The EU has been hit by Microsoft's recent announcement that,
in certain circumstances, it may be required to disclose personal
data belonging to businesses using its new cloud service to US
authorities - even if the data centres are based in the EU.
Such disclosures would be carried out under the provisions of the
Patriot Act, which was initially drafted as an anti-terrorism tool
and allows US authorities to compel access to data held by US-based
companies, regardless of where in the world it is physically stored.
Further uncertainty was added by the revelation that, despite Safe
Harbor arrangements in place, Microsoft may be required to keep
such disclosures secret both from the EU and from individuals to
whom the data relates.
Safe Harbor is a framework under which US companies can
self-certify that they comply with the obligations under EU data
protection law. The framework allows for the sharing of data
between the EU and self-certified US companies under certain
restrictions, such as the promise of reasonable data security and
informing the EU of any request for access to the data in
question, so that it can in turn inform the affected citizens.
Microsoft's announcement suggests that even where Safe Harbor
provisions are in place, they would provide little protection
should US authorities secretly seek to seize servers holding cloud
data on EU-based individuals under the Patriot Act, overriding one
of the key principles of the Safe Harbor arrangements.
Cloud computing services undoubtedly offer a range of solutions to
businesses looking to minimise IT operating costs and streamline
their systems. However, Microsoft's recent announcements simply add
to the serious data protection issues that businesses will need to
consider before engaging such services. These issues are well
documented: a survey of businesses that use cloud services,
conducted earlier this year by the National Computing Centre,
summarised them as including systems failures, security incidents
involving the supplier's staff, corruption of data, data loss and
data theft. It will therefore be of paramount importance that
businesses ensure their cloud provider has adequate security
arrangements in place. This will be best achieved by carrying out
independent security audits of the service provider and securing
sufficient ongoing audit rights. Such audits address the
supplier-side risks identified in the survey; they cannot, however,
prevent a disclosure compelled under the Patriot Act, which turns
on the provider's legal exposure rather than on its security
controls. Businesses should also assess their own internal
governance and security policies for adequate provisions on the
adoption and use of cloud services, before migrating data to the
cloud.
Going forward, there will undoubtedly need to be increased scrutiny on cloud service providers, and legislation that effectively addresses the concerns will need to be put into place. Data protection regulation is undergoing necessary changes in Europe, and the European Commission has already stated its intention to adopt a proposal for a more effective new data protection framework over the course of 2011. This will aim to address challenges including the consequences of globalisation and transborder flows of personal data, and the development of technology especially in the online world. In light of Microsoft's announcement, legislators may also be prompted to approach the review with the data protection risks posed by cloud services specifically in mind.
This article was written for Law-Now, CMS Cameron McKenna's free online information service.
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 16/08/2011.