Patricia Ayojedi V SCTC day Cloud 24 feb16

Upload: argelich-networks

Post on 13-Apr-2017

TRANSCRIPT

Page 1: Patricia Ayojedi V SCTC day Cloud 24 feb16

Cloud: Is it legal or illegal to use American cloud services in Europe?

PATRICIA AYODEJI

Dual qualified Lawyer, England & Spain. Member of The Law Society, London & Ilustre Colegio de la Abogacía, Barcelona. Founding Lawyer, E-PDP

[email protected]

24th February 2016, www.e-pdp.es

Page 2:

Dropbox, Google Drive, Gmail, Microsoft Office 365, Mailchimp & many others…

Page 3:

2016 E-PDP PROTECCIÓN DE DATOS PERSONALES

CLOUD DOES NOT… remove our responsibility for data protection, data security, data integrity, data confidentiality and business continuity.

We cannot entrust or delegate these to the cloud provider. Any contractual clause purporting to do so is invalid!

Page 4:

Before & After: Mass-surveillance on foreigners abroad

Page 5:

What you should know... Not on a par... In the US, data is governed by a patchwork of state and federal laws, with new reforms added all the time. Europe has a more harmonised regime – and there are big changes planned!

Privacy Act 1974. Guarantees three primary rights which federal agencies must abide by:

• The right to see records about oneself, subject to Privacy Act exemptions;

• The right to request the amendment of records that are not accurate, relevant, timely or complete; and

• The right of individuals to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of personal information.

Only applies to U.S. citizens or non-U.S. citizens who are permanent residents.

Judicial Redress Act 2015. Gives citizens from approved EU countries (“U.S.-allied countries”) the right to sue federal agencies that mishandle their personal data, in a similar way to the rights Americans enjoy under the Privacy Act. Americans already enjoy similar rights in Europe. The right to redress is subject to the same restrictions U.S. citizens face under the Privacy Act, including broad exemptions for national security.

Page 6:

Privacy. Security. Confidentiality. Data integrity. Business continuity.

The European Approach

Page 7:

Charter of Fundamental Rights of the European Union

Title II Freedoms

Article 8 Protection of Personal Data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly and on the basis of the consent of the person concerned or some other legitimate reason laid down by the law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

Page 8:

Page 9:

Data Protection Directive 95/46/EC -> LOPD 15/1999. PROTECTS PERSONAL DATA OF EU CITIZENS AS USERS OF CLOUD & WHEN IN CUSTODY OF A CLIENT OF CLOUD SERVICES.

In process of reform! New EU Data Protection Regulation. Expected to be formally agreed shortly and in place in 2018. ONE SINGLE LAW, which will enter into force after a transition period of 2 years. Higher fines – up to 4% of turnover when companies have violated the privacy of a European.

Extended territory includes all non-EU companies with no establishment in the EU who offer goods/services (including free of charge) to EU citizens.

Ireland will cease to be a soft option for U.S. companies.

Page 10:

Some Data Protection questions

• Do they share data with third party subcontractors? Do you know who they are, what services are outsourced, and where their servers are located?

WhatsApp, Gmail… involve the processing of data via undetermined servers and companies throughout the world.

• Are you sure the data is not used for other purposes?

• In case of a breach, do they have the appropriate insurance?

If our cloud provider does not provide us with certain guarantees, all responsibility for the data lies with us!

Page 11:

JURISPRUDENCE & CLOUD SOURCED DATA

2015: 'annus horribilis' for Google, Facebook, Apple, Yahoo etc.

Page 12:

US Safe Harbour Scheme

Turning point in international transfers to the US: the striking down of Safe Harbour!

6 October 2015, EU Court of Justice, Schrems vs. Facebook, Judgment C-362/14. (The case arose from the NSA's mass-surveillance programs: Snowden’s NSA leaks demonstrated that European data stored by US companies was not safe from the type of surveillance which would be considered illegal in Europe.) The Court proclaims that the 15-year-old Safe Harbour, the legal framework that American companies have used to handle European citizens’ data, does not provide an adequate level of protection and does not provide guarantees equivalent to those established in the European Union.

The Judgment invalidated the legal basis for US-EU Safe Harbour.

If your company is relying on Safe Harbour, it is in an illegal situation and may face enforcement proceedings depending on the DPAs in question!!

Page 13:

AEPD: Spanish Data Protection Authority’s response to the EU Court of Justice Schrems Judgment, Madrid, 29th October 2015

In exercise of its powers, the AEPD (Spanish Data Protection Authority) required that, at the earliest and in any case before 29 January 2016, all transfers of data from Spain to the U.S. be notified or modified in the General Data Protection Registry and, if necessary, include details of their compliance with data protection legislation.

If this is not done within that period, the Authority may initiate proceedings, if necessary, to temporarily suspend such international transfers.

https://www.agpd.es/portalwebAGPD/canalresponsable/transferencias_internacionales/common/Comunicacion_responsables_-_Puerto_Seguro.pdf

Page 14:

The US Government’s response to Schrems

U.S. Secretary of Commerce Penny Pritzker

“…..We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy. Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years….”

Page 15:

How do we use American cloud services in Europe without running afoul of EU data protection law? Alternative compliant data transfer mechanisms...

Data localisation: the actual whereabouts of the data. Choose a Spanish/EU provider, e.g. migrate from Georgia-based Mailchimp (whose privacy policy discloses personal information to comply with court orders and subpoenas) to Madrid-based Mailrelay (data centres in the EU). A basic but effective means to influence jurisdiction. An option for large organisations.

EU model contractual clauses: for transfers to countries or territories that do not ensure an adequate level of protection (which now includes the USA). In Spanish & English!

Binding Corporate Rules (BCRs): a set of legally enforceable internal rules (such as a Code of Conduct) regarding data privacy and security, to ensure that transfers of personal data outside of the EU take place in accordance with EU rules. A valid solution. Greater flexibility.

THESE OPTIONS REMAIN FORMALLY EFFECTIVE & LEGAL

Page 16:

#FLASH Successor to Safe Harbour: EU-US Privacy Shield, 2nd February 2016

http://ec.europa.eu/avservices/video/player.cfm?ref=I115848&sitelang=en

EU Commission & US Dept. of Commerce

•New living framework for transatlantic data flows with continuous process of monitoring by EU Commission & annual review which will look at all aspects of the agreement.

•Multiple channels for EU citizens to report any “misuse” of their personal data. Companies will have deadlines in which to respond to complaints.

•EU citizens will benefit from legal redress for privacy violations .

• Severe restrictions on indiscriminate mass surveillance of European citizens by the U.S.

Page 17:

EU-US Privacy Shield

The situation has not changed since Schrems.

WP29 (body of representatives of the individual European Member States’ DPAs): EU-US data transfers won’t be blocked while Privacy Shield details are hammered out!

Is the arrangement robust enough? It is not in fact certain that it will pass the scrutiny of the WP29 (quality, content, legal consequences) or of the ECJ (the ultimate authority on the enforceability of the new pact).

Plenty of questions remain & a deal is not really done yet! Uncertainty likely to prevail for some time!

Page 18:

Security. Employees remain the weakest link within an organisation!

What security measures does the provider have in place, and does it offer levels of security equivalent to local access?

Preventative measures against viruses, hackers, spies?

Do they keep security copies (backups)?

ISO certification?

ISO/IEC 27018 (Aug. 2014): code of practice to ensure cloud service providers offer suitable information security controls to protect PII processed in the public cloud.

ISO/IEC 27017: cloud-specific information security controls & advice for cloud service customers and providers. Published end of 2015. Agreement on the information security roles & responsibilities of both parties.

Page 19:

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Data security breaches continue to climb. World's Biggest Data Breaches: selected losses greater than 30,000 records (updated 2nd October 2015), www.informationisbeautiful.net

Page 20:

Confidentiality

Encryption?

Who holds the access keys? How are they protected?

Usernames. Passwords. Password recovery.

Page 21:

Data integrity

• What measures has the provider taken to mitigate the risk of data being involuntarily compromised?

• Who can access the data? What can they do with it?

• What happens when you want to change cloud provider? Will critical data be inaccessible? For how long?
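The confidentiality questions on page 20 (who holds the keys?) and the integrity questions above (has the data been compromised, and is it all still there after a provider change?) both have a practical answer the customer can implement independently of the provider. The following is an added example, not code from the presentation or from any provider: it builds a manifest of SHA-256 digests over the files before they are handed to the cloud, authenticates the manifest with an HMAC key that stays with the customer, and later checks what came back. The file contents, names and key are constructed for the demonstration; a real deployment would generate the key with `secrets.token_bytes(32)` and keep it in a key store under the customer's own control.

```python
"""Customer-held integrity manifest for data stored with a cloud provider.

Added example (Python standard library only). The key never leaves the
customer, so neither the provider nor anyone reading the stored manifest
can forge a "clean" manifest after altering the files.
"""
import hashlib
import hmac
import json

# Constructed sample "files" standing in for a customer's cloud-stored data.
SAMPLE_FILES = {
    "contracts/2016-q1.pdf": b"%PDF-1.4 dummy contract bytes",
    "hr/payroll.csv": b"name,iban\nAna,ES00 0000 0000 00 0000000000\n",
    "marketing/list.csv": b"email\nana@example.org\n",
}

# Constructed demo key. Real deployments: secrets.token_bytes(32), stored
# in a key store the customer controls, never uploaded next to the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(entries: dict) -> bytes:
    """Deterministic JSON encoding so the HMAC is stable across reloads."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Digest every file and seal the list of digests with the customer's key."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """True only if the manifest was sealed with this key and not altered since."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_manifest(manifest: dict, retrieved: dict, key: bytes) -> dict:
    """Compare retrieved files against the sealed manifest.

    Returns {name: "ok" | "modified" | "missing" | "unexpected"}.
    Raises ValueError if the manifest itself fails authentication, because a
    forged manifest would make every other verdict meaningless.
    """
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    report = {}
    for name, digest in manifest["files"].items():
        if name not in retrieved:
            report[name] = "missing"
        elif hashlib.sha256(retrieved[name]).hexdigest() != digest:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in retrieved:
        if name not in manifest["files"]:
            report[name] = "unexpected"
    return report


def demo() -> dict:
    """Seal the sample files, then check a simulated post-migration copy."""
    manifest = build_manifest(SAMPLE_FILES, DEMO_KEY)
    # The manifest survives being stored and reloaded as JSON.
    stored = json.loads(json.dumps(manifest))

    # Simulated retrieval from the (old or new) provider: one file silently
    # altered, one lost in transfer, one that was never ours.
    retrieved = dict(SAMPLE_FILES)
    retrieved["hr/payroll.csv"] += b"Bob,ES11 1111 1111 11 1111111111\n"
    del retrieved["marketing/list.csv"]
    retrieved["notes.txt"] = b"left behind by someone else"
    return verify_manifest(stored, retrieved, DEMO_KEY)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {name}")
```

The manifest is safe to store alongside the data: without the key, an attacker who can rewrite the files cannot recompute a matching HMAC, and a provider change is verified by running `verify_manifest` against whatever the new provider returns. Storing the key with the same provider would defeat the point, which is exactly the "who holds the access keys?" question on page 20.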


Page 22:

Continuity: Portability & Interoperability

The ability to retrieve and shift data & services between different cloud systems.

Portability is a new right under the new Regulation, designed especially for cloud services, i.e. the ability to get structured, legible information in a format compatible with other systems!

Page 23:

Go for it, but remember……

Page 24:

PATRICIA AYODEJI, IP/IT/Privacy

[email protected]

Thank you!

Don’t panic.....

We protect your company data, digital products and services in different legal jurisdictions.

• Information Security and Data Protection
• Copyright and Trade marks
• e-Legal proceedings
• International legal services