Who can fail to notice the rapid proliferation of cloud computing services and technologies such as Gmail, Office 365, and Amazon Web Services? As businesses and consumers take advantage of the technological innovations afforded by Rackspace, Facebook, Google App Engine, Dropbox and the like, scholars, regulators, and technologists are becoming increasingly concerned about the data protection issues raised by cloud computing, such as data ownership and security.[1] Indeed, such questions are at the forefront of the current reform of the European data protection laws.[2] Nowadays, many in-house lawyers have to grapple with the complex and intricate data protection issues raised by cloud computing as more and more organisations adopt cloud computing technologies and services for various reasons, such as scalability, cost-efficiency, and resource maximisation.

In this post, I would like to highlight an emerging trend in the fields of cloud computing and data protection which I am currently investigating. In-house lawyers may find it useful to bear this trend in mind when advising their organisations on the data protection issues raised by cloud computing.

My preliminary investigation of various data sources, such as the audits and/or investigations of cloud providers conducted by national data protection authorities,[3] relevant press releases and opinions,[4] current and proposed data protection laws, and relevant lawsuits[5] filed against cloud providers on the grounds of breaches of data protection laws, suggests a move away from the lawsuit mechanism to the audit and/or investigation mechanism to (1) assess the compliance of cloud providers with relevant data protection laws and (2) determine whether cloud providers have breached relevant data protection laws.[6] Indeed, in recent years, there has been a rise in the number of data audits and/or investigations[7] of cloud providers, such as Facebook,[8] Google,[9] and Whatsapp,[10] conducted by national data protection authorities, such as the Irish Data Protection Commissioner. Concurrently, less litigation on the grounds of the violation of data protection laws is being filed against such cloud providers. For the avoidance of doubt, I do not mean that lawsuits against cloud providers on the grounds of the violation of data protection laws are no longer filed.[11]

This trend needs to be borne in mind by in-house lawyers when advising their organisations on the data protection issues raised by cloud computing. This shift indicates a significant change in the methods (e.g. on-site visits, document-based inspections, and online inspections), processes (e.g. letter of intent to audit, self-help checklist, technical reports),[12] and actors involved in assessing the compliance of cloud providers with data protection laws and deciding whether cloud providers have breached data protection laws. Additionally, further research needs to be conducted into the reasons behind the so-called rise of the ‘Audit Age’. Why are data audits or investigations becoming more acceptable to companies such as Skype, Microsoft, and Whatsapp?

Finally, this shift tells us a lot about cloud computing regulation. In some cases, a specific data audit or investigation by a national data protection authority has far-reaching regulatory effects. For example, the Office of the Privacy Commissioner of Canada recently conducted an investigation into the data practices of Facebook. The Canadian investigation had far-reaching consequences, as it led to changes to key Facebook features which posed data protection issues under Canadian data protection laws for both Canadian and non-Canadian Facebook users. In other cases, the findings of an audit or investigation carried out by one national data protection authority can be heavily contested by another national data protection authority.[13] In other cases still, the practices, routines, and methods employed during the audit or investigation may vary widely from one national data protection authority to another.

Thus, important lessons can be learnt about cloud computing regulation by analysing data audits or investigations. For example, an analysis of the various cloud computing audits conducted by European data protection authorities, such as the Irish Data Protection Commissioner, the Commission Nationale de l’Informatique et des Libertés (‘CNIL’), and the Spanish Data Protection Authority,[14] highlights that the methods, procedures, and techniques used during the audits or investigations vary from data protection authority to data protection authority. For example, the Irish Data Protection Commissioner’s main audit methods include on-site inspections and questionnaires.[15] However, CNIL’s main investigation methods include not only on-site visits and document-based investigations but also online inspections.[16] From this viewpoint, cloud computing regulation can often be fragmented across the European Union, as European data protection authorities employ different audit or investigation methodologies, practices, and resources.

Notes

[1] W Kuan Hon, Christopher Millard, and Ian Walden, ‘Who is responsible for “personal data” in cloud computing?—The cloud of unknowing, Part 2,’ (2012) 2(1) International Data Privacy Law 3; Hassan Takabi, James BD Joshi, and Gail-Joon Ahn, ‘Security and Privacy Challenges in Cloud Computing Environments,’ (2010) 6(8) IEEE Security & Privacy 24; Viviane Reding, ‘Privacy in the Cloud: Data Protection and Security in Cloud Computing,’ Round-table High Level conference on Mobilising the Cloud organised by GSMA Europe, Brussels (7 December 2011) <http://europa.eu/rapid/press-release_SPEECH-11-859_en.htm> accessed 23 March 2014.

[2] For example, the European Parliament posits that the ‘growing globalisation of data flows, via … cloud computing’ is one of the driving forces behind the current reform process. European Parliament, ‘Q & A on EU Data Protection Reform,’ (4 March 2013) <http://www.europarl.europa.eu/news/en/news-room/content/20130502BKG07917/html/QA-on-EU-data-protection-reform> accessed 28 April 2014.

[3] E.g. the investigation of Facebook conducted by the Office of the Privacy Commissioner of Canada on 16 July 2009 <http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.asp> accessed 28 April 2014; the audit of Facebook conducted by the Office of the Data Protection Commissioner of Ireland on 21 December 2011 <http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf> accessed 28 April 2014; and the investigation of Whatsapp by the Dutch Data Protection Authority in January 2013 <http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf> accessed 28 April 2014.

[4] E.g. Viviane Reding, ‘Strong and independent data protection authorities: the bedrock of the EU’s data protection reform,’ (3 May 2012) 2ff; Article 29 Working Party, ‘Statement of the Working Party on current discussions regarding the data protection reform package,’ (27 February 2013) 2; Article 29 Working Party, ‘Opinion 05/2012 on Cloud Computing’ (2012) WP196 <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf> accessed 28 April 2014, paragraphs 3.3.1, 3.4.1, 3.4.2; Article 29 Working Party, ‘Opinion 03/2010 on Accountability,’ (2010) WP173, paragraphs 14, 19, 33, 41, 53, 62.

[5] E.g. Fraley, et al. v. Facebook, Inc., et al., Case No. CV-11-01726 RS.

[6] This is a tentative observation which is based on my analysis of preliminary datasets which include twenty audits and/or investigations of cloud providers conducted by national data protection authorities, current and proposed EU data protection laws, EU press releases and opinions, and relevant case law. I am currently further investigating whether the shift thesis can be supported by collecting and analysing further qualitative data from other sources, such as interviews of relevant national data protection authorities.

[7] In my view, although some national data protection authorities tend to use the term ‘investigation’ rather than the term ‘audit’, the process that they conduct is very much akin to an audit, as key elements of an audit, such as external checks against specified norms and being held to account, are present in such investigations. For more on audits, see Michael Power, ‘The Audit Society: Rituals of Verification,’ (Oxford University Press 1999).

[8] See n 3.

[9] E.g. the investigations of Google which were conducted by various national data protection authorities, including the Commission Nationale de l’Informatique et des Libertés, the Dutch Data Protection Authority, and the Spanish Data Protection Authority. See ‘CNIL orders Google to comply with the French Data Protection Act, within three months.’ (CNIL, 20 June 2013) <http://www.cnil.fr/linstitution/actualite/article/article/cnil-orders-google-to-comply-with-the-french-data-protection-act-within-three-months/> accessed 28 April 2014.

[10] See n 3.

[11] n 5.

[12] E.g. see Irish Data Protection Commissioner, ‘Data Protection Audit Resource,’ (January 2009) <http://www.dataprotection.ie/documents/enforcement/auditresource.pdf> accessed 19 May 2014.

[13] For example, the Hamburg Data Protection Commissioner reopened its investigation of Facebook’s Tagging feature as it did not agree with the outcomes of the negotiations between the Irish Data Protection Commissioner and Facebook in relation to Tagging. Loek Essers, ‘Germany Reopens Proceedings Against Facebook’s Facial Recognition,’ (PC World, 15 August 2012) <http://www.pcworld.com/article/260907/germany_reopens_proceedings_against_facebooks_facial_recognition.html> accessed 15 May 2014.

[14] n 8.

[15] n 12.

[16] ‘The French Data Protection Authority gets new online investigation powers,’ (SJ Berwin, 24 April 2014) <http://www.sjberwin.com/insights/2014/04/24/french-data-protection-authority-gets-new-online-investigation-powers> accessed 19 May 2014.