1. UK - ICO's position
The UK data protection regulator, the ICO, recently published a statement on this issue. It doesn't seem to have been publicised much, and is worth noting.
I quote it in full below but, to summarise, the ICO has stated that a UK cloud customer who processes personal data in the cloud won't face regulatory action from the ICO just because the provider might potentially be forced to disclose the personal data to foreign authorities. In other words, the possibility that a provider may be subject to foreign authorities' requests for customer data isn't, in itself, a bar to using foreign providers.
The provider is normally treated as a mere "processor". However, if and when the provider makes such a disclosure, it would become a "controller" of that personal data, with attendant data protection law responsibilities/liabilities. Nevertheless, the ICO is unlikely to take regulatory action against the provider, because the provider was legally obliged under foreign law to disclose the data. However, if the request came from a country with a "questionable rule of law", the ICO would consider the position on the facts.
What the ICO didn't clarify is how likely it is to take action if the provider discloses personal data following a mere request, rather than under legal compulsion.
Here's the full ICO statement (my emphasis):
"Compulsory disclosure of personal data by cloud providers
We outlined our position on the compulsory disclosure of personal data by cloud providers to foreign law enforcement agencies eg under the USA PATRIOT Act. Our view is that under normal circumstances a cloud provider is the data processor on behalf of the cloud client who is the data controller.
If a provider is required to comply with a request for information from a foreign law enforcement agency, and does so, the provider will be the data controller in respect of that disclosure. This is because it is making the decision to disclose based on a legal obligation it is under regardless of the client’s wishes. Regulatory action against the client is unnecessary because the client has not acted wrongly simply because it has chosen a provider which is subject to foreign law enforcement agency requests. Regulatory action against a provider, in its role as a data controller, is unlikely because it is responding to a request it is legally obliged to comply with. However if the request comes from a country which has questionable rule of law - then we would have to consider the issue on the facts of the matter."
All this ties in with the analyses in a couple of papers by the Cloud Legal Project (where I'm a consultant, part-time) - one on responsibility for personal data in the cloud, including who's considered "controller" and who's simply a processor, and one on law enforcement access to cloud data.
2. US PATRIOT Act and EU cloud users generally
I previously summarised the original version of Prof Ian Walden's paper on law enforcement agents' access to cloud data. It's since been updated to add discussion of the PATRIOT Act issue.
To summarise the PATRIOT Act points he makes:
- We shouldn't lose sight of the fact that the US isn't the only country where authorities may make service providers disclose data for law enforcement or national security/anti-terrorism purposes. Many if not most other countries, including in the EU, also have laws giving broad powers to law enforcement authorities to access data. Fears voiced about US providers may be more reflective of their current dominance in the global cloud market. A greater source of concern is the differences between US and EU privacy laws.
- If US authorities ask providers for data stored by cloud users in EU facilities, providers usually have the right, as against the customer, to disclose the customer's data to authorities. This is because, as discussed in a separate Cloud Legal Project paper, most cloud providers' standard contract terms reserve rights for the provider to disclose users' data to authorities if required by law (or, in some cases, simply upon official request). This isn't surprising, as providers need something like that in their TOS for their own protection, to avoid being caught between a rock and a hard place.
- The trickier question is, will disclosure of personal data to authorities of non-EEA countries, such as US authorities under the PATRIOT Act, breach EU data protection laws? (This assumes that the provider, who becomes a "controller" on making the disclosure, is subject to EU jurisdiction - which is yet another matter...).
- EU data protection laws do allow or exempt certain processing for law enforcement purposes, e.g. where necessary for "prevention, investigation, detection and prosecution of criminal offences". However, there's no such exemption when it comes to the restriction on transferring personal data outside the EEA. (Note that this restriction only applies to "personal data". There's no such restriction relating to non-personal, anonymous data, whether confidential or not: other laws might be relevant in that case, but not data protection law.)
- Therefore, personal data can be transferred to US or other non-EEA authorities only if it would be "adequately" protected in the recipient country, or if an exemption or derogation applies.
- What's "adequate protection" here? ("Adequacy" has a special, limited meaning in this context: please see the article on the transfer restriction for more details).
- Transfer to authorities of a white-listed country would be considered "adequate", for example - but the US isn't on the whitelist.
- Some EU countries, like the UK, allow the controller to make its own assessment of adequacy. In such cases, the provider might decide there was adequacy based on representations by the requesting authority, e.g. regarding domestic judicial oversight of the subpoena for the data. The provider might also take the view that a Mutual Legal Assistance Agreement between the EU and the US could be relied on to provide assurance of "adequacy" for disclosures to US authorities, although the MLA's data protection provisions don't seem to meet minimum criteria laid down by EU data protection regulators regarding content and enforcement/procedures.
- But if the provider decides there isn't "adequate protection", then it can't transfer the requested personal data outside the EEA unless, essentially, there's an exemption. As mentioned above, there's no law enforcement or anti-terrorism exemption here, so one possibility might be the exemption for transfers "necessary or legally required on important public interest grounds". EU regulators have already ruled that this refers to the important public interests of an EU country only. The interests of other countries, e.g. the US, aren't enough to trigger that exemption here. However, it's not clear whether something that's necessary in the US public interest could also be in the public interest of the EU country in question, i.e. could there be a "dual" public interest? Many serious crimes, like terrorism, may be transnational in nature, so the same conduct might constitute criminal offences in several countries. If a non-EEA authority claims there's a "dual" public interest in its obtaining the requested data, can the cloud provider just accept that claim, or would it be expected to ask authorities in the EU country to confirm that that was the case?
- All this means that any disclosures of personal data by providers to non-EEA law enforcement authorities may well be unlawful under current EU data protection laws (although in the UK the ICO has indicated, as mentioned above, that it's unlikely to take regulatory action against the provider, at least where it's disclosing data under a court order or other legal requirement of a country with "non-questionable" laws).
- This legal uncertainty obviously represents an obstacle to cloud computing, which the proposed reform of data protection laws needs to address.
The updated paper by Prof Ian Walden detailing the above is available for free download: Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent.
Posted by Kuan Hon, a part-time consultant to the Cloud Legal Project and a joint law and computer science PhD candidate at Queen Mary, University of London.