Microsoft is eager to promote, position and, if possible, differentiate its cloud product line. Microsoft's eagerness should not surprise us. However, it sometimes leads to communication that is, or at least seems, premature and/or misleading.
We will look at the background and the flaws in Microsoft's communication and hope to conclude with some concrete guidance for the cloud providers that want to use "EU compliance" as a selling point.
Eagerness
Cloud computing (for a definition, see e.g. NIST SP 800-145) is not new, but quite a number of new "applications" of cloud computing have been peaking, and the Software-as-a-Service model is coming out of the trough of disillusionment, as shown on the 2012 Gartner hype cycle.
Cloud computing is often considered as "commoditising" computing, which by definition means that products are considered generic and interchangeable and competition is mainly a price competition.
One can fairly argue that the first element does not entirely hold for cloud computing. One of the key risks of (corporate) cloud computing is the de facto high switching cost and vendor lock-in (see a.o. NIST SP 800-144 and the ENISA Cloud Computing Risk Assessment).
Consequently, being the first (corporate) cloud provider with a foot in the door is very important. With a growing number of cloud providers (see wikipedia, top10 of 2012, to watch 2013), that is a fierce race. If that market is not already a "red ocean", it is very rapidly becoming one. So the idea is to stand out, to differentiate.
And here the EU data protection legislation offers one opportunity out of probably many.
The EU data protection issue with regard to cloud computing
The EU recognizes that levels of (legal) personal data protection have an influence on the free flow of such data and thus on the economy. Stringent legislation on the location of personal data and/or the outsourcing of data processing can be a form of protectionism of the local market. That is why the EU tried to harmonize that legislation within its borders with its 1995 Directive.
Through that legislative action, transfer of data outside the EU is highly restricted (see articles 25 and 26 of the Directive). There are mainly three tiers in the assessment:
- either the data is only transferred to a country where an adequate level of data protection (as de facto determined by the EU Commission) is ensured (article 25);
- the data is only transferred to a recipient that commits to an adequate level of data protection (article 26.2); or
- the transfer is in scope of one of the limited exemptions (article 26.1).
The Article 29 Working Party made an assessment of how these rules are to be applied to cloud computing and published its 27-page opinion 5/2012 on 1 July 2012.
The number of countries that are considered to ensure an adequate level of data protection according to EU standards ("safe countries") is relatively low. Only 13 countries have been found to (partially) meet that standard. The USA only meets that standard partially, and the exceptions for the USA are almost continuously questioned. So that path is not valid for most cloud computing providers, which have built their business model on a multinational presence of data centers. The reasons for that are plentiful: cheap(er) labor, cheap(er) energy, high(er) energy-efficiency e.g. for cooling the facilities, following the sun, etc.
The limited exemptions are no basis for transfer for cloud services. A 1998 opinion of the Article 29 Working Party states that the exemptions do not apply in case of recurrent, massive or structural transfers.
This leaves only one path open: the commitment of the providers. This, however, sounds easier than it is in practice. Why?
Because the agreements between the provider and the customer in principle have to be submitted for prior checking to the data protection authorities involved if there is any transfer of personal data outside the EU. In other words, this is required in most cases, and (if the customer is a multinational group of companies) by several data protection authorities at once.
There is a way "around" that, namely working with Standard Contractual Clauses. Those are "clauses" - actually rather a schedule to the framework agreement, with appendices - which the EU Commission has acknowledged as being compliant with the requirements under the Directive for transfer of data to a so-called third country. National Data Protection Authorities are bound to accept the correct use of those Standard Contractual Clauses.
There are two categories of Standard Contractual Clauses: one is for transfers from controller to controller (C2C), the other for transfers from controller to processor (C2P). Without going into the details, for cloud providers the latter should be used.
However, the Standard Contractual Clauses C2P are limited in their use and user-friendliness, and therefore are not as off-the-shelf as they are sometimes presented to be.
- They are meant for a direct relationship with a provider outside the EU. So if the cloud provider has a European establishment to service its EU customers, the Standard Contractual Clauses cannot be used as such, and only through some legal "voodoo" can they be used to facilitate setting up the contractual framework.
- In principle they cannot be changed.
- The appendices are to be used to tailor the "clauses" to the specific data processing the parties want to scope.
- In some countries the Data Protection Authorities actively scrutinize the use of the Standard Contractual Clauses.
So in all, providing cloud services to EU companies is legally not a piece of cake.
The opportunity
The opportunity for any cloud provider is thus to offer its customers assurance as to their compliance with the EU data protection legislation. That way it can distinguish itself from the other cloud providers. Purely EU cloud providers have that advantage, but they are a minority. So there is quite some room for the multinational players.
Obviously, that is what Microsoft is trying to sell now, but it is - intentionally (?) - a bit clumsy in doing so.
The blogpost
On Thursday 10 April 2014, Brad Smith, the General Counsel and Executive Vice President of Legal and Corporate Affairs at Microsoft, blogged a post with the roaring title "Privacy authorities across Europe approve Microsoft's cloud commitments".
Apparently Microsoft received a one-page letter from the Article 29 Working Party, dated 2 April 2014 and signed by the newly appointed Chairperson of the Working Party. The blogpost deeplinks to the document, which seems to be published on the Article 29 Working Party website, but as far as I could reasonably search it cannot be found by browsing or using the search function. This makes me wonder whether or not the Data Protection Authorities actually anticipated such (fast) communication by Microsoft.
At the end of the blogpost there is a reference and link to Frequently Asked Questions (FAQ).
Despite the title "Article 29 FAQ", this is not a document from the Article 29 Working Party, but a Microsoft document posted on the Microsoft website. The lack of logos etc. and the context of the blogpost nevertheless confuse us a bit in that regard. A suspicious mind could easily see an intent to confuse in that.
The question
Microsoft makes it look like the Article 29 Working Party is backing its cloud computing product line. But is it really?
The letter
The letter basically states that the two documents presented by Microsoft, disregarding the appendices (!), read together do not diverge from the 2010 Commission Decision. Consequently, that combination should not be seen as an "ad hoc" document that has to be presented to the national data protection authorities.
Two documents. The analysis of the Article 29 Working Party was limited to two documents:
- a new version of the "Enterprise Enrollment Addendum Microsoft Online Services Data Processing Agreement" (hereinafter, "MS Agreement")
- its Annex 1 "Standard Contractual Clauses (processors)" (Commission Decision 2010/87/EU).
The latter document is a document that is published as an annex to a decision of the EU Commission, and is widely used in contracts in which EU companies outsource processing of personal data. Nothing new here.
The first document is an unknown, as it is not published as an attachment to the letter of the Article 29 Working Party or in the Microsoft blogpost. All we know is that the Working Party considers that text to be "in line with" the Standard Contractual Clauses document.
This leaves Microsoft's customers with two issues:
- They can rely on the basic acceptance of that text by the Data Protection Authorities of the 28 Member States, IF there are no specific national rules, for which the letter makes a specific carve-out ("depending on the national legislation").
- In practice, as a potential customer of Microsoft, I have no idea whether or not Microsoft presents me with the text that got the nihil obstat of the Article 29 Working Party. I would call that a flaw in the communication, both of the Article 29 Working Party and of Microsoft.
Disregarding the appendices. The letter specifically carves out the appendices of the Standard Contractual Clauses.
"The analysis covers the engagements reflected in the model clauses 2010/87/EU but not its Appendixes (description of the transfers of data and of the technical and organizational security measures implemented by the data importer). According to usual implementation of the model clauses, these Appendixes need to be completed by Microsoft and its clients when signing the contract and may be analyzed separately by the Data Protection Authorities."
The appendices however make up the core of the Standard Contractual Clauses, as they determine
- the scope of the data transfer (Appendix A)
- the minimum security requirements (Appendix B)
- they want to keep their hands free in terms of future architecture and technical developments,
- they do not want to give away their corporate secrets for reasons of security and competitive advantage,
- they do not want to openly list their sub-contractors (to which Microsoft's customer basically should agree),
- they - sometimes understandably - cannot and/or do not want to disclose all categories of recipients (what about e.g. requests from intelligence agencies like the NSA, warrants under local law like the Patriot Act, etc.),
- who knows?
What I would at least expect is that in the additional document or in the commitments of Appendix B, Microsoft includes a most favored customer clause in terms of minimum security.
Conclusion
As a practitioner, I find that this communication by Microsoft does not really help me forward. It creates the impression among C-level executives that there should be no obstacle to implementing the Microsoft cloud products, heightening the pressure on the legal, compliance, security and/or risk management departments. BUT... it does not help these latter departments in being comfortable with the solution provided. The questions remain:
- Is the text Microsoft presents us the one that was assessed by the Article 29 Working Party?
- Should I or should I not consider presenting this for prior checking to the Data Protection Authorities or other authorities (e.g. financial supervisors) in the countries where my group is active?
- What to think of the appendices: are they sufficiently detailed for the Data Protection Authorities?
That is why I chose the slightly provocative title of this post.
Were Microsoft - or any other cloud provider - really to show its dedication to its (corporate) customers, it should communicate more transparently and give the risk management functions more comfort by
- providing the texts assessed by the Article 29 Working Party
- preparing an overview of the positions of the Data Protection Authorities in the 28 Member States as they have encountered them so far (they should not per se have to go so far as to provide a legal opinion, which would probably increase their legal risk exponentially)
- trying to get some sort of buy-in on the appendices as well, especially on the second appendix with regard to the (minimum) security measures