THE English language is constantly evolving. Take the word “cloud”. The new meaning of this commonly used word, as a metaphor for the internet, is now part of everyday vocabulary. Most UK businesses have adopted cloud services, attracted by the substantially reduced costs and improved capabilities.
However, there is a risk of which many UK businesses seem unaware: the risk of breaching data protection laws simply by using cloud services.
The key problem is that under UK law (the Data Protection Act or DPA), personal data cannot be transferred outside the European Economic Area (EEA), unless one of a number of conditions set by the law is met. Many cloud services operate outside the EEA and so use of those services will inevitably mean that the user’s data will be held outside the EEA. That means that unless one of these conditions is met, data protection law is breached.
So, what are the conditions to be met to ensure compliance? The most popular route to compliance is to put in place between the business customer and the service provider what are called “model clauses” (a standard contract issued by the EU).
A key problem for a UK business seeking to apply these model clauses to its relationship with the cloud services provider is that, in most cases, the service provider will require the customer to sign up online to a non-negotiable set of standard terms which do not include the model clauses. This is a concern for the business customer because it is the business customer’s legal responsibility, not the provider’s, to ensure compliance with UK data protection law.
So, unless the UK business customer is aware of the problem and is proactive in ensuring that model clauses are entered into, it could be in breach of UK data protection law simply by signing up to cloud services, and could face fines as well as reputational damage.
For transfers to cloud providers based in the US, there is an alternative to model clauses, called the Privacy Shield. US companies can register under this EU/US negotiated regime, thus allowing data transfers to flow from the EU to the US, whilst remaining within the law. To date, around 1,700 US companies have registered under the Privacy Shield, including some of the big providers such as Google and Microsoft. If a provider is registered, this allows compliance by the UK business customer without having to arrange for the model clauses to be signed.
But both of these mechanisms are under threat. Legal proceedings have been raised in Ireland challenging the validity of the model clauses. Moreover, it is still unclear whether the Privacy Shield will survive if challenged through the courts (its predecessor having already been struck down as invalid under EU law). President Trump’s recent executive order removing privacy protection in the US from non-US citizens might, particularly if combined with increased powers for the US authorities to search data, hasten the Privacy Shield’s demise.
New data protection regulations come into force in May 2018, bringing heavier fines and penalties for companies breaching regulations. These regulations will not, however, remove the current issues faced by UK companies using cloud services outside the EEA.
Facilitating the free flow of data – the lifeblood of international trade and business – while protecting their citizens’ data is a hugely important topic for governments around the world. Recent shifts towards cloud services have inevitably moved this topic even higher up the agenda. Businesses that want to take hold of the advantages and opportunities need to recognise that the price to be paid is the requirement to keep themselves compliant with the constantly evolving, ever more stringent, legal and regulatory framework on data protection.
The cloud is here to stay but it might just rain on your data parade!
Fiona M Akers is partner, head of IP and Technology, Dickson Minto