Google Apps cloud fine print may not protect EU biz

Storing private data outside the Eurozone? Welcome to a world of pain

EU businesses that provide applications to consumers through the Google Apps platform may need additional mechanisms, beyond the new contract terms offered by Google, in order to legitimately transfer personal data collected from app users overseas, an expert has said.

Google has announced that it will offer "model contract clauses" to app providers as a means for those businesses to lawfully transfer personal data outside of the European Economic Area (EEA). Out-Law.com asked Google to provide a copy of the model contract clauses it intends to offer, but a spokesman for the company said the information was not available yet.

However, data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, has said that if it is Google's intention to store the data collected by app providers in the cloud, then complex contractual arrangements may have to exist to make that activity legitimate.

How the cloud will rain on data law

Cloud computing refers to the use of computers and software on an internet-based network to do information processing rather than the use of local computing resources. It allows internet users to access or store information without owning the software to do it and many online companies, such as Google, operate huge servers that store the data and deliver it to users.

Current EU data protection laws prevent companies sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.

What can a company do to work within the red tape?

Model contract clauses have been approved by the European Commission as one mechanism companies can use to legitimately transfer personal data they collect to other companies based outside of the EEA. The clauses insert standard provisions into a contract that enable the flow of data between EU-based businesses and those located in "third" countries, ie, a non-EEA entity that is not a pre-approved country. The clauses enable outsourcing of personal data processing to firms based in non-EEA countries.

In a company blog, Marc Crandall, senior manager of global compliance at Google Enterprise, said that the new clauses would offer app providers "an additional option for compliance" with the EU's Data Protection Directive.

Kathryn Wynn said Google was probably setting up the model contract clauses to enable it to provide overseas cloud storage of the personal data that app providers collect from users of those apps. She said though that it "can be quite difficult in a cloud computing context to put in place valid model contract clauses".

"In order to be compliant with the 'adequacy' requirement of the Data Protection Directive the app providers would have to enter into model contract clauses with the first non-EU Google entity in the contractual chain that imports the data and the model contract clauses would need to detail each jurisdiction in which the data could be hosted. This will implement valid model clauses that will ensure an adequate level of protection for the personal data transferred," she said.

"If model contract clauses are not correctly implemented and there is a risk that the adequacy requirement will not be met, app providers would need to rely on another mechanism for compliance in order to justify overseas transfers of their users' data outside of the EEA.

"In those circumstances app providers could rely on their own self assessment of adequacy to justify overseas transfers of personal data outside the EEA," Wynn said. "Self assessment is where companies look at various aspects of the data protection regime in third countries, and consider things such as the strength of local laws, the security of data centres and take into account the sensitivity of the personal data that would be transferred to those countries.

"The existence of the model clause obligations in the contractual chain, even if not correctly implemented because they are not between the correct parties - ie, if between the Google entities rather than the relevant Google entities and the apps providers, will help in the overall assessment of adequacy. However, those provisions alone will not achieve adequacy," Wynn said.

"The more sensitive the personal data the more robust the adequacy requirements. Companies relying on self assessment as a mechanism for legitimising personal data transfers need to conduct due diligence and keep an audit trail of their assessment," she added.

What do companies in the US have to do?

Model contract clauses have been popular with EU businesses looking to transfer personal data to third countries, although other existing frameworks for safeguarding personal data when sent outside of the EEA have also been developed.

The US-EU Safe Harbor scheme is an agreement drawn up between the European Commission and US Department of Commerce that allows for the transfer of personal data from Europe to the US where data protections meet EU standards.

US organisations that conform to the protection requirements in the Safe Harbor scheme are deemed as having met European safety standards outlined in the Data Protection Directive. The Directive sets out standards around the lawfulness of personal data processing as well as for the security of personal data that is held by organisations, among other things. Google is one of 2,500 US firms accredited under the Safe Harbor scheme.

To qualify for Safe Harbor, a US organisation must develop its own self-regulatory privacy policy, join an existing privacy programme, or be subject to a statutory or law body which achieves the same standards as those set in the Safe Harbor scheme. Member firms are audited annually to ensure they are complying with their commitment to the privacy of data transfers.

Last year the Federal Trade Commission (FTC) claimed Google had breached the Safe Harbor agreement by misusing customers' personal information it collected from Gmail users in its social network service Buzz without permission. Google failed to give notice to customers that their email contacts would be shared with other users if they chose to sign up to Google Buzz when it launched in 2010, the FTC said.

Google settled the case with the FTC by promising to conduct privacy audits every two years for 20 years; promising not to misrepresent the way it deals with personal data; and promising to obtain explicit consent before sharing users' information with other companies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
