Cloud computing has provoked much debate in recent years among IT professionals, not least because of the potential data security issues it presents. Recent comments from the Information Commissioner's Office at a cloud computing seminar provide welcome comfort to users of cloud services who deal with American providers.
A longstanding concern for cloud users has been that many of the largest providers of cloud services (such as Amazon, Microsoft and Google) have headquarters in the US and are subject to the US Patriot Act. The Patriot Act gives the US government wide ranging rights to compel companies to disclose information (including personal data) they hold. It can apply equally to an American company's international offices. So even if a cloud user believes it is buying cloud services from, for example, the London branch of a US company, it can still find data it puts in the cloud being disclosed in the US. For many companies this has been a disincentive to use of the cloud (or, at least, some of the major cloud providers) for storing personal data such as HR information or customer databases.
The ICO's recent comments have indicated that where a cloud provider is asked to disclose personal data under the Patriot Act and does so, the cloud provider will be treated as the 'data controller' of that personal data for the purposes of the disclosure. That means that the cloud provider will carry the risk of compliance with the Data Protection Act 1998 in respect of that disclosure. It relieves the cloud user from the usual compliance burden and the potentially onerous financial risks of non-compliance.
The ICO has indicated that in the event of a disclosure of personal data under the Patriot Act it would not take enforcement action against the cloud user. It has said the simple act of choosing a cloud provider that has obligations to an overseas law enforcement agency does not warrant ICO action. And it would be unlikely to take action against the cloud provider where the cloud provider is responding to a disclosure request that it must comply with under law. The ICO has qualified this, however, by saying that it would need to look at the facts more carefully if a cloud provider was responding to a disclosure request from a country with unsatisfactory rule of law protections.
Companies should not, however, see the ICO's comments as carte blanche to use American cloud providers with impunity. Any use of cloud services that involves personal data entering the cloud raises data protection issues beyond the risk of Patriot Act disclosure. Any company engaging another to process its personal data needs to conduct assessments of the adequacy of the other company's data protection arrangements, and ensure suitable contractual arrangements are in place to govern the rights and obligations of the processing company in respect of the personal data. The ICO has highlighted how cloud computing risks are exacerbated by the use of the cloud with smart-phones and tablets, particularly where devices are used for both business and personal purposes.
The ICO has indicated that as a follow up to the seminar it is now preparing draft guidance on cloud computing which may include, among other things, clarification of the obligations on cloud providers and an explanation of what qualifies as 'personal data' for cloud purposes. The guidance is currently under development and the ICO will seek stakeholder opinions when the first draft is published.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.