Clouds and law enforcement access

Wednesday, June 6, 2012 - 11:21

When talking about the use of cloud services, an issue that often comes up is whether the ability of foreign law enforcement agencies to access data makes it unlawful to use a service hosted in that country. The law most often mentioned is the USA PATRIOT Act, but plenty of other countries (including the UK and others in Europe) give their law enforcement agencies powers to access material that is either accessible from computers in those countries or crosses their networks.

The US position is actually an interesting test of the position under European data protection law, because the EU formally recognises companies registered under the US Safe Harbor scheme as providing adequate protection of personal data according to EU standards. Since those same companies are subject to the USA PATRIOT Act, and EU regulators continue to promote the Safe Harbor scheme, the two clearly cannot be completely incompatible: an organisation subject to the USA PATRIOT Act can still provide adequate protection under EU law.

Safe Harbor only covers certain US commercial organisations, so what about transfers to other organisations, for example US universities? The Information Commissioner's guidance explains the different ways to transfer personal data to those. The factors to be taken into account in deciding whether there is adequate protection are:

  • the extent to which the country has adopted data protection standards in its law;
  • whether there is a way to make sure the standards are achieved in practice; and
  • whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.

And information is unlikely to be adequately protected if both:

  • the transfer is to a processor in an unstable country; and
  • the nature of the information means that it is at particular risk.

Neither here nor in the detailed guidance is there any mention of law enforcement powers as a factor to be taken into account, so it seems that such powers are not relevant in assessing whether or not an overseas transfer is lawful.

Just because something is lawful does not mean it is always a good idea. There may be other reasons, including particular privacy or confidentiality concerns, to decide not to send particular information or services to a different country. If, for example, an organisation is handling information that might be of special interest to another organisation or country, then that should indeed be a factor in deciding where to process it. For the most sensitive information, a risk assessment may indicate that it should not leave the organisation at all. The JISCLegal Cloud Computing toolkit has a lot more information on assessing and dealing with regulatory and other risks.

The proposed EC Data Protection Regulation contains a hint that the legal situation may be clarified when it becomes law. Article 41(2)(a) sets out the elements that the Commission must take into account when deciding whether a third country provides adequate protection, and for the first time this explicitly includes "relevant legislation in force ... including concerning public security, defence, national security and criminal law". So, unlike the current situation, once a declaration of adequacy has been made we should not need to worry about a legal risk created by law enforcement powers, because the Commission will have assessed that for us. The confidentiality risk will, of course, still be up to individual organisations to assess.