With the recent activities of the NSA and GCHQ coming to light through Edward Snowden's disclosures, and against a background of recent case law and previous judicial intervention, business is becoming more alive to the problems of data security, access, disclosure, and information transfer, particularly when utilising cloud-based solutions.
In this article I highlight some key points businesses should consider when looking at their IT structure, information systems, and data security and management protocols, and how these fit with their customer and client engagement terms.
Cloud based solutions
When utilising cloud-based solutions, think about where the data will be held. Are you engaging with a US company, a provider with US parentage, or someone who utilises non-EEA servers? If this is the case, your data may not necessarily be secure, and unless your customer and client engagement documentation has been properly drafted, you may be in breach of the obligations you owe to your customers under UK law.
PRISM and its fallout
PRISM and its related programmes allowed the US government to access communications data relating to foreign nationals, within the US or upon US-owned networks. US national data could not be accessed under PRISM due to constitutional protections; however, this was addressed by GCHQ. The ongoing fallout from PRISM is continuing to cause issues with respect to the safe harbour arrangements in place between the US and the EU, and it may well be the case that these are suspended at some point in the future.
The cloud and PRISM – what you need to do
The ultimate consequence of this is, first, that customer and client terms and conditions should properly reflect the fact that in many situations data may be held outside the EEA and may be subject to a (much) lesser level of protection than if it were held in the EEA by EEA processors. Secondly, one must be careful in making guarantees where third-party reliances may be present. By this it is meant: don't guarantee that your provider's security will be absolute; only undertake to use a certain level of effort to ensure that this is the case.
The consequences of PRISM and the potential suspension of the safe harbour provisions cause particular concern for regulated organisations, such as legal firms, who are obliged by their professional rules to retain client confidentiality. They need to look particularly carefully at any contracts which involve the processing of client data.
Are the safe harbour protections really of any use?
Even without suspension of the safe harbour mechanism, one must question to what extent it actually provides effective protection. In the recent Microsoft case, "Microsoft Corporation and its Controlled US Subsidiaries" was listed under the safe harbour scheme (it still is). However, this did not prevent a US court from requiring disclosure from Microsoft of EU data held on EU servers.
From the client perspective
A good understanding of the terms upon which your data is being processed is key, and to this end it is fundamental to become aware of (and, if appropriate and possible, negotiate amendments to) the agreements under which service providers gain access to information. Particular consideration needs to be given to sensitive information. In addition, strong internal policies and procedures relating to the handling of information need to be put in place, and adherence to them ensured.
Aside from considerations as regards access, one must also evaluate the effect of other legislation, particularly that aimed at the prevention of bribery and corrupt practices. The 2006 Statoil case is of relevance here. This concerned alleged bribery of an Iranian government official by a Norwegian company. In this instance two payments were routed through a US bank. This was argued to satisfy the extraterritorial jurisdictional requirement under US anti-bribery laws, namely that means of interstate commerce were being used in connection with the relevant activity. More recently, less significant actions have been argued to bring US law into play. See for example the indictment in 2009 against Jeffrey Tesler and Wojciech Chodan. In this matter, there was focus on the sending of one fax from the UK to the US, and upon two emails sent to the US. Businesses need to be alive to the fact that even though they may not be in the US, or addressing a US activity, US law may still be of relevance.
One should also not forget the US export restrictions, as they can apply to the movement of technical information and know-how across borders. In this instance it is fundamental to have in place good information tracking and restriction protocols.
Where the law is moving
If one were to identify any trend in the law relating to information, it would be towards greater protection for the individual. See for example the recent decision of the German Higher Regional Court of Koblenz (case reference 3 U 1288/13), which weighed a claimant's right to privacy in respect of private photographs as more important than the defendant's right of property in the photographs. The recent decision in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (13 May 2014) confirmed a right for individuals in certain circumstances to have their personal information removed from a search engine's facilities. However, whilst this trend may give some comfort, it should not give a false sense of security to those who deal in, or have concerns regarding, personal data.