Compliance and the cloud

October 21 2014

IT & Internet Austria

Topic proposed by: P Scott Rammell, Managing Attorney - Strategy, Tesoro Corp

With governments around the world currently addressing regulations on surveillance and privacy, attention is once again focusing on the compliance issues surrounding the security of data stored in the cloud. While the effect of these developments on business appetite for cloud computing solutions is unknown, they certainly raise interesting issues around client privilege, data ownership, and IT planning in general, to ensure that companies remain compliant with international regulation, and have left many wondering about the best approaches to contractual terms and positions.

What data security rules apply to cloud computing in your jurisdiction? Are specific security requirements for cloud initiatives under consideration? Has any authority issued guidelines in this regard?

No specific data security rules exist for cloud computing in Austria. However, depending on the data categories involved, specific data-related security regulations may apply. For example, if health data were processed in the cloud, the security provisions set out in the Health Telematics Act would apply. However, from an EU law perspective, the European Court of Justice (ECJ) ruling on the EU Data Retention Directive is of particular interest for cloud services.(1) In its reasoning the ECJ criticised the fact that the directive does not require data to be retained within the European Union. The ECJ claimed that the directive insufficiently ensures the control rights of an independent authority, as explicitly required by EU data protection law (particularly the European Charter of Fundamental Rights).(2) The ECJ held that such control forms an essential component of the protection of individuals with regard to the processing of their personal data. Through this ruling the ECJ established a territoriality principle which claims that data is stored in a safe and proper environment only if it is stored within the EU territory. This consideration affects all aspects of international data transfers and, in particular, cloud-related data processing services (which are genuinely characterised by international data transfers).

What are the implications of cloud computing for data sovereignty? Is sophisticated data encryption a meaningful solution to data sovereignty concerns?

To date, the Austrian data protection regulator has not specifically addressed data sovereignty aspects in the cloud. When assessing questions related to the storage of data abroad, the regulator does not concentrate on where the data is physically stored, but rather considers the location of the company operating the data processing in question. However, the regulator has not yet addressed the question of whether the related concerns (ie, about the cloud data being subject to another country's sovereignty) can be properly tackled through data encryption. The authority has released no relevant recommendations or guidelines so far. From a market perspective, most companies basically understand data encryption as a state-of-the-art security feature, but not as a tool that might help them to tackle data sovereignty concerns.

Under what circumstances can governments (national and/or foreign) access data stored in the cloud? Must the information owner be informed before this happens? What are the rules of engagement in terms of transparency and accountability?

As in most countries, in Austria cloud data can be accessed by law enforcement services for criminal investigation purposes or if the data access serves issues of national interest, such as the restoration of public order. Military services might also be entitled to access the data if certain criteria are fulfilled. In general, the data may be accessed by the competent authorities only if the applicable requirements of statutory law are fulfilled (eg, as stated in the Code of Criminal Procedure, the Security Police Act or the Military Enforcement Act). Typically, access to data must be supported by a court order. However, under specific circumstances (eg, imminent danger), the authorities may be entitled to access and secure the data without a court order. As a general rule, the data controller affected by such investigations must be properly informed. However, if there is a substantial likelihood that such information might damage the overall purpose of the investigation, the authorities can wait to inform the controller until the data has been secured by the investigating authority.

What are the implications of cloud computing in case of litigation? What are the implications for privilege?

The US concept of litigation privilege is fairly unknown in Austrian civil law. However, the overall legitimate interest in using data for the purpose of raising or defending claims before courts or authorities is reflected in the Data Protection Act. In a nutshell, the law allows the use of personal data for this purpose provided that it is vital to use the data in the respective court or authority proceedings and only if the data to be produced before the court or authority was collected legitimately. This principle applies – without further differentiation – to cloud services. In addition, without any differentiation to cloud services, the principle of data confidentiality applies, requiring that all personal data be stored in a confidential manner and be disclosed only on valid legal grounds. That said, personal data (no matter whether it is stored in the cloud or in another environment) may be disclosed for litigation purposes only if such disclosure is supported by applicable statutory law.

How can risks relating to cloud services be mitigated (eg, contractual safeguards, insurance etc)?

To date, there has been no homogeneous market approach in Austria to tackling the risks connected to cloud services. In fact, companies are just starting to become aware of the related risks. At present, companies typically rely on the safeguards defined in their contracts. However, the contracts used in Austria are commonly drafted by the service providers, so the safeguard provisions they contain are designed to be less burdensome for the provider. Although most contracts grant monitoring and surveillance rights, in practice few companies make use of them. This negligence can be attributed to the fact that most companies have insufficient personnel capacity to monitor cloud services continuously. Also, in some instances, a company may not even be aware of its own obligation to monitor.

For further information on this topic please contact Günther Leissler at Schoenherr by telephone (+43 1 5343 70), fax (+43 1 5343 76100) or email (g.leissler@schoenherr.eu). The Schoenherr website can be accessed at www.schoenherr.eu.

Endnotes

(1) ECJ April 8 2014, Joined Cases C-293/12 and C-594/12 Digital Rights Ireland.

(2) Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, C-364/01, December 18 2000.
