EU businesses that provide applications to consumers through the Google Apps platform may require additional mechanisms to the new contract terms offered by Google - in order to legitimately transfer personal data collected from app users overseas, an expert has said.
Google has announced that it will offer "model contract clauses" to app providers as a means for those businesses to lawfully transfer personal data outside of the European Economic Area (EEA). Out-Law.com asked Google to provide a copy of the model contract clauses it intends to offer, but a spokesman for the company said the information was not available yet.
However, data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, has said that if it is Google's intention to store the data collected by app providers in the cloud, then complex contractual arrangements may have to exist to make that activity legitimate.
How the cloud will rain on data law
Cloud computing refers to the use of computers and software on an internet-based network to do information processing rather than the use of local computing resources. It allows internet users to access or store information without owning the software to do it and many online companies, such as Google, operate huge servers that store the data and deliver it to users.
Current EU data protection laws prevent companies sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.
When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.
What can a company do to work within the red tape?
Model contract clauses have been approved by the European Commission as one mechanism companies can use to legitimately transfer personal data they collect to other companies based outside of the EEA. The clauses insert standard provisions into a contract that enable the flow of data between EU-based businesses and those located in "third" countries, ie, a non-EEA entity that is not a pre-approved country. The clauses enable outsourcing of personal data processing to firms based in non-EEA countries.
In a company blog, Marc Crandall, senior manager of global compliance at Google Enterprise, said that the new clauses would offer app providers "an additional option for compliance" with the EU's Data Protection Directive.
Kathryn Wynn said Google was probably setting up the model contract clauses to enable it to provide overseas cloud storage of the personal data that app providers collect from users of those apps. She said though that it "can be quite difficult in a cloud computing context to put in place valid model contract clauses".
"In order to be compliant with the 'adequacy' requirement of the Data Protection Directive the app providers would have to enter into model contract clauses with the first non-EU Google entity in the contractual chain that imports the data and the model contract clauses would need to detail each jurisdiction in which the data could be hosted. This will implement valid model clauses that will ensure an adequate level of protection for the personal data transferred," she said.
"If model contract clauses are not correctly implemented and there is a risk that the adequacy requirement will not be met, app providers would need to rely on another mechanism for compliance in order to justify overseas transfers of their users' data outside of the EEA.
"In those circumstances app providers could rely on their own self assessment of adequacy to justify overseas transfers of personal data outside the EEA," Wynn said. "Self assessment is where companies look at various aspects of the data protection regime in third countries, and consider things such as the strength of local laws, the security of data centres and take into account the sensitivity of the personal data that would be transferred to those countries.
"The existence of the model clause obligations in the contractual chain, even if not correctly implemented because they are not between the correct parties - ie, if between the Google entities rather than the relevant Google entities and the apps providers, will help in the overall assessment of adequacy. However, those provisions alone will not achieve adequacy," Wynn said.
"The more sensitive the personal data the more robust the adequacy requirements. Companies relying on self assessment as a mechanism for legitimising personal data transfers need to conduct due diligence and keep an audit trail of their assessment," she added.
What do companies in the US have to do?
Model contract clauses have been popular with EU businesses looking to transfer personal data to third countries, although other existing frameworks for safeguarding personal data when sent outside of the EEA have also been developed.
The US-EU Safe Harbor scheme is an agreement drawn up between the European Commission and US Department of Commerce that allows for the transfer of personal data from Europe to the US where data protections meet EU standards.
US organisations that conform to the protection requirements in the Safe Harbor scheme are deemed as having met European safety standards outlined in the Data Protection Directive. The Directive sets out standards around the lawfulness of personal data processing as well as for the security of personal data that is held by organisations, among other things. Google is one of 2,500 US firms accredited under the Safe Harbor scheme.
Last year the Federal Trade Commission (FTC) claimed Google had breached the Safe Harbor agreement by misusing customers' personal information it collected from Gmail users in its social network service Buzz without permission. Google failed to give notice to customers that their email contacts would be shared with other users if they chose to sign up to Google Buzz when it launched in 2010, the FTC said.
Google settled the case with the FTC by promising to conduct privacy audits every two years for 20 years; promising not to misrepresent the way it deals with personal data; and promising to obtain explicit consent before sharing users' information with other companies.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.