By George Kennedy, Solicitor, Intellectual Property and Technology Unit
Technology is evolving at a faster pace than ever before and, while the concept of cloud computing has developed over many years, its use in business and recreation has increased exponentially in recent years. This presents huge opportunities for users but also presents significant legal challenges for users, lawmakers and regulators alike.
To clarify the data protection obligations of users of cloud-based storage and software applications, the Irish Data Protection Commissioner recently published welcome guidelines for data controllers and processors, entitled “Data Protection – In the Cloud”.
Irish Data Protection Law
Irish data protection legislation emanated from European directives. Current Irish legislation is the Data Protection Acts 1988 and 2003 (the “Acts”), together with various statutory instruments.
Persons who control and use data relating to living individuals and who are either (i) established in Ireland; or (ii) not established in Ireland or another European Economic Area (“EEA”) state but use equipment based in Ireland to process their data are “Data Controllers” under the Acts. This brings companies from outside the EEA which use Irish-based “cloud” servers to process their data within the remit of the Acts.
Data Controllers bear primary responsibility for compliance with the Acts. They are required to comply with eight fundamental rules of data protection, which are as follows:-
1. To obtain and process data fairly
2. To keep data only for one or more specified, explicit and lawful purpose(s)
3. To use and disclose data only in ways compatible with the purpose(s)
4. To keep data safe and secure
5. To keep data accurate, complete and up-to-date
6. To ensure that data is adequate, relevant and not excessive
7. To retain data for no longer than is necessary for the purpose(s)
8. To give a copy of personal data to an individual on request.
In addition to this, in order to process personal data in compliance with the Acts, Data Controllers must ensure that (1) they have complied with the eight fundamental data protection rules set out above; (2) they have the data subject's consent to process the data, or the processing is necessary for a specific purpose outlined in the Acts; (3) they have a contract in writing with the processor; and (4) they have ensured adequate security for the data, particularly if transmitting it outside the EEA.
Data Protection Commissioner's Guidance Note
In its recently published guidance note, entitled “In the Cloud”, the DPC identified the security and location of data, and the obligation to have a written contract with a data processor, as being of particular significance for Data Controllers who wish to process data with cloud-based processors.
As mentioned above, one of the eight fundamental rules of data protection is that data must be kept safe and secure. The Acts provide that Data Controllers must take “appropriate security measures” against unauthorised access, alteration, disclosure or destruction of data, particularly where processing involves transmission over a network.
The DPC cites the following as examples of what Data Controllers should look for: (i) that the processor has “very high level” security standards of the type outlined in the DPC's “General Guidance on Security”; (ii) that, where feasible, and particularly in relation to private clouds, a detailed technical analysis incorporating an audit of the cloud processor is carried out (third-party certification to approved national standards is acknowledged as being more appropriate in many circumstances, although the DPC notes that the certificate and accompanying report should be reviewed by the Data Controller); and (iii) that the data processor assures the Data Controller of:-
– Continued access to data (including backup and disaster recovery mechanisms);
– Prevention of unauthorised access to data (including protection against external hacking and access by other cloud users);
– Adequate oversight of sub-processors;
– Procedures in the event of data breach; and
– Right to remove or transfer data.
The location of the data processor is related to ensuring that “appropriate security measures” are taken.
When data is retained within the EEA, Data Controllers can rely on the fact that they benefit from common standards of data protection. However, when data is transferred outside the EEA, additional steps must be taken by Data Controllers to ensure that “appropriate security measures” are taken. In the context of cloud-based processors, the DPC suggests that the following options are available to Data Controllers to ensure this:-
– The country where the data is located is deemed by the EU Commission as having “adequate” levels of protection for data (e.g. US “Safe Harbor” companies); or
– The data is protected contractually by the parties adopting EU approved “Model” contractual terms.
Written Contract
There should be a written agreement between the Data Controller and the cloud processor which must provide that the processor must (i) process the data only on, and subject to, the Data Controller's instructions; and (ii) comply with obligations to ensure that “appropriate security measures” are taken against unauthorised access, alteration, disclosure or destruction of data, particularly where processing involves transmission over a network.
Using cloud-based storage or software systems is undoubtedly an attractive option for users; however, when assessing cloud-based offerings, Data Controllers should always bear in mind that they are ultimately responsible for the data which they control and for ensuring compliance with data protection law.
If you require further advice on this area please contact George Kennedy, Solicitor.