UIA - The New EU General Data Protection Regulation
Use of Cloud Computing after the Digital Rights Ireland judgment
Luís Neto Galvão, Partner, SRS Legal

Judgment of the CJEU (Grand Chamber) of 8 April 2014 (joined cases C-293/12 and C-594/12): the Court declared the invalidity of the Data Retention Directive
- The Directive
- Historic context of approval
- Scope
- Types of data retained
- Findings: the EU legislator exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union
- Transatlantic impact?

The Directive allows very precise information to be acquired on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented. By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.

However, the retention does not adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data:
i. the directive does not allow the retention of content;
ii. the service or network providers must respect certain principles of data protection and data security.
It satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.

By adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality. The interference of the directive with the fundamental rights was not limited to what is strictly necessary. The type of retained data provides a lot of information on the people in question, including:
- the identity of the person with whom the communication took place and by what means;
- the time of the communication as well as the place from which that communication took place; and
- the frequency of the communications with certain persons during a given period.

Main problems with the directive:
- Covers all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
- Fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that may be considered to be sufficiently serious to justify such an interference.
- Refers in a general manner to serious crime as defined by each Member State in its national law.
- Does not lay down substantive and procedural conditions for access to and subsequent use of the data: access to the data is not made dependent on prior review by a court or by an independent administrative body.
- The minimum retention period of six months does not make any distinction between the categories of data on the basis of the persons concerned or the usefulness of the data in relation to the objective pursued, and no criteria are provided for justifying a maximum retention period of up to two years.
- No sufficient safeguards are provided to ensure effective protection of the data against the risk of abuse and against unlawful access and use of the data (e.g. service providers can have regard to economic considerations when determining the level of security), and it does not ensure the irreversible destruction of the data at the end of the retention period.

Last (unexpected) concern of the Court:
- The Directive does not require that the data be retained within the EU: in doing so, it does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter.
- Control of a DPA, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.
- Important decision for cloud computing: the Court seems to imply that retained data (or any sensitive data) must be stored and processed exclusively within the European Union.
- What message did the Court intend to transmit?

International transfer issues for cloud computing
- Introduction to cloud computing: models, cloud providers (controllers and/or processors), main contractual issues, concerns
- International transfers under Directive 95/46/EC (BCRs, Model Clauses Controller-Processor (2010), ad hoc Contracts, Safe Harbor)
- Article 29 WP Working Document of a Co-operation Procedure for Issuing Common Opinions on Contractual Clauses considered compatible with the EC Model Clauses
- Approval of model clauses of Microsoft and Amazon Web Services

International transfer issues for cloud computing
- Safe Harbor Regime under scrutiny/transatlantic discussions for an umbrella agreement
- Data Nationalism and its impact in cloud computing (Brazil, Europe, Australia, Russia, France, Portugal)
- Microsoft Case (US), Schrems v. Data Protection Commissioner (CJEU)

International transfer issues for cloud computing
- Transfers of data by EEA-based cloud providers to sub-processors outside the EEA: how to solve the problem?
- WP29, Working document 01/2014 on Draft Ad hoc contractual clauses "EU data processor to non-EU subprocessor"
- How can we improve model clauses and make them more effective?
- Impact of the draft EC Data Protection Regulation on data transfers
[Diagram labels: EU + EEA; Company; Supplier of Cloud Service; Subcontractor; Sub-subcontractor in a third country]

Thank you.
Luis Neto Galvão, Partner
T +351 21 313 20 00
F +351 21 313 20 01
luis.galvao@srslegal.pt
www.srslegal.pt