Data transfers from the EU: Ensuring protection in hosted solutions

By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Rashbaum Associates, LLC.

This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.

Among the European responses to the release of documents by Edward Snowden was a plethora of proposals to create cloud providers that would host data exclusively on servers located in Europe.  The basis of this reaction may be found in the European privacy laws, which place severe constraints upon disclosures of personal data (data that can be linked to an identifiable person).  For reasons steeped in history, the greatest concern of many countries is the prospect of the U.S. government accessing personal data of non-U.S. nations. How do these laws affect U.S.-based companies in their decisions on information governance?

As an American company, European Data Protection laws may affect you without you even knowing it. In many ways, the laws of Europe and the United States are worlds apart with regard to information privacy. The European Data Protection Directive, which is currently being revised. affects American companies and offers comprehensive protections for European citizens with regard to data collected from and about them

Article 25 of the European Data Protection Directive states that personal data may only be transferred from one of the European Union Member States to another country where the country receiving the data has an “adequate level of protection.” Unfortunately, the United States is generally not one of the twelve countries outside of the European Union that have an “adequate level of protection” sufficient to allow for the free-flow of information.  Therefore, transferring data from European citizens, without an explicit exception in the Directive or local laws to a host or server in the United States may run afoul of European Data Protection Directive, subjecting the transferring company to expensive monetary penalties.

There are, however, ways to comply with European privacy and data protection laws when transferring data from the European Union to the U.S. for hosting. First, data may be transferred to the United States with the informed, unambiguous, and freely given consent of the data subject (usually the senders and recipients, but consent is often required from those “cc’ed” on emails).

However, Data/Information Commissioners, who are responsible for the administration and enforcement of the European Union Data Protection laws in their respective countries, advise companies not to rely on consent as their only basis for transfer.

This is because there is debate about whether consent is freely given in the employment context or in situations where consent is received in exchange for goods and services. In addition, informed consent requires a fairly extensive explanation of what actions the data being collected will be subject to before, during, and after transfer. Therefore, relying on consent may not truly offer protection against the fines that can be imposed for improper data transfer.

Another way to transfer personal data such as email to the United States is hosting with a provider that has registered with the U.S. Department of Commerce’s Safe Harbor Program.  Safe Harbor allows an American company to certify that it operates and maintains an “adequate level of protection” for the data it receives and stores pursuant to seven principles of data safeguards followed by the European Union. Therefore, if your hosting provider is registered with the Safe Harbor, personal data may be transferred to and from the European Union (subject to the limitations noted in the seven Safe Harbor principles)

Finally, you can protect your company by contracting with a host that is willing to agree to execute a Data Transfer Agreement that contains the European Union’s “Model Contractual Clauses.” Model Contractual Clauses comprise pre-approved terms and conditions written by the European Commission that reflect the requirements of an “adequate level of protection” and can be included into a contract between the entity looking to transfer data from the European Union and the host receiving the data.[4] Therefore, once incorporated, these clauses allow for the free flow of information much in the same way as Safe Harbor. It must be noted, though, that the clauses must be accepted without modification. As such, the incorporation of Model Contractual Clauses may make the overall contractual negotiations more contentious or difficult.

While these are the principal vehicles through which companies can legally transfer data to hosting providers with servers in the United States, there are others as well. Be sure to speak with counsel who can advise the best method for a particular company. How best to transfer data from the European Union is fact specific and depends on the type of data to be hosted, the locations of the company’s data subjects, and the needs for access and any further disclosures.

The post Data Transfers from the EU: Ensuring Protection in Hosted Solutions appeared first on Logicworks Gathering Clouds.

Related Stories

Leave a comment

Alternatively

This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.