Cloudy data sovereignty in Europe (part two)
Part one can be found here. Part two examines the 'safe harbour' approach to cloud data, and answers the question: who's ultimately responsible for data in the cloud?
In 2000, the US Department of Commerce created the Safe Harbour framework to ensure organisations put appropriate controls in place for the protection of data when handling European and UK companies' data that may be stored in the USA (for example, an American company with regional offices in the UK, France and Germany that keeps employee data such as employment, tax and personal details centrally in the USA).
The Safe Harbour directives consist of seven rules that have been established specifically for US companies to comply with EU data storage directives.
The 'safe harbour' approach, which allows data on EU subjects to be moved out of the EU, is not as widely adopted as you might think, even if you have decided it covers your needs.
Many US cloud firms have not signed up to safe harbour and the liabilities it might entail for them. So it is important to establish two things:
- Does it give you the safety you want?
- Has the vendor you're considering signed up to it, and is this reflected in your terms of service/licence with them?
Transfers to USA organisations adhering to the safe harbour principles can take place lawfully under EU law, since the recipient organisations are deemed to provide an adequate level of protection for the data.
There has been much discussion recently about storing data in the USA or with non-European cloud firms, much of it prompted by the realisation that the US can use the Patriot Act to access European citizens' data without their consent.
The Patriot Act gives the US Government and law enforcement the ability to access foreign data stored on US-located servers, as well as data held in the EU by US-based vendors.
You may also hear of the 'Article 29 Working Party', an independent European advisory body on data protection and privacy issues, made up of representatives from the 27 data protection authorities of the EU member states.
It analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA).
In July 2012 the Article 29 Working Party stated, on the subject of cloud, that companies exporting data to providers outside their local jurisdiction should not merely rely on the data importer's statement that it holds a Safe Harbour certification.
They recommend that the company exporting data should obtain evidence that the Safe Harbour self-certification exists and request evidence demonstrating that its principles are being complied with.
The Article 29 Working Party stated: "Businesses that wish to use cloud services to store and process personal data must use providers that can 'guarantee' compliance with EU data protection laws".
The Working Party's conclusion appears to be that US Safe Harbour coverage is not robust enough, on the basis that it alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by individual data protection authorities.
When using public clouds, which are offered globally to a range of audiences from enterprise companies through to small businesses and consumers, there is a risk of data leaving the EU without your knowledge.
You have the right to know whether this may happen and where your data may be stored; the cloud provider should be open with you about this and provide the transparency that lets you make educated choices.
Since the issues around US-stored cloud data and the Patriot Act's lack of alignment with the Safe Harbour principles came to light, European bodies have been revising and updating the data protection laws that apply to all 27 European member states – and this is under review as this article is written.
Outlined plans for change, including amendments, are expected during the next few years. It was stated that the European Commission will come forward with proposals to reform the 1995 Data Protection Directive during 2012.
The other challenge that has highlighted the need for more legal clarity is whether the customer or the cloud provider is the data controller.
The controller is the one who determines purposes and means of the processing of personal data. The processor is the one who processes personal data on behalf of the controller.
Typically this means the customer is the controller; however, due to the nature of the cloud computing environment the historical definitions can be unclear, and such roles still often need to be determined on a case-by-case basis until legal clarity is brought to bear.
It is therefore important to understand that you may be subject to the authority of the jurisdiction where your data and systems are hosted, or where the parent company providing the hosting is based.
If you want to be sure that you are compliant with local data laws, and also doing right by the clients whose data you hold, you should be vigilant in understanding where your data is ultimately held and whether the hosting entity is compliant with the local legislation you require.
New EU data protection regulation could mean fines of up to 2% of company turnover for data security breaches. With fines and data breaches being reported more diligently (see reported 2012 breaches as examples), evaluating your obligations around data security and sovereignty now, understanding them and taking any necessary actions is key.
It is your data that you are putting into the cloud and according to the lawyers and the data protection laws it means that you are responsible for it.
You are by default the data controller and must choose a cloud provider that guarantees compliance with data protection legislation. Microsoft, Google, Amazon, Salesforce and any other US-based organisation has to comply with US law, meaning that any data housed, stored or processed by a US-based company is open to inspection and interception by US authorities without notice to, or permission from, the non-US company that has hosted its data in their systems.
In fact, during Microsoft's Office 365 launch, Gordon Frazer, Managing Director of Microsoft UK, admitted exclusively to ZDNet that the Patriot Act can be invoked by U.S. law enforcement to access EU-stored data without consent.
The managing director of Microsoft UK admitted that Microsoft would comply with the Patriot Act as its headquarters are based in the US. While it would try to inform its customers before this happened, it stated that it could not guarantee this.
This means that if you do business with a UK subsidiary of a US-based cloud operator who is hosting your data in the UK and you specify that English law applies as well as operating under EU data protection laws, the FBI can still get access to your data.
While this had already been suspected, this was the first clear affirmation and is true for any US-based cloud provider.
This could illustrate why, in the Cloud Industry Forum's 2012 Cloud Adoption Outlook report, 47% of UK organisations wanted their data stored in the UK. This reflects a sense of national law being perceived as providing a higher level of comfort for users.
In a separate public survey of 5,800 individuals carried out by the Cloud Industry Forum, 64 per cent had concerns about where their data would be stored.
Cloud is too important a technological offering to ignore, and whilst there are undoubtedly a number of considerations to address, none are insurmountable; cloud technologies offer great benefit when used in the right areas and for the right reasons.
As cloud becomes more mature and providers more sophisticated there will be accelerated adoption and more consistent answers and clarity to questions from customers.
So what approach can and should you take in your security diligence when adopting a cloud solution, in the areas of data sovereignty and privacy?
Gartner defined six rights of a cloud customer:
– The right to retain ownership, use and control one's own data
– The right to SLAs that address liabilities, remediation and business outcomes
– The right to notification and choice about changes that affect the service consumer's business processes
– The right to understand the technical limitations or requirements of the service up front
– The right to know what security processes the provider follows
– The responsibility to understand and adhere to software license requirements
These are a good start as a high-level foundation for what you should look to adhere to in adopting cloud services, possibly from vendors you have not dealt with previously.
Businesses concerned about data issues and wishing to use cloud computing should conduct a risk analysis encompassing:
- What data will be stored or pass through the cloud service
- The importance and confidentiality of the relevant data
- Any relevant EU, local or industry segment data protection rules to be complied with
- Your own internal receptiveness to where data is stored and what comfort you require from the chosen cloud vendor
All European cloud providers should give clients the information necessary to assess the service openly, including clarity on where they will store the client's primary and backup data, which data laws will apply, who is deemed the data controller, and what data liberation terms are in place to ensure easy retrieval and removal of your own data should you choose to exit the cloud service.
As a client you should select a cloud provider that guarantees compliance with EU data protection legislation, and many articles have suggested going further if dealing with a US vendor.
Suggestions include the recommendation that you should verify that the cloud provider will guarantee the lawfulness of any cross border international data transfers with your data.
They go as far as suggesting that you ask the US vendor providing cloud services to you in the EU to state clearly in their terms with you that "under no circumstances will the data you provide us leave the EEA, even from a request under the USA Patriot Act".
Whether or not they will comply with your request, you should ask for clarity on what contractual service terms they have to protect you, and then decide, based on your business's receptiveness, whether those on offer are sufficient for the type of data you will hold in their service.
Cloud is here to stay in all its forms, and security, whilst an important consideration, is not a prohibiting factor.
As with any solution there is diligence to be done; cloud is not inherently less secure, and in many cases will be more secure than internally provisioned infrastructure.
Well-provisioned cloud services can deliver a range of advantages, including greater security, more resilience, ease of mobile user support, flexibility, reduced costs and a better user experience. However, as a business you need to understand your local responsibility as a data controller and ensure you have clear service contracts and SLAs in place to bring you the protection you require.
A recent publication of note in this area is the book Cloud Computing: Assessing the Risks available now from http://www.itgovernance.co.uk/products/3820