The increasingly international nature of cloud-based services is generating new challenges for employer customers in meeting their obligations under data protection law and the EU Data Protection Directive (95/46/EC). The use of cloud services requires careful consideration in understanding and applying the data protection rules to formulate contractual arrangements that satisfy the data transfer restrictions, processor security obligations and other data protection obligations imposed on the employer cloud customer.

This bulletin focuses on data transfer restrictions, as employer customers often need not only to use clouds to store their employee information but also to subsequently transfer such data outside the European Economic Area (EEA) to, say, Japan.

The employer, being the data controller, will remain legally responsible for any data processed and will be liable for any breaches of data protection law, whether or not they are due to the acts of the cloud provider. To summarise, the ways in which employees’ protected data may be transferred outside the EEA are:

• If the recipient country provides an adequate level of protection for the personal data;
• Ensuring that the cloud provider has implemented the necessary security measures for that data. This must be paired with the provider and the controller (employer) entering into a legally binding contract to confirm the provider’s obligations in relation to security and to acting only under the strict instructions of the employer;
• To send the data to a cloud in a ‘white list country’, for example Canada, the Isle of Man or Guernsey; the list is yet to include Japan or the US;
• To transfer the data to a ‘safe-harbour-registered cloud’ – eligible US organisations can subscribe to the safe harbour to facilitate the lawful transfer to them of data from countries in the EEA; a certificate is issued;
• On self-assessment – an employer data controller may, in principle, transfer data to a non-EEA cloud that is not in a white list country or registered with the safe harbour, provided that it has conducted its own positive assessment of adequacy consistent with national DP law; but, of course, many are understandably nervous about self-approving their transfer of data;
• Ensuring they enter into legal contracts with the cloud provider containing Commission-recognised clauses (‘the model clauses’);
• Obtaining consent from the data subject, though the Working Party, which is composed of representatives of the national data protection authorities and the European Commission, has advised against relying solely on this.

It is therefore advisable that employers use the following methods:

• Store employee data with a safe harbour cloud provider and execute a written contract to satisfy the processor security obligations and instruction-only obligations; or
• Use the ‘onward transfer principle’ by transferring from a safe harbour cloud provider (SHCP) to a white-list country cloud provider, or oblige the SHCP to enter into an agreement such as a data transfer agreement with the non-white-list country.

In reality, the lack of publicised enforcement action against employers/cloud users for failing to comply with data protection laws and the data transfer restrictions still makes it very hard for users to assess what enforcement action would be taken, whether a DP authority would attempt to impose sanctions on all users of the same cloud service or whether they are doing the right thing generally.

For further information, please contact Koichiro Nakada – Head of Japan Business Group (koichiro.nakada@lewissilkin.com) and Yoko Nakada – Senior Associate, Deputy Head of Japan Business Group (yoko.nakada@lewissilkin.com).

Disclaimer
The information and any commentary on the law contained in this bulletin are provided free of charge for information purposes only. No responsibility for their accuracy and correctness, or for any consequences of relying on them, is assumed by Lewis Silkin LLP or Centre People Appointments. The information and commentary do not, and are not intended to, amount to legal advice and are not intended to be relied upon. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not rely on the information or comments in this bulletin.

This information is supplied by Lewis Silkin LLP www.lewissilkin.com
