In terms of the three Key Actions proposed by the Commission:
Key Action 1: The absence of a voluntary certification scheme is not something that has appeared to impede the development of the cloud market so far. Cloud-based services have not been seen as a VHS v. Betamax situation. It is questionable how far any certification scheme can go if it is voluntary. But the alternative, a mandatory scheme, would be much worse for the cloud sector, so it's doubtful whether the industry will object to this Key Action too loudly.
Key Action 2: There is no doubt that the Commission could help the adoption of cloud computing in Europe to grow by addressing the issue of data privacy. Model clauses would be helpful, as would a common set of standards that would enable cloud providers to ensure that all appropriate EU-level privacy rules are addressed by their solutions. Beyond that, the creation of a model set of contract conditions for cloud usage is a distant prospect. The Commission has been working for years on the issue of harmonizing contract laws across the EU and there is no immediate likelihood of that happening (either in the cloud or out of it) any time soon.
Key Action 3: The ECP ought to be cautiously welcomed by industry. The government sector has been a significant driver of activity in the ICT industry for many years, but public bodies are seen as conservative and slow adopters of new technologies or methods of ICT delivery. Anything that incentivises or legitimises the take-up of cloud computing by a large group of potential users must be good for the industry.
AN OPPORTUNITY MISSED?
One of the significant blockages to the adoption of cloud solutions is the absence of guidance by regulators in specific sectors. For the financial services sector especially, cloud solutions could have a significant impact. But regulators have generally failed to grapple with cloud computing or provide guidance to their regulated firms. The result has been a take-up of cloud solutions by regulated entities that has been more muted than it could have been, because firms are worried about entrusting core systems to a form of services delivery about which the regulatory treatment is unclear. The Commission's Communication has not helped to point the way for European financial services regulators to open the door to more take-up of cloud services by financial institutions.
Elsewhere, the EU's Markets in Financial Instruments Directive (MiFID) has focussed greater attention on the importance of regulated firms having greater control and effective access over data relating to their activities. The Communication would have been a perfect vehicle for the Commission to clarify doubt over how MiFID might apply to data stored or processed in the cloud; to discuss whether a graduated approach to the effectiveness of data access might have been appropriate; and to explain what sort of audit requirements are appropriate to data stored in the cloud by a regulated entity. The fact that it didn't do any of these things represents an opportunity missed. The position is slightly different in the U.S. There, as we reported in our Client Alert "Federal Financial Agencies Issue Cautionary Statement on Financial Institution Cloud Computing Services", various federal financial regulatory agencies have been more proactive and have issued a joint interagency statement on the use by financial institutions of outsourced cloud computing services, and the key risks associated with such services. The statement is the first formal federal financial agency statement on the matter of cloud computing. In general, the statement reaffirms that the fundamentals of existing risk and risk management requirements that currently are applicable to financial institution outsourcing of IT services apply equally to outsourced cloud-based services, while identifying certain risks that, in the Agencies' view, are of particular concern with respect to such services.
CONCLUSION
In many ways, the Communication is characteristic of the Commission's approach to many issues. It tends to favour regulation over liberalisation; it believes that the market needs stimulus; and it proposes grand gestures and task forces over specific reforms. But in practice, the cloud computing market is growing at a significant rate in Europe, even without the benefit of the Commission's extra help.
The ICT industry has moved quickly to wrap cloud services into packages alongside more customized services, and make them attractive to customers as part of their ICT sourcing options.
More seriously, the Commission seems to have failed to grasp the central point that some of the features that it feels the need to reform are, in fact, central to the cloud model. The trade-off between price, flexibility and contract rights is at the heart of what makes the cloud work. If the Commission's proposals were to be adopted across the board, the cloud providers would have to raise their prices and drop many of the services where the cloud offers flexibility, which would defeat the whole reason why cloud seems so attractive in the first place. Some of the supposed issues identified by the Commission (for example, the lack of certification and standards) would not feature on many industry observers' lists of top 10 risks.
Contact: Alistair Maughan, +44 20 7920 4066, amaughan@mofo.com
About Morrison & Foerster: We are Morrison & Foerster, a global firm of exceptional credentials in many areas. Our clients include some of the largest financial institutions, investment banks, Fortune 100, technology and life science companies. We've been included on The American Lawyer's A-List for nine straight years, and Fortune named us one of the 100 Best Companies to Work For. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger. This is MoFo. Visit us at www.mofo.com.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.
Morrison & Foerster Client Alert. February 14, 2011
Privacy in the Cloud: A Legal Framework for Moving Personal Data to the Cloud
By Christine Lyon and Karin Retzer
For many companies, the main question about cloud computing is no longer whether to move their data to the cloud, but how they can accomplish this transition. Cloud (or Internet-based on-demand) computing involves a shift away from reliance on a company's own local computing resources, in favor of greater reliance on shared servers and data centers. Well-known examples of cloud computing services include Google Apps, Salesforce.com, and Amazon Web Services. In principle, a company also may maintain its own internal private cloud without using a third-party provider. Since many companies choose to use third-party cloud providers, however, this article will focus on that cloud computing model. Cloud computing offerings range from the provision of IT infrastructure alone (servers, storage, and bandwidth) to the provision of complete software-enabled solutions. Cloud computing can offer significant advantages in cost, efficiency, and accessibility of data. The pooling and harnessing of processing power provides companies with flexible and cost-efficient IT systems. At the same time, however, cloud computing arrangements tend to reduce a company's direct control over the location, transfer, and handling of its data. The flexibility and easy flow of data that characterize the cloud can raise challenging issues related to protection of data in the cloud. A company's legal obligations and risks will be shaped by the nature of the data to be moved to the cloud, whether the data involve personal information, trade secret information, customer data, or other competitively sensitive information. This article describes the special legal considerations that apply when moving personal information to the cloud.
It also offers a framework to help companies navigate these issues to arrive at a solution that meets their own legal and business needs.
Beijing: Paul D. McKenzie 86 10 5909 3366; Jingxiao Fang 86 10 5909 3382
Brussels: Karin Retzer 32 2 340 7364; Joanne Lopatowska 32 2 340 7365
Hong Kong: Gordon A. Milner 852 2585 0808; Nigel C.H. Stamp 852 2585 0888
Los Angeles: Mark T. Gillett (213) 892-5289; Michael C. Cohen (213) 892-5404; David F. McDowell (213) 892-5383; Russell G. Weiss (213) 892-5640
London: Ann Bevitt 44 20 7920 4041; Anthony Nagle 44 20 7920 4029; Chris Coulter 44 20 7920 4012
New York: Joan P. Warrington (212) 506-7307; John F. Delaney (212) 468-8040; Madhavi T. Batliboi (212) 336-5181; Suhna Pierce (212) 336-4150; Marian A. Waldmann (212) 336-4230; Miriam Wugmeister (212) 506-7213; Sherman W. Kahn (212) 468-8023
Northern Virginia: Daniel P. Westman (703) 760-7795; Timothy G. Verrall (703) 760-7306
Palo Alto: Bryan Wilson (650) 813-5603; Christine E. Lyon (650) 813-5770
San Francisco: Roland E. Brandel (415) 268-7093; James McGuire (415) 268-7013; William L. Stern (415) 268-7637; Jim McCabe (415) 268-7011
Tokyo: Daniel P. Levison 81 3 3214 6717; Gabriel E. Meister 81 3 3214 6748; Jay Ponazecki 81 3 3214 6562; Toshihiro So 81 3 3214 6568; Yukihiro Terazawa 81 3 3214 6585
Washington, D.C.: Andrew M. Smith (202) 887-1558; Cynthia J. Rich (202) 778-1652; Julie O'Neill (202) 887-8764; Nathan David Taylor (202) 778-1644; Obrea O. Poindexter (202) 887-8741; Reed Freeman (202) 887-6948; Richard Fischer (202) 887-1566; Kimberly Strawbridge Robinson (202) 887-1508
2011 Morrison & Foerster LLP mofo.com Attorney Advertising
DETERMINE THE CATEGORIES OF PERSONAL INFORMATION TO BE MOVED TO THE CLOUD
As a general principle, personal information includes any information that identifies or can be associated with a specific individual. Some types of personal information involve much greater legal and business risks than other types of personal information. For example, a database containing health information will involve greater risks than a database containing names and business contact information of prospective business leads. Also, financial regulators in many countries require specific security standards for financial information. Accordingly, a cloud computing service that may be sufficient for the business lead data may fail to provide the legally required level of protection for health, financial, or other sensitive types of information. A company will want to develop a strategy that provides sufficient protection to the most sensitive personal information to be transmitted to the cloud. In some cases, a company may elect to maintain certain types of personal information internally, in order to take advantage of more cost-efficient cloud computing services for its less-sensitive data.
IDENTIFY APPLICABLE LAWS AFFECTING YOUR OUTSOURCING OF PERSONAL INFORMATION
Cloud computing, by its nature, can implicate a variety of laws, including privacy laws, data security and breach notification laws, and laws limiting cross-border transfers of personal information.
Privacy Laws
Companies operating in the United States will need to consider whether they are subject to sector-specific privacy laws or regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Such laws impose detailed privacy and data security obligations, and may require more specialized cloud-based offerings.
European-based companies, as well as companies working with providers in or with infrastructure in Europe, will need to account for the broad-reaching requirements under local omnibus data protection laws that protect all personal information, even basic details like business contact information. These requirements can include notifying employees, customers, or other individuals about the outsourcing and processing of their data; obligations to consult with works councils before outsourcing employee data; and registering with local data protection authorities. Similar requirements arise under the data protection laws of many other countries throughout Europe, Asia, the Middle East, and the Americas.

Data Security Requirements

Even if a company is not subject to these types of privacy laws, it will want to ensure safeguards for personal information covered by data security and breach notification laws. In the United States, these laws focus on personal information such as social security numbers, driver's license numbers, and credit or debit card or financial account numbers. One of the key safeguards is encryption, because many (although not all) of the U.S. state breach notification laws provide an exception for encrypted data; that exception generally does not apply where the encryption key was compromised along with the data. In contrast, many other countries require protection of all personal information and do not necessarily provide an exception for encrypted data. Consequently, companies operating outside of the United States may have broader-reaching obligations to protect all personal information. While data protection obligations vary significantly from law to law, both U.S. and international privacy laws commonly require the following types of safeguards:

- Conducting appropriate due diligence on providers;
- Restricting access, use, and disclosure of personal information;
- Establishing technical, organizational, and administrative safeguards;
- Executing legally sufficient contracts with providers; and
- Notifying affected individuals (and potentially regulators) of a security breach compromising personal information.

The topic of data security in the cloud has received significant industry attention. The National Institute of Standards and Technology (NIST) is working to develop guidelines, and recently issued its draft Guidelines on Security and Privacy in Public Cloud Computing. In the interim, industry groups such as the Cloud Security Alliance (CSA) have suggested voluntary guidelines for improving data security in the cloud. The CSA's Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (December 2009) is available at http://www.cloudsecurityalliance.org/csaguide.pdf. Providers also may choose to be certified under standards such as ISO 27001, although such certifications may not address all applicable legal requirements.

Restrictions on Cross-Border Data Transfers

A number of countries restrict the transfer or sharing of personal information beyond their borders, including all the European Economic Area (EEA) Member States and certain neighboring countries (Albania, the Channel Islands, Croatia, the Faroe Islands, the Isle of Man, Macedonia, and Switzerland), as well as countries in North Africa, the Middle East, Latin America, and Asia (including Morocco, Israel, Argentina, Uruguay, and Korea). These restrictions can present significant challenges for multinational companies seeking to move their data to the cloud. Recognizing these challenges, some providers are starting to offer geography-specific clouds, in which the data are maintained within a given country or jurisdiction. Some U.S. providers have also certified to the U.S.-European Union Safe Harbor program in order to accommodate EU-based customers.
However, as the Safe Harbor only permits transfers from the EU to the United States, it is not a global solution. Accordingly, a company should assess carefully whether the options offered by a provider are sufficient to meet the company's own legal obligations in the countries where it operates.

To complicate matters, international data protection authorities, particularly in the EEA, have expressed growing doubts about the permissibility of the cloud model for personal information. For example, Mr. Thilo Weichert, the head of the data protection authority of Schleswig-Holstein (one of the smaller German federal states), recently issued an opinion arguing that any cloud located outside the EEA was unlawful unless explicit written (pen on paper) consent was obtained from all of the individuals involved. In Mr. Weichert's opinion, cloud computing was neither necessary nor legitimate and therefore was forbidden without such consent. See (in German) Thilo Weichert: Cloud Computing und Datenschutz, available at http://www.golem.de/1006/75887.html. Note that the opinion is not legally binding, even for companies established in Schleswig-Holstein, and it appears unlikely that other German federal states (or other data protection authorities in the EEA or elsewhere) will follow this restrictive interpretation. However, the opinion has attracted significant attention, and the Working Party 29, the assembly of European data protection authorities, has included cloud computing in its work program. The Working Party 29 is currently expected to issue guidance about cloud computing in 2011.

REVIEW CONTRACTUAL OBLIGATIONS AFFECTING YOUR OUTSOURCING OF PERSONAL INFORMATION

If your company is seeking to outsource to a cloud provider applications that involve third-party data, such as personal information maintained on behalf of customers or business partners, it is important to consider any limitations imposed by contracts with those third parties.
Such agreements might require third-party consent to the outsourcing or subcontracting of data processing activities, or may require your company to impose specific contractual obligations on the new provider or subcontractor.

SELECT AN APPROPRIATE CLOUD COMPUTING SOLUTION

Cloud services tend to be offered on a take-it-or-leave-it basis, with little opportunity to negotiate additional contractual protections or customized terms of service. As a result, companies may find themselves unable to negotiate the types of privacy and data security protections that they typically include in contracts with other service providers. Companies will need to evaluate whether the contract fulfills their applicable legal and contractual obligations, as discussed above. Beyond that, companies will want to evaluate the practical level of risk to their data, and what steps they might take to reduce those risks.

Public vs. Private Cloud

Broadly speaking, a private cloud maintains the data on equipment that is owned, leased, or otherwise controlled by the provider. Private cloud models can be compared with many other well-established forms of IT outsourcing, and do not tend to raise the same level of concern as a public cloud model. A public cloud model places data on computers and networks shared with unrelated third parties, which might include business competitors or individual consumers. While offering maximum flexibility and expansion capabilities, the public cloud model raises heightened concerns about the inability to know who holds your company's data, the lack of oversight over those parties, and the absence of standardized data security practices on the hosting equipment. Given these challenges, companies outsourcing personal information will want to understand whether the proposed service involves a private or public cloud, as well as evaluate what contractual commitments the provider is willing to make about data security.

Securing Data Before Transmission to the Cloud

Companies also may be able to take measures themselves to protect personal information before it is transmitted to the cloud.
Some provider agreements instruct or require customers to encrypt their data before uploading it to the cloud, for example. If it is feasible to encrypt the data prior to transmission to the provider, this can provide substantial additional protection, as long as the encryption keys are not available to the provider. Encryption performed by the provider itself with keys it holds or can access (for example, provider-managed encryption of stored data) does not offer this protection, because the provider, and anyone who compromises it, can still decrypt the data.

It is also important to account for applicable security requirements. Several countries in Europe have very specific statutory requirements for security measures, and some regulators have issued detailed security standards for cloud computing providers, such as the recently published security standards from the German IT security agency. This paper, published on September 27, 2010, sets forth in great detail minimum requirements for cloud computing providers across the IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) service models. The requirements include specific organizational and technical standards, access controls, encryption, incident response planning, and data portability. The paper is not yet final, as the Agency is seeking comments from industry. See Bundesamt für Sicherheit in der Informationstechnik: Mindestsicherheitsanforderungen an Cloud-Computing-Anbieter (available in German from the BSI).

Contract Issues

The contract with the cloud services provider needs to set out clearly the roles and responsibilities of the parties. Unlike many outsourcing arrangements, cloud service contracts usually do not distinguish between personal information and other types of data. These contracts may still include at least basic data protection concepts, even if they are not expressly identified as such. At a minimum, companies will want to look for provisions preventing the provider from using the information for its own purposes, restricting the provider from sharing the information except in narrowly specified cases, and confirming appropriate data security and breach notification measures. Given the difficulty of negotiating special arrangements with cloud providers, it is important to select a cloud offering that is appropriately tailored to the nature of the data and the related legal obligations. It is likely that as cloud computing matures, more offerings tailored to specific business requirements, including compliance with privacy and similar laws, will be made available to companies.

CONCLUDING THOUGHTS

While cloud computing can substantially improve the efficiency of IT solutions, particularly for small and medium-sized businesses, the specific offerings need to be examined closely. There is no one-size-fits-all solution to cloud computing, especially for companies operating in highly regulated sectors or internationally. By understanding their legal compliance obligations, companies can make informed decisions in selecting cloud computing services or suites of services that best meet their needs.

This was first published by ALM Media Properties LLC in Corporate Counselor (February 2011).

About Morrison & Foerster: We are Morrison & Foerster, a global firm of exceptional credentials in many areas. Our clients include some of the largest financial institutions, investment banks, Fortune 100, technology and life science companies. We've been included on The American Lawyer's A-List for seven straight years, and Fortune named us one of the 100 Best Companies to Work For. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger. This is MoFo. Visit us at www.mofo.com.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.