The Article 29 Working Party (A29WP), a grouping of representatives from the 28 EU national data protection authorities, has issued a number of opinions and working papers in recent weeks that are relevant to users of cloud-based services.
Whilst the A29WP’s opinions and views do not create binding law, they do usually reflect how the individual national data protection authorities (such as the UK’s Information Commissioner) will interpret the law.
EU approves Microsoft cloud terms
Firstly, Microsoft has announced that the A29WP has concluded (PDF) that the standard Microsoft agreement for various Microsoft cloud services (such as Office 365, Microsoft Azure and Microsoft Dynamics CRM) is “in line” with the EU model controller to processor clauses for transfers of personal data outside the EEA.
In effect, the A29WP is saying that contracting on Microsoft’s standard cloud service terms will fall within the scope of the derogation for international transfers of personal data that is available under the model controller to processor clauses approved by the EU Commission.
This is good news for users of cloud services and particularly good news for Microsoft who can now claim to be the only cloud service provider whose standard terms and conditions have been approved by the A29WP for the purposes of international data transfers.
To date, Microsoft has addressed Eighth Principle compliance either by entering into a model clause agreement with the customer or by agreeing to host personal data only in EU data centres. The new clauses will reduce some of the admin and paperwork associated with using model clauses, whilst also enabling customers to utilise more geographically diverse data centres. This may help improve disaster recovery and latency and also reduce prices.
However, it is worth noting that the A29WP’s approval only covers compliance with the eighth data protection principle (that personal data should not be transferred outside the EEA unless the country ensures an adequate level of protection).
It is still incumbent on users of Microsoft’s cloud services to ensure that the processing complies with the other seven data protection principles, in particular the requirement under principle seven to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This information needs to be set out in the appendices to the Microsoft agreement, and the A29WP passes no judgement on the adequacy of Microsoft’s information security measures.
It’s also unclear how the national data protection authorities will view variations to Microsoft’s standard terms. A very strict interpretation is taken for the purposes of the model clauses approved by the EU Commission. If these are amended then the clauses will cease to fall within the derogation. That’s usually not a problem when the model clauses supplement a larger outsourcing/services agreement, as there should be little need to vary the model clauses.
In contrast, the Microsoft terms cover the arrangement as a whole. As such, there is a much greater risk that amendments to the terms could lead to the negotiated agreement inadvertently falling outside the scope of the A29WP’s approval. If any material amendments are proposed to provisions dealing with the security of personal data, it may therefore be prudent to continue using the approved model clauses.
Ad-hoc EU processor to non-EU sub-processor model clauses
The other notable development is the publication by the A29WP of a working document on Draft Ad-hoc contractual clauses for “EU data processor to non-EU sub-processor.”
The current model clauses approved by the EU Commission cover transfers of personal data by an EU data controller to a non-EU data processor and by an EU data controller to a non-EU data controller.
Whilst the controller to processor clauses include a clause that enables processors to subcontract, a data controller can only rely upon the derogation to the eighth principle where the data processor it contracts with is established in a country outside the EEA.
This means that if a UK organisation is outsourcing services under a contract to another entity in the EU and that supplier wishes to use a subcontractor located outside the EEA (for example, to perform application development services in India), then the UK organisation needs to enter into a model clause agreement directly with the local entity outside the EEA.
This leads to Eighth Principle compliance essentially becoming an admin exercise to put in place approved clauses with the relevant party, rather than focussing on whether the data in question is actually being kept secure and processed properly. It also becomes administratively burdensome when a supplier wishes to offer a follow-the-sun service offering with delivery centres in multiple countries.
The A29WP’s new model clauses are aimed at making this simpler. If adopted by the EU Commission, the clauses would allow service providers (and organisations outsourcing services to third parties) an easier way to deal with data protection compliance when transferring personal data to data processors outside the EEA, by setting up a framework between the EU processor and the non-EU sub-processor setting out key terms.
Organisations will need to wait until the clauses are finalised and adopted by the EU Commission before they can rely on them. It’s not yet clear when (or even if) that may happen.
However, the fact that the A29WP is working on this will give organisations comfort that regulators are alive to the shortcomings of the current model clauses.
On April 23, 2014