European Barriers to the Cloud?

August 2012

U.S. providers of cloud services may see new overseas opportunities as the European Commission (EC) releases its cloud computing strategy sometime this year. The EC recognizes the cloud as a potential driver of cost savings, economic growth and innovation, and it is working to clarify the law applicable to cloud services in areas as diverse as tax, copyright and duties to support law enforcement.

Data protection and privacy will be particular sticking points for the EC's Strategy. Cloud architecture runs headlong into the European Union's (EU) legal restrictions on transfers of personal data internationally. For example, EU companies cannot send data identifying individuals to the United States, whose privacy laws are not viewed as "adequate," unless special safeguards are in place. But because the United States is a leader in cloud services, U.S. destinations would be prime locations for European data.

Will the U.S.-EU Safe Harbor Survive in the Cloud?

The developing EC cloud computing strategy is shaping up as the new battlefield for EU data protection authorities (DPAs) and U.S. companies doing business via the Internet. Member State regulators have long targeted U.S. companies that do online business in the EU, such as Google and Facebook.

DPAs reserve a special dislike for the U.S.-EU Safe Harbor program. By participating in the program, eligible U.S. companies can overcome restrictions on receiving personal data from the European Union. U.S. companies generally can effect such transfers without answering to EU regulators. The Safe Harbor privacy standards are also attractive because they are less restrictive than EU data protection law, and certainly less so than EU DPAs' preferred interpretation. In the Safe Harbor's 12-year history, aggressive EU regulators have sought to toughen Safe Harbor requirements, limit the availability of the program, subject Safe Harbor participants to reviews by EU authorities and prompt enforcement actions against U.S. companies. Despite such pressure, the U.S. administrators of the program, the U.S. Commerce Department and the U.S. Federal Trade Commission, have maintained its integrity as a mechanism subject to U.S. law and embodying U.S. policy in support of industry self-regulation. Many U.S. companies doing business online have chosen to enter and remain in the Safe Harbor.

On its face, the Safe Harbor is well-adapted to trans-Atlantic cloud computing arrangements. For example, an EU company could hire a U.S. cloud service provider that has agreed to uphold the Safe Harbor privacy standards. With only the execution of a so-called data processing contract, trans-Atlantic transfers of personal data could commence (notably, the data processing contract need not include the relatively onerous model data protection contract clauses adopted by EU DPAs).

In July 2012, an influential body of EU DPAs issued an opinion on cloud computing, timed to coincide with the EC's broader formulation of the cloud computing strategy. The DPAs squarely take aim at the Safe Harbor, against a backdrop of deep skepticism that cloud computing arrangements can adequately protect EU individuals' privacy interests. Cloud architecture creates strong tensions with fundamental DPA principles. It would call for unencumbered outsourcing of computing functions, whereas EU regulators would first insist that individuals be "informed who processes their data," be told where those processors reside and be given an opportunity "to exercise the rights afforded," perhaps even to refuse outsourcing. Free transfers among cloud processors also threaten to decrease EU regulators' capability to view international personal data flows and their control over them.

EU privacy regulators assert in their opinion that the Safe Harbor program alone "may not be deemed sufficient" as a basis for transfers to U.S. cloud providers. EU DPAs lack the authority to upend the settled U.S.-EU Safe Harbor agreement, but they suggest that local EU member state data protection requirements should apply in addition to the Safe Harbor standards. EU cloud customers also should demand extensive documentary evidence from U.S. Safe Harbor participants of their compliance with the program. Third-party audits of U.S. participants' network security are recommended. U.S. cloud providers should not be free to subcontract computing functions without first complying with EU regulations concerning data processing contracts, DPAs contend.

Next Steps

While the EC is developing its cloud computing strategy, U.S. companies have an opportunity to clear a path for cloud computing services in the EU. Opinions like the EU DPAs' are influential and could rob cloud services of their efficiencies in routing computing functions to the most efficient locations in commercial timeframes. Engagement with the EC, or with U.S. government and public sector actors working with the Commission, is needed in order to clear legal obstacles to cloud computing. The U.S. Commerce Department and the U.S. Federal Trade Commission should be encouraged to protect the current Safe Harbor framework as a proven mechanism for efficient trans-Atlantic transfers that safeguard privacy.