The European Commission has announced new draft laws that would give consumers new remedies where digital content supplied online is defective or not as described by the seller.

On Dec. 9, 2015, the European Commission proposed two new directives on the supply of digital content and the online sale of goods. In doing so, the Commission is making progress towards one of the main goals in the Digital Single Market Strategy (the “DSM Strategy”) announced in May 2015: to strengthen the European digital economy and increase consumer confidence in trading across EU Member States.

This is not the first time that the Commission has tried to align consumer laws across the EU; its last attempt at a Common European Sales Law faltered earlier this year. But the Commission has now proposed two new directives, dealing both with contracts for the supply of digital content and other online sales (the “Proposed Directives”).

National parliaments can raise objections to the Proposed Directives within eight weeks, on the grounds of non-compliance with the subsidiarity principle—that is, by arguing that regulation of digital content and online sales is more effectively dealt with at a national level.

Objectives

Part of the issue with previous EU legislative initiatives in this area is that “harmonized” has really meant “the same as long as a country doesn’t want to do anything different.” This time, the Proposed Directives have been drafted as so-called “maximum harmonization measures,” which would preclude Member States from providing any greater or lesser protection on the matters falling within their scope. The Commission hopes that this consistent approach across Member States will encourage consumers to enter into transactions across EU borders, while also allowing traders to simplify their legal documentation by using a single set of terms and conditions for all customers within the EU.

An outline of the scope and key provisions of each of the Proposed Directives, as well as their effect on English law, is summarized after the jump.


The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we present a “grand unifying theory” of today’s leading technologies and the legal challenges these technologies raise; we discuss whether hashtags can be protected under trademark law; we explore the status of social media accounts in bankruptcy; we examine the growing tensions between content owners and users of livestreaming apps like Meerkat and Periscope; we highlight a recent discovery dispute involving a deactivated Facebook account; we discuss a bill before Congress that would protect consumers’ rights to post negative reviews on websites like Yelp; and we take a look at the Federal Trade Commission’s crackdown on in-store tracking activities.

All this—plus an infographic exploring the popularity of livestreaming sites Meerkat and Periscope.

Read our newsletter.

As a technology law blogger and co-editor of Socially Aware, I monitor emerging developments in information technology. What’s hot in IT today? Any shortlist would have to include social media, mobile, wearable technology, the Internet of Things (IoT), cloud computing and big data.

That list is all over the map, right? Or is it? On closer inspection, these technologies are far more closely intertwined than they may appear to be at first glance.

So what’s the connection between, say, social media and the Internet of Things? Or wearable tech and cloud computing?

Here’s my theory: These technologies all reflect the ceaseless drive by businesses to collect, store and exploit ever more data about their customers. In short, these technologies are ultimately about selling more stuff to us.

With this “grand unifying theory” in mind, one sees how these seemingly disparate technologies complement one another. And the legal challenges and risks they pose become clear.

Collection of Data

Let’s start with the collection of consumer data. Of the six key trends identified above, four relate directly to such collection: social media, mobile, wearable technology and IoT.

When we use the Internet, marketers are tracking our activities; the data generated by our online behavior is collected and then used to target ads that will be more relevant to us.

If we spend time on movie sites, we’re more likely to see ads promoting new film releases. If we visit food blogs, we’re going to be served ads selling cookware.

Creepy? It can be. But such tracking and targeting make it possible for many website operators to offer online content and services for free. Indeed, many believe that such tracking and targeting are essential to the vibrancy of our Internet ecosystem. (Although Google is reportedly experimenting with an offering where one would pay not to see ads while surfing the Web.)

In the past, serious limitations existed on the ability of marketers to track and target us. We might have given our name, email and home address to a website, but not much else; now, with social media, we routinely volunteer loads of personal information—our jobs, hobbies, special skills, taste in music and movies, even our “relationship status.” And not just information about ourselves, but our families, friends and colleagues as well. As a result, social media companies have compiled huge databases about us—in Facebook’s case, nearly 1.4 billion of us.

Also, not long ago, we surfed the Web from either home or office—limiting the ability to be tracked and targeted while away from those locations. The rise of Internet-connected mobile devices has changed all that, of course—now we can access the Web from anywhere, and mobile devices can pinpoint our location, even when we’re not browsing. Marketers can track our daily journey to and from home to work and back again, even serving us “just in time” discount offers as we pass a clothing store or restaurant.

From a marketer’s perspective, social media and mobile are all about expanding the amount and type of customer data that can be collected. Thanks to mobile devices and apps, tracking and targeting are no longer desk-bound and can occur even if a customer is not connected to the Internet.

Wearable tech? Like cell phones, wearables make tracking and targeting possible while one is away from a traditional computer or not actively using the Web. These devices can also collect information that cell phones can’t – our heart rate or body temperature, or the number of hours one slept last week.

For marketers, the Internet of Things is especially exciting because it raises the possibility of being able to track and target consumers anywhere in their homes, even while they are away from their desktop computers or mobile devices.

Imagine your “smart” refrigerator not only determining when you’re low on milk, but offering a 15 percent discount if you buy a quart of milk at your local market today. Or your Internet-connected washing machine recommending a new laundry detergent based on its monitoring of your laundry loads.

Another hot technology trend – commercial drones – is relevant here. Although unmanned aerial vehicles (UAVs) have generated attention for their ability to facilitate package delivery and accommodate WiFi access, they can be used to collect data on consumers when they’re outdoors or near a window, even when they are without cell phones, wearables or other devices used to track their movement and activities.

Ingestibles—“smart” pills containing sensors that are swallowed, allowing the collection of data within one’s body—are a nascent technology that, as they become more widely used, may ultimately fit into this theory.

Storage of Data

With social media platforms, mobile, wearable and IoT devices and UAVs collecting information on an unprecedented scale, that data needs to be stored somewhere. Enter the cloud. All of these new technologies depend heavily on the massive storage capacity made possible by cloud systems; it wouldn’t be cost-effective otherwise. (Case in point: A 2013 study revealed that 90% of all the data in the world had been collected over the prior two years.)

Exploitation of Data

Once all this data has been collected and stored in the cloud, what then?

That’s where big data enters the picture. Big data is providing companies with the analytic tools for sifting through these inconceivably large databases in order to exploit the bits therein.

For example, that photo you uploaded to Instagram can now be analyzed for marketing opportunities. Perhaps you were holding a bag of potato chips; using big data analytics, the chip maker could target you in its next online ad campaign. Or maybe a competing snack company wants to entice you to switch brands. Why stop there? What about the shirt that you were wearing? And that pair of jeans? (I’ve written on the application of big data analytics to the billions of photos hosted on social media sites here.)

Similarly, information collected from wearables, when processed by big data tools, opens up new opportunities for marketers. Your pulse rate may be of interest to the health care industry. Your jogging workouts may attract attention from retailers of athletic shoes and clothing.

But the mother lode just might be all of the marketing insights to be generated by big data analytics stemming from multiple IoT devices in one’s home—the thermostat, stove, refrigerator, coffee machine, toaster, washer/dryer, humidifier, alarm clock and so on: for the first time ever, marketers will have access to real-time information regarding once-private quotidian activities.

Legal Considerations

So that’s my theory: The adoption of today’s hottest IT technologies is being driven in large part by the insatiable desire of businesses to collect and store ever-larger amounts of consumer data, and to then use that data to more successfully market to consumers. When these technologies are viewed in light of this theory, some key legal observations emerge.

First, because these technologies all involve the collection, storage and exploitation of consumer data, privacy and data security are necessarily raised and indeed are the most important legal considerations. That’s not meant to minimize intellectual property, product liability and other legal concerns associated with these technologies; privacy and data security laws, however, are the ones specifically designed to regulate the collection, use and exploitation of consumer data.

Second, these technologies are being developed and implemented far faster than the ability of legislators, regulators and courts to develop rules to govern them. It will be essential for companies embracing these technologies to self-regulate—failure to do so will result in an inevitable backlash, leading to burdensome regulations that will undermine innovation.

Third, these technologies will present real challenges to the majority of companies that want to “do the right thing” by their customers. For example, consumers ideally should be provided with notice and an opportunity to consent prior to the collection, storage and exploitation of their personal information, but how can this be done through, say, a smart electric toothbrush? These issues need to be addressed early in the development cycle for next-generation products—it can’t be an afterthought. Moreover, are customers receiving real, tangible value in connection with the data being collected from them?

Fourth, as our social-media pages, devices and appliances become more closely tied together, and linked to massive troves of data about us in the cloud, businesses need to be aware that it takes only one weak link to put the entire ecosystem at risk. Hackers will no longer need to bypass your computer or phone’s security to capture personal data; they may be able to access your records through, say, an Internet-enabled toaster that lacks adequate security controls.

Finally, companies need to pay attention to whether they need to collect all the data that can be collected through these technologies. Ideally, they should seek to minimize the amounts of personally identifiable information they hold, in order to reduce privacy- and security-related legal risks, and liability.

No doubt this last recommendation may be hard for many marketers to embrace; after all, data-gathering is in their DNA. And that same hard-wiring is in all of our DNA—the original source code for data collection, storage and exploitation. We wouldn’t be human without it.

(This is an expanded, “director’s cut” version of an op-ed piece that originally appeared in MarketWatch.)

The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we discuss key—and often ignored—legal concerns regarding social media assets in M&A transactions; we explore whether anti-Glass hysteria may have doomed Google Glass; we highlight a landmark case finding that parents can be held liable for their child’s online activities (yikes!); we take a look at the FTC’s latest crackdown on social media advertising; and we drill down on cloud services agreements.

All this—plus an infographic roundup of social media’s “greatest” hits in 2014.

Read our newsletter.

IBM has been receiving rave reviews in the media for simplifying its Cloud Services Agreement to a mere two pages in length. And yes, the Agreement also boasts healthy margins and a normal font. But does the Agreement’s reasonable length equate to reasonable terms?

After all, from a customer’s perspective, shorter doesn’t necessarily mean better.

Certainly IBM’s new Agreement was designed to reduce negotiation. According to the International Association for Contract & Commercial Management, which declared IBM a finalist for an award because of the Agreement’s simplified approach, IBM has competitively benchmarked the terms of the new Agreement and IBM apparently feels that the terms will meet the business requirements of most enterprise clients.

Indeed, of the customers presented with IBM’s new Agreement, 80 percent have reportedly signed it without negotiation. The remaining 20 percent, however, still chose to treat the new Agreement – simplified or not – as merely IBM’s opening draft.

Upon review of the new Agreement, it becomes clear why these “20 percenters” chose to negotiate.

For example, the first section of the Agreement is entitled Service Performance and Commitments, but the 208 words of the section contain little in the way of actual commitments; the Cloud Services are merely “designed” to be available 24/7, and while IBM agrees to provide notice of scheduled maintenance, there are no limits on the timing or duration of such maintenance.

Customers must also review the Service Description — in a separate document — to determine what, if any, license rights, data security obligations, service levels and renewal options will apply to the Agreement.

At times, the Agreement does provide terms that a customer will want to see — such as an indemnity against third-party patent and copyright claims — but the value of these terms is often limited. (Even in the shortest contract, the devil is still in the details.)

Customers must also be careful not to skip over short statements with potentially broad implications. For example, while IBM does not ask the customer to expressly indemnify IBM, the Agreement does contain a very short — and very vague — statement making the customer “responsible for” any “violation of law or any third party rights caused by” the customer’s content uploaded to the service or other use of the service. Could this statement require that a customer indemnify IBM for claims arising from any such violation? If so, the customer’s liability for such third-party claims could be unlimited, because the Agreement’s limitation-of-liability provision protects only IBM, not the customer.

Service providers are often urged to keep an agreement as “short and simple” as possible, and this is unquestionably an important goal that will help to reduce costs for both parties. At the same time, anyone reviewing such an agreement should bear in mind that it may have been “shortened and simplified” by the omission of key legal protections.

Ultimately, an informed customer wants an agreement that is short, simple and sweet.

The cloud computing market is evolving rapidly. New as a service (aaS) platforms are appearing and the dichotomy between public and private cloud domains has been fractured into many different shades of hybrid cloud alternatives. And while many of the key issues – privacy risk, data location, service commitment – remain the same, service providers’ commercial offerings are becoming more flexible.

Over the past 18 months, we have even started to see changes in the “take it or leave it” approach to cloud contracts. Negotiations of cloud contracts have started to occur. But at this stage in cloud computing’s evolution, even more so than for traditional ICT contracting, the key is to know what can be negotiated and how much.

Cloud Market

The global cloud computing market is reportedly worth approximately $157 billion in 2014, and is expected to reach $290 billion by 2018. The market is growing at an annual rate of almost 50%. North America continues to represent the largest share of the global cloud market with over 50% of the market, followed by the EMEA region with approximately 29%.

Software as a service (SaaS) is still the biggest sell, followed by infrastructure as a service (IaaS) and platform as a service (PaaS). The Big 3 aaS cloud offerings represent 90% of the global cloud market according to a recent survey.

Flexibility and cost savings are still the main drivers for customers selecting cloud services – while security and privacy remain the top concerns. Interestingly, some customers are starting to consider cloud offerings as a means of improving the security of their data, taking the view that leading cloud providers have more expertise in protecting data and are able to invest more heavily in evolving technologies.

As the cloud market continues to grow in volume terms, the diversity of the market offerings is also increasing. There is more competition than ever before in most of the main cloud market segments, with well-publicized price cuts, more service offerings and many, if not most, software providers examining ways to move into service-based offerings. Traditional market leaders, such as Microsoft and IBM, experience year-on-year growth. Reputation and cost are the key factors in cloud vendor selection, followed by performance assurance related issues.

In general, most large cloud providers are showing a renewed focus on multinational clients and also want to move up the value chain and target larger institutional clients. Outsourcing arrangements now increasingly encompass a cloud computing element, and some cloud providers are prepared to offer managed services to mimic elements of so-called “traditional” outsourcing.

Genuine adoption by regulated entities, especially financial services institutions, is the next big target; although the take-up is not helped by the reticence of regulators in some key global markets (with the notable exception of the United States) to provide a road map to assist regulated entities’ engagement of the cloud model. Nevertheless, reticence to adopt a multi-tenanted cloud solution in regulated sectors is being eroded by the availability of aaS models available through virtual private cloud services and dedicated servers.

Cloud Contracts

It remains axiomatic that contracts for cloud computing services are generally implemented on the provider’s terms. Even projecting forward at the current rate of evolution, it is hard to see that core principle changing. However, contract terms are increasingly negotiable to some extent; although the degree of negotiability pales in comparison with the contracting model in traditional services-based outsourcing.

In our experience there continues to be a (resigned) acceptance from most customers of the providers’ terms, i.e., the terms are what they are, and there’s a general recognition that that is the place to start. After all, if a customer organization expects customization of services and a genuine negotiation of service terms, then maybe the cloud is not the right place to be considered as a solution for those specific services.

Nevertheless, we have experienced greater negotiability compared to 18 months ago, and we anticipate that trend continuing in the future. The contracting areas where we perceive the most scope for negotiation tend to be commercially oriented issues such as price, privacy and security, scope and service levels, and liability caps. Technical areas, such as the variability of service elements that depend on specific data center features, do not lend themselves to negotiation because the shared service nature of cloud facilities limits the ability of providers to agree on changes in those areas. These are areas where customers often show their naivety about how cloud computing works by asking for changes that directly contradict the commoditized nature of the service offering. That said, some providers do not help themselves by justifying their refusal of almost every requested change based on the invariability of the technical solution, even when an issue is plainly commercial and not technical.

Among the key issues that recur in cloud contract negotiations are:

  • Customer control and visibility over subcontracting: there is a general reluctance of providers to allow approval of, or even to identify, subcontractors.  Often, that can be for very good reasons, especially in a public cloud situation;
  • The limitation of the provider’s ability to change the nature of the services provided. Again, there may be very valid reasons for this depending on the nature of the services, but, typically, the negotiation ought to focus on the commercial implications of such changes rather than the basic right itself;
  • Privacy and data security commitments by the provider;
  • Rights of the provider to suspend services under circumstances such as non-payment or violation of an acceptable use policy;
  • Limitation of liability;
  • Termination assistance provisions allowing the customer to extend service for a period after termination or expiration to allow migration to the replacement solution; and
  • The stretching of some common contracting provisions into some pretty unfamiliar directions. One motto to bear in mind when reviewing cloud terms is “never assume that you know what’s in a provision based on its heading.” Force majeure provisions are a good example. You may have thought that it would be hard to reinvent force majeure, but in some cloud instances force majeure seems to be elastic-sided enough to capture “changes in the taxation basis of services delivered via the Internet” as a force majeure event.

Another area where some providers have not helped their industry’s cause is in the proliferation of complex, multi-document contract structures which are often poorly updated and oddly worded. Customers need to wade through the many pieces of paper and URL links, and with a lack of consistency among the documents frustration mounts and patience wears thin. These multi-layered contract structures are unwieldy and often, when quizzed, even the providers’ representatives cannot navigate their way around them. It would be beneficial if the cloud industry generally – and some notable large cloud providers specifically – were to address this contracting approach over the next couple of years.

Privacy and Security

MoFo’s Global Privacy Group has already written extensively about the privacy implications of moving data to the cloud. The conjoined issues of privacy and security remain center stage in most cloud contract negotiations. The key issues generally are who is responsible for data security and how obligations should be allocated between service provider and customer. Importantly, the analysis may differ between different types of cloud services, e.g., between IaaS and SaaS. But it is worth understanding the exact commercial and legal implications of a provider that commits only to be responsible for the “security of our network” and expects its customer to be responsible for the “security of its data.”

Typically, of course, providers are more willing to take responsibility for the integrity of their networks, while attempting to steer clear of obligations in relation to data. However, some service providers now accept that a failure to improve their privacy offerings may compromise future growth in certain markets and be a competitive disadvantage.

So, for example, there is an increased willingness to adopt the EU model clauses for data transfer, and most of the large cloud providers are reacting to commercial pressures from Europe-based clients to offer services from ring-fenced European data centers. Despite this, there is still a lack of appreciation among many customers of the difference between commitments in relation to data “at rest” (i.e., where the data are stored) and where data can be accessed from.

Performance

In general, most cloud contracts are still relatively light in terms of service level commitments, with availability being the main measurement metric. There is no sign yet of widespread (or, indeed, early stage) acceptance of the EU’s standardized SLA suggestions.

In terms of remedies for service failure, the concept of providing credit via further services or contract extension is still prevalent despite the illogicality (from a customer perspective) of accepting more of the same as a service remedy.

Conclusion

The old maxim “Be careful what you wish for” applies to the cloud market at this stage of development. Many commercial users of cloud services have chafed at the “take it or leave it” approach to cloud contracts. But, now that some degree of negotiation is becoming possible in some areas of the cloud market, it is clear that users need to understand more than ever what can realistically be negotiated.

At the same time, users need to clearly distinguish their reasons for adopting cloud solutions in the first place and understand the specific sector of the market that they are seeking to access. If users perceive the risks to be so great that contract negotiation seems essential before putting services in the cloud, it is possible that they need to consider whether the services that they have in mind properly belong there in the first place.

In general, customers need to approach cloud computing transactions with realistic expectations. It is unrealistic to expect to re-negotiate a provider’s cloud contract terms materially on a project with a relatively low cost/value. Providers are either technically constricted or simply commercially unwilling to devote expensive commercial management time or legal resources to negotiate the terms of a project with a relatively low margin or revenue generation.


For many companies, the main question about cloud computing is no longer whether to move their data to the “cloud,” but how they can accomplish this transition. Cloud (or Internet-based on-demand) computing involves a shift away from reliance on a company’s own local computing resources, in favor of greater reliance on shared servers and data centers. Well-known examples of cloud computing services include Google Apps, Salesforce.com, and Amazon Web Services. In principle, a company also may maintain its own internal “private cloud” without using a third-party provider. Since many companies choose to use third-party cloud providers, however, this article will focus on that cloud computing model.

Cloud computing offerings range from the provision of IT infrastructure alone (servers, storage, and bandwidth) to the provision of complete software-enabled solutions. Cloud computing can offer significant advantages in cost, efficiency, and accessibility of data. The pooling and harnessing of processing power provides companies with flexible and cost-efficient IT systems. At the same time, however, cloud computing arrangements tend to reduce a company’s direct control over the location, transfer, and handling of its data.

The flexibility and easy flow of data that characterize the cloud can raise challenging issues related to protection of data in the cloud. A company’s legal obligations and risks will be shaped by the nature of the data to be moved to the cloud, whether the data involve personal information, trade secret information, customer data, or other competitively sensitive information. This article describes the special legal considerations that apply when moving personal information to the cloud. It also offers a framework to help companies navigate these issues to arrive at a solution that meets their own legal and business needs.

Determine the categories of personal information to be moved to the cloud

As a general principle, personal information includes any information that identifies or can be associated with a specific individual. Some types of personal information involve much greater legal and business risks than other types of personal information. For example, a database containing health information will involve greater risks than a database containing names and business contact information of prospective business leads. Also, financial regulators in many countries require specific security standards for financial information. Accordingly, a cloud computing service that may be sufficient for the business lead data may fail to provide the legally required level of protection for health, financial, or other sensitive types of information.

A company will want to develop a strategy that provides sufficient protection to the most sensitive personal information to be transmitted to the cloud. In some cases, a company may elect to maintain certain types of personal information internally, in order to take advantage of more cost-efficient cloud computing services for its less-sensitive data.

Identify applicable laws affecting your outsourcing of personal information

Cloud computing, by its nature, can implicate a variety of laws, including privacy laws, data security and breach notification laws, and laws limiting cross-border transfers of personal information.

(a) Privacy Laws

Companies operating in the United States will need to consider whether they are subject to sector-specific privacy laws or regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Such laws impose detailed privacy and data security obligations, and may require more specialized cloud-based offerings.

Europe-based companies, as well as companies working with providers in or with infrastructure in Europe, will need to account for the broad-reaching requirements under local omnibus data protection laws that protect all personal information, even basic details like business contact information. These requirements can include notifying employees, customers, or other individuals about the outsourcing and processing of their data; obligations to consult with works councils before outsourcing employee data; and registering with local data protection authorities. Similar requirements arise under data protection laws of many other countries, including countries throughout Europe, Asia, the Middle East, and the Americas.

(b) Data Security Requirements

Even if a company is not subject to these types of privacy laws, it will want to ensure safeguards for personal information covered by data security and breach notification laws. In the United States, these laws tend to focus on personal information such as social security numbers, driver’s license numbers, and credit or debit card or financial account numbers. One of the key safeguards is encryption because many (although not all) of the U.S. state breach notification laws provide an exception for encrypted data.

In contrast, many other countries require protection of all personal information, and do not necessarily provide an exception for encrypted data. Consequently, companies operating outside of the United States may have broader-reaching obligations to protect all personal information. While data protection obligations vary significantly from law to law, both U.S. and international privacy laws commonly require the following types of safeguards:

i. Conducting appropriate due diligence on providers;

ii. Restricting access, use, and disclosure of personal information;

iii. Establishing technical, organizational, and administrative safeguards;

iv. Executing legally sufficient contracts with providers; and

v. Notifying affected individuals (and potentially regulators) of a security breach compromising personal information.

The topic of data security in the cloud has received significant industry attention. Industry groups, such as the Cloud Security Alliance, have suggested voluntary guidelines for improving data security in the cloud. For example, please refer to the CSA’s Security Guidelines for Critical Areas of Focus for Cloud Computing, available at https://cloudsecurityalliance.org/download/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3/. In Europe, the Cloud Select Industry Group (CSIG), an industry group sponsored by the European Commission, recently issued the Cloud Service Level Agreement Standardization Guidelines, available at http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines. The Guidelines recommend contractual stipulations covering (1) business continuity, disaster recovery, and data loss prevention controls; (2) authentication/authorization controls, including access provision/revocation, and access storage protection; (3) encryption controls; (4) security incident management and reporting controls and metrics; (5) logging and monitoring parameters and log retention periods; (6) auditing and security certification; (7) vulnerability management metrics; and (8) security governance metrics. Providers also may choose to be certified under standards such as ISO 27001, although such certifications may not address all applicable legal requirements.

(c) Restrictions on Cross-Border Data Transfers

A number of countries—e.g., all the European Economic Area (EEA) Member States and certain neighboring countries (including Albania, the Channel Islands, Croatia, the Faroe Islands, the Isle of Man, Macedonia, Russia, and Switzerland), as well as countries in North Africa (e.g., Morocco), the Middle East (e.g., Israel), Latin America (e.g., Argentina and Uruguay), and Asia (e.g., South Korea)—restrict the transfer or sharing of personal information beyond their borders. These restrictions can present significant challenges for multinational companies seeking to move their data to the cloud. Recognizing these challenges, some providers are starting to offer geographic-specific clouds, in which the data are maintained within a given country or jurisdiction. Some U.S. providers have also certified to the U.S.-European Union Safe Harbor program, in order to accommodate EU-based customers. However, as the Safe Harbor only permits transfers from the EU to the United States, it is not a global solution. Accordingly, a company should assess carefully whether the options offered by a provider are sufficient to meet the company’s own legal obligations in the countries where it operates.

To complicate matters, international data protection authorities, particularly in the EEA, have expressed concerns about use of the cloud model for personal information. The Working Party 29 (WP29), the assembly of EEA data protection authorities, and many other local EEA authorities have issued guidance about cloud computing, covering purpose and transfer restrictions, notification requirements, mandatory security requirements, and the content of the contract to be concluded with cloud providers. This guidance includes the WP29 Opinion 05/2012 on Cloud Computing, which is discussed further below. The draft Data Protection regulation currently discussed among the EEA Member States reflects such guidance and should be accounted for prior to engaging cloud providers.

Review contractual obligations affecting your outsourcing of personal information

If your company is seeking to outsource to a cloud provider applications that involve third-party data, such as personal information maintained on behalf of customers or business partners, it is important to consider any limitations imposed by contracts with those third parties. Such agreements might require third-party consent to the outsourcing or subcontracting of data processing activities, or may require your company to impose specific contractual obligations on the new provider or subcontractor.

Select an appropriate cloud computing solution

Cloud services tend to be offered on a take-it-or-leave-it basis, with little opportunity to negotiate additional contractual protections or customized terms of service. As a result, companies may find themselves unable to negotiate the types of privacy and data security protections that they typically include in contracts with other service providers. Companies will need to evaluate whether the contract fulfills their applicable legal and contractual obligations, as discussed above. Beyond that, companies will want to evaluate the practical level of risk to their data, and what steps they might take to reduce those risks.

(a) Public vs. Private Cloud

Broadly speaking, a private cloud maintains the data on equipment that is owned, leased, or otherwise controlled by the provider. Private cloud models can be compared with many other well-established forms of IT outsourcing and do not tend to raise the same level of concerns as a public cloud model.

A public cloud model disperses data more broadly across computers and networks of unrelated third parties, which might include business competitors or individual consumers. While offering maximum flexibility and expansion capabilities, the public cloud model raises heightened concerns about the inability to know who holds your company’s data, the lack of oversight over those parties, and the absence of standardized data security practices on the hosting equipment. Given these challenges, companies outsourcing personal information will want to understand whether the proposed service involves a private or public cloud, as well as evaluate what contractual commitments the provider is willing to make about data security.

(b) Securing Data Before Transmission to the Cloud

Companies also may be able to take measures themselves to protect personal information before it is transmitted to the cloud. Some provider agreements instruct or require customers to encrypt their data before uploading the data to the cloud, for example. If it is feasible to encrypt the data prior to transmission to the provider, this may provide substantial additional protections, as long as the encryption keys are not available to the provider.
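As an added illustration of the point above, here is example code written for this page, not taken from the original article or from any provider's tooling: a customer-side AES-256-GCM wrapper in Go in which the key is generated and kept by the customer, and the provider, modelled as a simple in-memory blob store, receives only ciphertext. The object name and the sample record are constructed values. The round trip checks the three properties a customer would want from this arrangement: the stored blob contains no plaintext, a modified blob fails to decrypt, and a blob decrypted under a different object name is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientKey is key material generated and held on the customer's side.
// Assumption (not from the article): a 256-bit AES key kept in the
// customer's own key store; the provider never receives it.
type ClientKey struct{ key []byte }

// NewClientKey generates a fresh random 256-bit key.
func NewClientKey() (*ClientKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &ClientKey{key: k}, nil
}

func (c *ClientKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM before it leaves the customer.
// The object name is bound as associated data, so a blob copied under a
// different name in the provider's store will not decrypt.
// Output layout: nonce || ciphertext || GCM tag.
func (c *ClientKey) Seal(objectName string, plaintext []byte) ([]byte, error) {
	aead, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob produced by Seal; any change to the blob or a
// mismatched object name is rejected by the GCM tag check.
func (c *ClientKey) Open(objectName string, blob []byte) ([]byte, error) {
	aead, err := c.aead()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// ProviderStore stands in for the cloud provider: it stores and returns
// opaque blobs and never holds a key.
type ProviderStore struct{ objects map[string][]byte }

func NewProviderStore() *ProviderStore { return &ProviderStore{objects: map[string][]byte{}} }

func (p *ProviderStore) Put(name string, blob []byte) { p.objects[name] = append([]byte(nil), blob...) }

func (p *ProviderStore) Get(name string) ([]byte, bool) { b, ok := p.objects[name]; return b, ok }

// Outcome summarises what one round trip through the provider showed.
type Outcome struct {
	Recovered         []byte // plaintext the customer read back
	ProviderSeesPlain bool   // stored blob contains the record in the clear?
	TamperDetected    bool   // one flipped bit in the stored blob fails to decrypt?
	RenameDetected    bool   // decrypting under another object name fails?
}

// RoundTrip seals a record, hands the blob to the provider, reads it back
// and checks the properties the customer relies on.
func RoundTrip(record []byte) (Outcome, error) {
	var out Outcome
	key, err := NewClientKey()
	if err != nil {
		return out, err
	}
	store := NewProviderStore()
	const name = "customers/2014-q3.csv" // constructed object name

	blob, err := key.Seal(name, record)
	if err != nil {
		return out, err
	}
	store.Put(name, blob)

	stored, _ := store.Get(name)
	out.ProviderSeesPlain = bytes.Contains(stored, record)

	if out.Recovered, err = key.Open(name, stored); err != nil {
		return out, err
	}
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = key.Open(name, tampered)
	out.TamperDetected = err != nil

	_, err = key.Open("customers/2014-q4.csv", stored)
	out.RenameDetected = err != nil
	return out, nil
}

func main() {
	// Constructed sample record, not real data.
	out, err := RoundTrip([]byte("id=1001;ssn=000-00-0000"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q providerSeesPlain=%v tamperDetected=%v renameDetected=%v\n",
		out.Recovered, out.ProviderSeesPlain, out.TamperDetected, out.RenameDetected)
}
```

The design choice worth noting is that the key never appears in anything handed to the store, so the provider agreement's encryption clause is backed by something the provider cannot undo; binding the object name as associated data is a cheap extra that also catches blobs being swapped between objects on the provider side.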

It is also important to account for applicable security requirements. To this effect, several countries in Europe have very specific statutory requirements for security measures, and some regulators have issued detailed security standards for cloud computing providers. Pursuant to the WP29 Opinion 05/2012, all contracts should include security measures in accordance with EU data protection laws, including requirements for cloud providers on technical and organizational security measures, access controls, disclosure of data to third parties, cooperation with the cloud client, details on cross-border transfer of data, logging, and auditing of processing. The recent guidelines from the CSIG recommend the inclusion of the following provisions in processing agreements: (1) standards or certification mechanisms the cloud service provider complies with; (2) precise description of purposes of processing; (3) clear provisions regarding retention and erasure of data; (4) reference to instances of disclosure of personal data to law enforcement and notification to the customer of such disclosures; (5) a full list of subcontractors involved in the processing and inclusion of a right of the customer to object to changes to the list, with special attention to requirements for processing of special or sensitive data; (6) description of data breach policies implemented by the cloud service provider including relevant documentation suitable to demonstrate compliance with legal requirements; (7) clear description of geographical location where personal data is stored or processed, for purposes of implementing appropriate cross-border transfer mechanisms; and (8) time period necessary for a cloud service provider to respond to access, rectification, erasure, blocking, or objection requests by data subjects.

(c) Contract Issues

In the majority of cloud computing services, the client is the data controller and the cloud provider is the data processor. However, in certain scenarios (in particular Platform as a Service (PaaS) and Software as a Service (SaaS) in public computing models), the client and the cloud provider may be joint controllers. Under EU guidance, the responsibilities of joint controllers must be very clearly set out in the contract to avoid any “dilution” of legal responsibility.

The contract with the cloud services provider needs to set out clearly the roles and responsibilities of the parties. Unlike many outsourcing arrangements, cloud service contracts usually do not distinguish between personal information and other types of data. These contracts may still include at least basic data protection concepts, even if they are not expressly identified as such. At a minimum, companies will want to look for provisions preventing the provider from using the information for its own purposes, restricting the provider from sharing the information except in narrowly specified cases, and confirming appropriate data security and breach notification measures. Various European data protection authorities have underscored that access to cloud data by public authorities must comply with national data protection law and that the contract should require notification of any such requests unless prohibited under criminal law and should prohibit any non-mandatory sharing. Given the difficulty of negotiating special arrangements with cloud providers, it is important to select a cloud offering that is appropriately tailored to the nature of the data and the related legal obligations. It is likely that as cloud computing matures, more offerings tailored to specific business requirements, including compliance with privacy and similar laws, will be made available to companies.

Concluding thoughts

While cloud computing can substantially improve the efficiency of IT solutions, particularly for small and medium-sized businesses, the specific offerings need to be examined closely. There is no “one-size-fits-all” solution to cloud computing, especially for companies operating in highly regulated sectors or internationally. By understanding their legal compliance obligations, companies can make informed decisions in selecting cloud computing services or suites of services that best meet their needs.

In November 2012, we wrote an Alert about the European Commission’s Communication on Cloud Computing intended, it said, to “… unleash the potential of cloud computing in Europe”.  Sceptics were doubtful that the cloud industry needed much help from European regulators to thrive.

Twenty months later, the Commission has begun to deliver on its key actions in the Communication with the publication of its Cloud Service Level Agreement Standardisation Guidelines.

How helpful are these Standardisation Guidelines to the cloud sector at this point in its development?

The recently-issued Cloud Service Level Agreement Standardisation Guidelines have their origin back in November 2012.  At that time, the European Commission issued a Communication setting out a road map for the future growth of cloud computing in Europe.

In the 2012 Communication, the Commission set out a number of key actions, including to cut through the jungle of standards and to promote safe and fair cloud contracts.  The Commission believes that the development of model terms for cloud computing – and, specifically, service level agreements in the cloud sector – is one of the most important issues affecting the future growth of the cloud industry in Europe, and that standardising the approach to cloud services will enable buyers of cloud computing services to make fair comparisons between different providers’ offerings.
