A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.
Emerging technologies, such as cloud computing and the “smart city,” have the potential to greatly advance our quality of life. The use, retention, and storage of data that go along with them, however, have raised citizen concerns about privacy risks. The National Institute of Standards and Technology addresses these concerns in a new draft report titled Privacy Risk Management for Federal Information Systems, which was released on May 29, 2015. The report introduces NIST’s Privacy Risk Management Framework, which anticipates and addresses privacy risk resulting from the processing of personal information. NIST intends that the framework will lay the foundation for establishing a common vocabulary that facilitates better understanding of (and communication about) privacy risks and how to effectively implement privacy principles. Although the report is directed at federal systems, the principles outlined may be useful for any business that processes personal information. The NIST report focuses on the development of two key pillars of the PRMF: privacy engineering objectives and a Privacy Risk Model.
On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Since the ruling, many have expressed surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access, that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, much as it shouldn’t come as a surprise that many other countries’ governments provide the exact same authority.
Hogan Lovells today published an update to the White Paper A Sober Look at National Security Access to Data in the Cloud, which compares national security access to data stored with Cloud service providers in a number of countries. The White Paper adds analyses of the laws of Brazil, Italy, and Spain, and reflects the April 2014 opinion of the European Court of Justice invalidating the EU Data Retention Directive. The updated paper now compares the national security access laws of the United States, Australia, Brazil, Canada, France, Germany, Italy, Spain, and the United Kingdom.
Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.
Earlier this week, The New York Times published “Europe Aims to Regulate the Cloud,” an article considering the impact on cloud computing of the proposed European Data Protection Regulation which quoted Hogan Lovells Partner Mark Taylor. Taylor commented that over-regulation in this area could impact the adoption and use of cloud services in the EU, and this in turn could have a broader economic impact given the level of penetration which cloud-related services are now achieving. This blog post contains a link to the article.
Hogan Lovells has published a White Paper demonstrating that, contrary to recent reports, the limitations applied to U.S. law enforcement access to data stored in the Cloud during national security and foreign intelligence investigations surpass in many cases restrictions applied during similar investigations in other countries. “A Sober Look at National Security Access to Data in the Cloud,” written by Christopher Wolf and Winston Maxwell, lawyers in Hogan Lovells’ Privacy and Information Management Practice based out of the Washington D.C. and Paris offices, was released today at a panel of the authors which was presented by the OpenForum Academy in Brussels. The authors also will discuss the paper tomorrow in Paris at a roundtable discussion comparing U.S. and French government access to data in the cloud presented by the American Chamber of Commerce in France.
CNIL’s recently-released annual report gives insight from France’s authority into sanctions, the right to be forgotten, whistleblowing, and what it believes are several shortcomings in the proposed EU regulation.
The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller under French data protection law. The CNIL’s guidelines contain seven recommendations for cloud customers, and a list of recommended contractual clauses. The CNIL points out that when the cloud provider is located in a non-European country “local government authorities can send requests to the provider to have access to the data.”
The Council of Europe’s 2012 Octopus Cybercrime conference closed today in Strasbourg, France. Hogan Lovells partner Winston Maxwell presented the firm’s white paper on government access to data in the cloud. This blog contains links to the conference materials.
Hogan Lovells has published a White Paper with the results of a study about governmental access to data in the cloud around the world. The White Paper debunks the frequently-expressed assumption that the United States is alone in permitting governmental access to data for law enforcement or national security reasons. The White Paper concludes that businesses are misleading themselves and their customers if they believe that restricting Cloud service providers to one jurisdiction better insulates data from governmental access. It is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies. The White Paper examines the laws of the ten countries, including the United States, with respect to governmental authorities’ ability to access data stored in or transmitted through the Cloud, and documents the similarities and differences among the various legal regimes. The paper was written by Christopher Wolf, co-director of Hogan Lovells’ Privacy and Information Management practice, and Paris Office partner Winston Maxwell. It was released today at a program presented by the Openforum Academy in Brussels at which both Wolf and Maxwell spoke. This blog post links to a copy of the White Paper and summarizes its findings.
Privacy and data security were at the forefront of the May 11 PLI seminar program entitled “Cloud Computing 2012: Cut Through the Fluff and Tackle the Critical Stuff,” with presenters including Hogan Lovells partners Chris Wolf and Philip Porter. This blog post summarizes the panel discussions, with topics ranging from breach preparation to cloud contracting.
Following the example of the French Data Protection Authority, the Spanish Data Protection Authority has opened a public consultation on cloud computing to learn the opinions and experiences of service providers and users.
On January 10, Peter Hustinx, the European Data Protection Supervisor, released his annual “Inventory” of issues of strategic importance for 2012, indicating that he would be focusing on, among other issues, the proposed EU data protection framework, IP rights versus privacy rights, cloud computing, and financial sector reform.
Hogan Lovells Privacy and Information Management practice leader Chris Wolf will moderate a complimentary lunchtime panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders. Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend and participate. For a place at the event, please send an e-mail to email@example.com
The French Data Protection Authority (the Commission Nationale de l’Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: “already €6 billion at the European level, with a yearly growth of approximately 20%”. The CNIL is focusing on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security. Public input into the issue is sought by the CNIL, as explained in this blog entry.
The German data protection authorities on September 26, 2011 adopted an “Orientation guide – cloud computing.” The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services and cloud computing service providers. It highlights the customer’s responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.
Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial service data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject the data to U.S. national security rules, including the USA Patriot Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.
After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly contains recommendations on cloud-computing, privacy by design, and EU privacy law reform.
Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.
Cisco has launched a Privacy and Security Compliance Journey web site with a variety of useful materials and resources. Hogan Lovells is pleased to have its primer on legal issues in Cloud Computing including privacy and data security concerns as the first featured content on the Cisco site. A link to the primer is contained in this blog entry.
On November 2, the General Services Administration published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations. This blog entry describes the proposals.
The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a – in our view very helpful – set of questions that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.
Details regarding the FTC’s recently released agenda for the first of three privacy round tables it will hold over the course of the next few months.