Out-Law News 3 min. read
12 Nov 2012, 3:53 pm
The ability for users of Google's database management 'Cloud SQL' service to choose to have data stored and processed exclusively in either jurisdiction was announced on a company blog last week.
"Now you can choose to store your data and run your Cloud SQL database instance in either our US or EU data centres," Joe Faith, product manager at Google, said in the blog.
According to Google, its Cloud SQL platform "is a web service that allows you to create, configure, and manage relational databases that live on Google’s infrastructure" and "is a fully-managed service that manages and maintains your databases".
Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that Google's decision to provide EU-only data storage and processing capabilities may have been prompted by concerns businesses have around data protection when using cloud services.
"While Google may not have necessarily given up the fight against the view that both information security requirements and verification of compliance through auditing arrangements require data to remain within the European Economic Area (EEA), Google obviously recognises that there is an opportunity to capture the business of some customers who just want a clear yes or no answer now as to whether or not they can use cloud services," Scanlon said.
"It goes without saying that as the market for ‘EU cloud processing only services’ develops, businesses within the EU will likely be very interested in comparing the costs associated with cloud solutions which restrict processing to premises within the EEA with those that do not. It will be interesting to see how the market develops from this point," he added.
The nature of cloud computing means that the data is often stored on huge servers throughout the world.
However, current EU data protection laws prevent companies sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.
When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.
The US-EU Safe Harbor scheme is an agreement drawn up between the European Commission and US Department of Commerce that allows for the transfer of personal data from Europe to the US where data protections meet EU standards.
US organisations that conform to the protection requirements in the Safe Harbor scheme are deemed as having met European safety standards outlined in the EU's Data Protection Directive. The Directive sets out standards around the lawfulness of personal data processing as well as for the security of personal data that is held by organisations, among other things. Google is one of 2,500 US firms accredited under the Safe Harbor scheme.
To qualify for Safe Harbor a US organisation must develop its own self-regulatory privacy policy, join an existing privacy programme, or be subject to a statutory or law body which achieves the same standards as those set in the Safe Harbor scheme. Member firms are audited annually to ensure they are complying with their commitment to the privacy of data transfers.
Earlier this year the Article 29 Working Party, a committee made up of representatives from the 27 data protection authorities in EU member states, said that businesses wishing to use cloud services to store and process personal data must use cloud providers that can "guarantee" compliance with EU data protection laws.
It said, though, that companies proposing to use cloud services cannot rely on cloud providers' "self-certification" that they comply with Safe Harbor standards as proof of compliance with the EU data protection regime.
"On the contrary, the company exporting data should obtain evidence that the Safe Harbor self-certifications exists and request evidence demonstrating that their principles are complied with," the Working Party said.
EU organisations seeking to use cloud services should "verify whether the cloud provider can guarantee the lawfulness of any cross-border international data transfers," the Working Party said. The watchdog said that data controllers must also "verify if the standard contracts composed by cloud providers are compliant with national requirements regarding contractual data processing."
Cloud providers do not normally provide information that will allow cloud clients to assess whether they comply with specific national requirements over contractual data processing, the Working Party said. Even if cloud providers claim compliance with Safe Harbor rules as a "substitute" for the lack of those guarantees, "the exporter" should still use "other legal instruments available", such as standard contractual clauses or binding corporate rules, to ensure compliance with the data transfer rules, it said.
