Companies whose employees use 'shadow IT' services to store personal data of EU citizens on cloud servers based in Singapore, Hong Kong and Japan, among other business hubs, will be unlikely to have put in place measures to ensure that adequate data protection is in place, in line with their obligations under EU data protection laws, Skyhigh Networks told Out-Law.com.
Businesses hosting personal data in a cloud computing environment are unlikely to be compliant with EU data protection rules if that data is hosted outside certain geographic areas, the company said.
Skyhigh Networks said that there is lack of governance by businesses over the use of cloud services within their organisation. This means that businesses that store EU citizens' personal data on cloud servers based either outside of the EU and European Economic Area, one of 12 countries designated as providing adequate data protection by the European Commission, or not otherwise by a US cloud provider signed up to the EU-US 'Safe Harbour' scheme, are likely to fall foul of the EU's Data Protection Directive, it said.
EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, but not including the US, are deemed by the European Commission to provide adequate protection.
The European Commission and the US Department of Commerce have negotiated a separate Safe Harbour framework to facilitate personal data transfers between the EU and US. More than 3,000 US businesses are currently signed up to the framework.
In a new report into cloud adoption, Skyhigh Networks reported that nearly three quarters of cloud services breached EU data protection laws because of where the data was being stored.
However, data protection shortcomings associated with the location of stored personal data can be overcome through the use of legal mechanisms, including the use of model contract clauses that enable businesses transferring that data to so-called 'third' countries to remain compliant with EU data protection requirements.
Skyhigh Networks told Out-Law.com that it accepted there are ways for businesses storing personal data in the cloud in third countries to "be considered conformant" to EU data protection rules, but said that most were still likely to fall short of complying due to the rise of 'shadow IT'.
"The good news is that around a quarter fall into the three categories of hosting in the EU, hosted in a country with equivalent privacy laws or hosted in the US with a Safe Harbor certification," said Skyhigh Networks’ European marketing director Nigel Hawthorn. "However, this leaves 75% that are not. In theory, there are other ways that these 75% can be considered conformant – however, my belief is that most of the 75% are unlikely to be so."
Hawthorn said that one legal mechanism that can help businesses meet requirements on adequate data protection for personal data transfers outside of the EU, 'binding corporate rules', is not relevant to Skyhigh Network's report findings.
"Our report is discussing public cloud providers and not group companies and intra-group data transmissions, so this will not apply," he said.
Hawthorn said that the use of model contract clauses and organisations' own self-assessment of adequate data protection are unlikely to be applicable because of the amount of cloud services being procured outside of the control of IT departments.
"Both [model contract clauses and self-assessment] … require the data controller to have conducted contractual negotiations with the cloud provider – as IT is unaware of 90% of cloud services being used, the company will not have been in discussions with the providers that they are unaware of," he said.
Hawthorn added that although it is, in the alternative, possible to get individuals to agree to the transfer of their data to countries that do not offer adequate data protection, "in practice, it is difficult to secure consent from large numbers of people".
He said that there is a "long tail" of cloud service providers that do not store data in either the EU, another country deemed to have equivalent privacy protections or with a 'Safe Harbour' certified provider in the US.
"The report shows our figure for just how long the long-tail is, cloud providers that at the moment do not conform without the customer’s IT and legal department getting into discussions with them and signing the appropriate contractual clauses," said Hawthorn.