There is an inherent tension between the delivery of cloud-based computing services and data protection laws. How can an organisation allow personal information to travel freely and seamlessly from server to server around the world whilst still ensuring it is subject to an adequate level of protection? How can that organisation ensure the security of this information if it doesn’t know where it is or even who holds it?
A recent ruling by the Danish Data Protection Agency (Datatilsynet) provides an example of the problems that can arise in practice and the regulatory hurdles facing the cloud computing industry.
The Danish Odense Municipality asked for an advance opinion from the Datatilsynet about its proposed use of the Google Apps online office suite. This suite of products was to be used within schools and would, amongst other things, process sensitive personal data about health, social problems and other private matters about pupils.
As a public body, the Municipality is subject to not only the general security obligations in the Danish data protection act but also the more stringent security requirements set out in the Danish Executive Order on security measures for the protection of personal data processed by the public administration.
The Datatilsynet undertook a review of the proposed use of Google Apps. Despite its generally positive view of new technologies and cloud computing, the Datatilsynet concluded that it was not appropriate to use Google Apps to process confidential and sensitive data about pupils. There were five main reasons for this conclusion.
Inadequate terms and conditions
The Google Apps suite was to be provided by Google Ireland Limited as data processor for the Municipality. Under the Danish data protection act, the Municipality must have a written contract with Google obliging it to only act on the Municipality’s instructions and to take appropriate technical and organisational security measures. These obligations are reflected in Sections 1.4 and 1.5 of the terms offered to the Municipality (though interestingly, these don’t appear to reflect the current terms and conditions offered by Google):
“1.4 Customer therefore instructs Google to provide the Services and process End User personal data in accordance with the Google Privacy Policies and Google agrees to do the same…
1.5 …For the purposes of this Agreement … the parties agree that Customer shall be the data controller and Google shall be a data processor. Google shall take and implement appropriate technical and organisational measures to protect such personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.”
The Datatilsynet decided that Section 1.4 was insufficient as it merely instructed Google to process data in accordance with its own policies, which it might choose to vary unilaterally. It considered that this obligation was “devoid of content in purely material terms”.
The security obligations were unacceptable. Section 1.5 satisfies the general obligation to ensure the data is kept secure. However, it does not satisfy the additional requirement arising under the Executive Order to flow the obligations in that Order down to Google. The use of generic security obligations in Section 1.5 of the terms and conditions was therefore insufficient.
Inability to ensure security
Perhaps more fundamentally, the Danish data protection act requires the Municipality to ensure that the data processor complies with its security obligations in practice, which is likely to require some sort of audit or inspection of that processor’s facilities.
This is a problem with a cloud-based solution, as information is likely to flow freely between data centres. In this case, the Datatilsynet concluded that the Municipality was unaware of where its data was physically located and, on that basis, it questioned whether the Municipality would “be able to actively ensure that the required security measures are upheld at the data centres”. This was the case even though the Google Apps service was subject to a SAS 70 Type II audit, meaning that independent auditors had examined and verified Google’s security practices.
Specific security requirements in the Executive Order
The Municipality was also unable to demonstrate that the Google Apps service complied with a number of specific security obligations in the Executive Order. These include:
- inadequate provisions to delete personal data. While Google had strict procedures in place to overwrite and/or dispose of old hard drives, this was not sufficient to meet the stricter technical requirements of the Executive Order which require data to be overwritten multiple times in accordance with a recognised standard, e.g. DOD 5220.22-M;
- insufficient evidence that data is encrypted when transmitted between Google’s data centres. This was a particular issue given that sensitive personal data would be transmitted as part of this process;
- inadequate monitoring and control of unsuccessful login attempts. There was no evidence that unsuccessful login attempts (which may be evidence of an attempt to hack the system) were logged or that access would be blocked following repeated failures to access the system; and
- inadequate usage/audit logs. It was unclear how the Municipality would comply with the requirements in the Executive Order to keep usage/audit logs on the processing of personal data.
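As an added illustration of the third and fourth points above (it is not part of the Datatilsynet opinion or of Google’s systems), the following Python shows what a minimal control for those two Executive Order requirements looks like: every login attempt is written to an audit log, and an account is blocked once it exceeds a failure threshold inside a sliding window. The threshold, the window, the log tuple format and the sample events are assumptions chosen for the example.

```python
"""Failed-login monitoring with lockout, plus an audit log of attempts.

Added example, not code from the Datatilsynet opinion or from Google.
The threshold, window and event format are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # assumed lockout threshold
WINDOW = timedelta(minutes=15)      # assumed sliding window for counting failures

# Constructed sample authentication events: (ISO timestamp, user, outcome)
SAMPLE_AUTH_EVENTS = [
    ("2011-02-01T08:00:00", "teacher.a", "fail"),
    ("2011-02-01T08:00:05", "teacher.a", "fail"),
    ("2011-02-01T08:00:09", "teacher.a", "fail"),
    ("2011-02-01T08:00:14", "teacher.a", "fail"),
    ("2011-02-01T08:00:20", "teacher.a", "fail"),
    ("2011-02-01T08:00:25", "teacher.a", "success"),  # arrives after lockout
    ("2011-02-01T08:30:00", "teacher.b", "fail"),
    ("2011-02-01T08:30:10", "teacher.b", "success"),
]

def evaluate_logins(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (audit_log, locked_users). Every attempt is logged; a user who
    reaches max_failures failures inside the window is locked, and any later
    attempt by that user is recorded as 'blocked' instead of being processed."""
    failures = defaultdict(deque)   # per-user timestamps of recent failures
    locked = set()
    audit = []
    for ts, user, outcome in events:
        t = datetime.fromisoformat(ts)
        if user in locked:
            audit.append((ts, user, "blocked"))
            continue
        if outcome == "fail":
            q = failures[user]
            q.append(t)
            while q and t - q[0] > window:   # drop failures outside the window
                q.popleft()
            audit.append((ts, user, "fail"))
            if len(q) >= max_failures:
                locked.add(user)
                audit.append((ts, user, "locked"))
        else:
            failures[user].clear()           # successful login resets the counter
            audit.append((ts, user, "success"))
    return audit, locked
```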
In light of these conclusions, it is unsurprising that the Datatilsynet also concluded that the Municipality had failed to carry out a proper risk assessment, as required by the Executive Order. Of particular concern was the fact that Google did not encrypt data “at rest” on its servers. Google’s stated position is:
“Encryption is a commonly accepted way to protect data and Google regularly considers encryption for each of its applications. However, while encryption secures data, it also negatively impacts the speed of search and collaboration. For this reason, Google consciously decided not to encrypt Google Apps data at rest on its systems. The data is, however, 'obfuscated' or masked using proprietary algorithms.”
The Datatilsynet suggested that a better approach would be to adopt the approach outlined by ENISA in its publication, Cloud computing - Benefits, risks and recommendations for information security. This contains a comprehensive list of risks posed by cloud computing services and a detailed list of security questions to ask a cloud computing provider.
Transfers outside the EEA
The Datatilsynet’s final concern related to international transfers of personal data. The Google Apps service was said to be provided from Google data centres in the EEA and the US. The data centres in the EEA do not involve the transfer of personal data to a third country, and Google has joined the US Safe Harbor. This should be sufficient to meet any data protection concerns. However, the Datatilsynet was still concerned that transfers to other third countries might take place and, if so, may not be justified.
Dark clouds ahead?
The Datatilsynet’s opinion provides a useful practical example of the data protection issues that arise from the use of cloud computing and a warning that European data protection regulators may scrutinise such offerings in detail. Google and other companies offering cloud computing solutions will, no doubt, be considering the implications of this decision. There are a range of options available to them, including to:
- adopt a “gold standard” approach and seek to comply with all data privacy laws across the EU. This highest common denominator approach would be difficult and expensive given the stringent requirements imposed by some European Member States, such as the Spanish security regulations which inter alia require the encryption of sensitive personal data. This approach would also have to be supported by a thorough audit programme to provide comfort to data controllers that their data would be kept secure in practice;
- adopt a jurisdiction by jurisdiction approach and provide greater protection to some jurisdictions. For example, Danish public authorities could be provided with an enhanced package of protections to allow them to comply with the Danish Executive Order. However, this is the antithesis of a commoditised utility computing model and the additional costs of complying with multiple national standards may make it more expensive than adopting a gold standard; or
- maintain their current offering and leave it up to their customers to determine whether that offering complies with local data protection laws.
Google appears to be adopting the final option. One of its security and privacy FAQs is “Is my organization compliant with the European Commission Directive on Data Protection if we use Google Apps?” The answer refers to Google’s US Safe Harbor registration and then states “Generally, an organization must decide whether its use of Google Apps is compliant with any regulations it may be subject to.”
The Datatilsynet opinion is available here.
By Emma Linnér, Stockholm