Weekend Special: Privacy, the Patriot Act and Contracting explained
Let me start with a distinction that is essential to this topic. Whether it is legal to use a service and to what degree your data is safe, whatever "safe" means to you and your company, are two different questions. I will look at the whole privacy topic from these two perspectives:
- Is it legal to use a cloud service
- Risks and risk management
As privacy rules and laws differ from country to country, I have picked Germany as my example. Please be aware that you should always check your position with your legal counsel, in house or external, and not act solely on my statements here. I am not a legally trained advisor and speak only from experience of over a decade of outsourcing and more than 4 years of cloud sales and management.
Is it legal to use a cloud service?
Privacy laws generally look at PII (personally identifiable information, in German: personenbezogene Daten). This is important because it means they do not address your trade secrets, patents, etc. So what is PII? In short, it is data about your customers and employees. If you want deeper insight into the European view on this, look here: http://ec.europa.eu/justice/data-protection/index_en.htm
The basic rule is that PII should not be transferred anywhere and that access to it is restricted. As we all know, in practice there have long been concepts like hosting by partners, outsourcing, etc., and they still exist. Consequently there must be rules and ways to transfer data. Let's first look at the geographic stack of rules one by one.
- If you operate the systems yourself you need to ensure that you follow the rules, but you need not create a written agreement with yourself.
- If you task another company with operating your systems you do need a DPA (data processing agreement, in German: Vereinbarung zur Auftragsdatenverarbeitung). This puts you in a position to fulfill the local law on the transfer of PII (paragraph 11 of the German data protection law, Bundesdatenschutzgesetz). This is nothing new to most customers and hosting/outsourcing providers, but it is one step on the learning curve for software or hardware companies that have never offered services before, or have offered them only in the U.S.A.
- If you / your contract / your partner fulfill the requirements for Germany, a data transfer within the European Union does not require any additional agreements. This is based on the view that there is a comparable level of data protection and privacy within the EU.
- If you now have a situation where the transfer of data outside of the EU is required, there are two classes of countries:
- Countries where the EU recognizes the level of data protection as equal or higher to its own rules. Transfer into these countries is possible without further agreement; examples are Canada and Jersey.
- Countries with a non-comparable or inadequate level of data protection. To legally transfer PII into these countries you need to put additional agreements in place.
So there is a way to legally use cloud services as long as you have the agreements in place to transfer data. Especially for the latter group of countries, which includes the U.S.A., the key question is which agreements are needed for a legal setup. Before we look into that, I believe it is important to explain what a data transfer actually is.
Take a physical copy of the data, put it on a plane and fly it to another country, or copy data from a server in country A to a server in country B. This is what most people have in mind when they think about data transfer. Hence the most frequently asked category of questions is: "Where is my data stored?", "Can you guarantee my data stays in the EU?" While these are surely valid questions, we need to ask ourselves whether that is all and whether these questions are really the relevant ones. The one thing you have to keep in mind to get a grip on data transfers is that it is not about copying or storing, but about data access. So even if you store the data in your basement, as soon as a remote administrator accesses the system from wherever, you have a data transfer or at least a potential data transfer. The right question would therefore be: "From where will the service provider, cloud or no cloud, have access to the data?"
Agreements needed to transfer data
Let’s have a look at the potential agreements needed to transfer data from Germany to the U.S.A. in a common cloud scenario.
- The cloud provider needs to present you with a DPA as part of the contract; this is the minimum requirement. Companies like Salesforce.com or Microsoft (O365) do this for enterprise customers.
- To move data to the U.S.A. there are certain agreements in place, whose usefulness and strength are viewed quite differently.
The first is Safe Harbor, an agreement between the EU and the U.S.A. about the data privacy rules needed to allow a legal transfer of data. It is based on self-certification of companies providing services that include the transfer of PII (ITO, BPO, cloud, multinational operations, etc.). The agreement is under fire from critics because of the concept of self-certification and the lack of control and enforcement in the U.S.A. There have been examples where companies signed up for it but were far from fulfilling the requirements stated by the Safe Harbor Act.
The second is the EU model clauses, a collection of rules that should be added to a contract without change. These rules are quite strong in many senses. As they pose certain challenges to the concept of cloud computing, especially in the areas of subcontractors and auditing, not many cloud service providers have yet embedded them in their contracts. From a legal perspective the EU model clauses put you in the position, if fulfilled, to legally transfer data. There are some bits and pieces you should keep in mind about the EU model clauses, though. As pointed out by the Article 29 working group and the Düsseldorfer Kreis, there is a challenge in how you contract a service including the EU model clauses, as you seldom have a contract with the US entity but more often with a European subsidiary. And for contracts between two EU-based companies the EU model clauses are not needed. You can find the commentary and suggestions of the Article 29 working group on this topic here. Be sure to question the cloud service provider on his view.
- Certifications like ISO, SAS 70, TRUSTe, TÜV, etc.
None of these certifications has any legal effect in the sense of replacing the agreements above. They do help you, though, to gain an additional level of trust. In addition, the DPA and the EU model clauses create an obligation for you to control your service provider. As pointed out earlier, audits are an issue for cloud providers. Not because they are against customers conducting audits in general, but because they operate large-scale environments with thousands of customers, and allowing customer-initiated audits would heavily and permanently disrupt operations. The silver bullet for fulfilling the rules while operating a data center rather than a tourist visitor center is to perform audits that are recognized by customers and authorities alike. The customer then just has to ensure that the provider is recertified on a regular basis and to read the audit reports, or at least the measures recommended by the auditors. The audits recommended are ISO and SAS 70 Type 2. Most Europeans are not familiar with SAS 70 audits, so allow me to point out that Type 2 is important as it involves testing the processes and controls rather than just listing them.
So my conclusion is that you can legally contract a cloud service if you have the right controls and contractual agreements in place. Is anybody wondering why we have not discussed the Patriot Act so far? This evil thing that, the press and many critics claim, makes cloud services illegal. There is a simple reason. What is mostly discussed about the Patriot Act is fear, or at least a lack of trust in the U.S.A. and its agencies. And though it is always said that it is all a legal discussion, when it comes to the transfer of PII and agreements with the U.S.A., not one authority has pulled the plug and declared working with the U.S.A. illegal.
One additional remark here towards limitations in certain verticals or for specific businesses. There might be additional rules in place on top of the general data protection laws. Please work with your legal counsel to ensure that you know these, and question your service provider on how they handle them. One example is the banking law in Germany (Kreditwesengesetz), which details the requirements for audits by authorities.
Risk and Risk Management
Finally, this is where the Patriot Act comes into play. It will not be the main topic, though. A lot of the privacy discussion is focused on the Patriot Act and creates a lot of fear. The interesting thing is that, from a legal perspective, an enterprise can create an environment that massively reduces the risk of legal action simply by following the rules pointed out above. But is this the major risk as perceived by the enterprises? It certainly is a part of it, as nobody wants to be picked up by data protection authorities and presented with fines, but let's face it, the bigger economic risk lies elsewhere. It is about trade secrets, patents not yet published, the design of future products, etc. In addition it is about internal processes and historical information. To get an idea of the value of these bits and pieces, look at Toyota's struggle with regard to their foot mats and the falsely accused self-accelerating cars, or the Siemens corruption charges, and the potential fines and damage to the image in both cases.
So it is about trust, the calculation of probabilities and the cost/value of the risk itself. And this is where it starts to become difficult, as the risk assessment is an individual process for each customer. It happens that two customers value the same risk completely differently. And that is perfectly fine, as in risk management there is no right or wrong.
The laws do not look beyond PII. So when it comes to the precious data of an enterprise, the question is how far that data could be exposed and what the cost saving is in comparison to the risk. I have been in negotiations with customers that clearly stated that saving $2-3m per year does not counter the risk of exposing data that could produce harm of hundreds of millions, either through fines or missed business opportunities.
What makes the assessment so difficult is the distinction between lawful requests and cloak-and-dagger actions. The Patriot Act and the lack of trust towards the U.S.A. are the reason for that. Most of the time the Patriot Act is referred to as the one law giving US agencies free access to any data just by sending in a letter. Let's start dissecting this a little bit. First of all, the Patriot Act is a collection of amendments to already existing laws. Among other things, the Patriot Act allows new means of accessing data. The general procedure is to go to court, get a subpoena, present it to the owner of the data and press for its release. This is a general process in place in countries all over the world. Then there is the so-called sealed subpoena, which might go to a service provider directly to get the data immediately and without notification of the data owner. Does this sound scary? Yes and no. First of all, the sealed subpoena still comes from a judge, so the judicial system is involved. Second, the question is with what probability this happens, and how you can protect yourself if you want to. Experience shows that within 6 years of operating a cloud service one of the top cloud providers has not seen a sealed subpoena yet, so the risk seems rather low. On the other hand, the means of avoiding data access are limited. As soon as you have a significant subsidiary or business in the U.S.A. you are subject to the Patriot Act. You could claim that this only encompasses your US subsidiary and that you do not have to hand over data held by your European entities in European datacenters, but that is wishful thinking. If in doubt, the US would take your US board / management team into custody and enforce imprisonment for contempt.
It is then a decision for each company how to handle this situation, and this is also where companies like Microsoft are quite clear that they will not send their CEO to prison to hold back customer data requested according to the law.
One quote from Toyota, which I admittedly did not receive first hand: "Throughout the crisis around the foot mats and the accused self-acceleration we have learned that the US courts will get access to relevant data independent of the physical location and therefore have come to the conclusion that this is not a roadblock anymore that prevents us from using cloud computing offered by US companies."
The other area is the cloak-and-dagger stuff. People fear economic espionage by the US government to strengthen local business. Whether this is a valid assumption or not I cannot judge, but if you believe in it you need to act accordingly. Just consider one thing: this should not stop you from using cloud computing in general. It just stops you from using it for certain areas like R&D or M&A. You could still use it in many other areas and create a benefit.
One interesting tidbit is that a lot of these discussions only came up with cloud computing, but the rules are all the same for outsourcing, hosting and even self-delivered IT. Isn't it strange that we question things for one side of the coin but not the other? I believe that in an evaluation of business options, and sourcing strategies are business options, the evaluation matrix should be the same for all. Any other approach is to me either cheating or a strategic decision that overrules the evaluation.
Additional quick overview information is available in this post: https://clouddiscussions.wordpress.com/2011/08/08/common-misperceptions-fear-uncertainty-and-doubt/
Update December 15th:
EU model clauses and data processing agreement as a standard
Microsoft has taken a bold step here. So far the EU Model Clauses have been granted on an exception basis only, and the DPA (data processing agreement) has been shaky.
With this news Microsoft is now taking the lead. Google is far away from EU Model Clauses and DPAs in their contracts, hence they are not active so far in, e.g., Germany. Salesforce.com has a DPA (a good one!) and is relying on the Safe Harbor Act. This Act is under criticism for many reasons, and the only other way is the EU Model Clauses.
I will need to dig a little bit to see how Microsoft finally implemented the EU Model Clauses. Critical points are:
- list of subcontractors and the right to disagree
- Article 29 group comments on which parties can actually agree on model clauses contractually
- audit rights
If Microsoft takes this and gets the marketing wheels turning, it could be a starting point for SaaS use in the enterprise space on a broader basis.