Column: Cross-border Cloud Concerns

By Neil S. Ende

This is Part II of this article. Read Part I, on contract concerns and FCC enforcement of privacy regulations, by clicking here.

There are a few particular areas of legal concern relating to cloud services: for end users, the adequacy of their contracts with cloud service providers; and for cloud service providers, the increased emphasis by government agencies, such as the Federal Communications Commission, on enforcing security and privacy regulations, as well as the storage of data from the European Union.

Cross Border Privacy Issues

The Cloud has facilitated the transfer of data across borders, triggering regulatory requirements beyond those providers face for domestic concerns.

For example, European Union Data Protection Directive 95/46/EC provides that the transfer to a third country of personal data that is undergoing processing, or is intended to undergo processing, may occur only if the country to which such data is transferred “ensures an adequate level of protection” of such data, or if such transfer is allowed as a derogation.

Thus, a company transferring personal data from the EU for processing outside of the EU must comply not only with all applicable regulations in the country where the data will be processed, but also with these EU requirements. While this Directive applies only to EU Member States, these Member States have implemented the Directive through their own local laws, creating regulatory obligations not only for EU-based companies, but for any company that transfers EU personal data for processing outside of the EU.

The U.S. has facilitated the transfer of EU personal data to the US for processing by adopting the US-EU Safe Harbor Framework, which allows US organizations to join the safe harbor list by certifying, on an annual basis, that they comply with the Framework’s seven Safe Harbor Privacy Principles. These principles require, among other things, that organizations: (1) notify individuals about the purposes for which they collect and use information about them; (2) give individuals the opportunity to opt out from disclosure of their personal information to a third party or for use for a purpose incompatible with the purpose for which it was originally collected; and (3) take reasonable precautions to protect such personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

It should also be noted that increased enforcement is not limited to the FCC. The FCC and the Federal Trade Commission, which is broadly empowered to enforce against unfair methods of competition and unfair or deceptive practices in or affecting commerce, meet monthly to discuss the strategies and actions they are taking. As such, while the Cloud provides many increased efficiencies and benefits, both end users and Cloud service providers must exercise due diligence to mitigate the increased risk that information stored in the Cloud may be disclosed and to ensure adequate legal protection in the event a disclosure does occur.


For more information, please give us a call at 202-895-1707. For the latest telecom news and access to valuable original content, please follow Technology Law Group on Twitter @TechLawGroup.