Global Privacy and Data Security Developments—2013 By Katherine Ritchey, Mauricio Paez, Veronica McGregor, and Maria Sendra* Privacy and data security continue to be a focus for corporations, regulators, law enforcement, and consumer groups across the globe. Imaginative ways to ac- cess and use information create significant challenges in how we protect individ- uals, nations, and an interconnected world economy. These issues touch virtu- ally every aspect of modern life, from the use of smart phones to global security against terrorism. This survey covers significant developments in global privacy and data security and topics to watch in the coming year. P RIVACY IN THE C LOUD Cloud computing services challenge traditional privacy law concepts as well as regulators who struggle to keep up with technological developments. “Cloud” refers to a distributed internet-based infrastructure used on a shared basis 1 in which user data may be stored in different or multiple data centers around the world. J URISDICTION AND A CCESS TO D ATA A key area of ongoing debate regarding the cloud is jurisdiction and territori- ality, which are central to privacy regulation. The legal framework regulating data transfers lags behind cloud computing innovation, 2 and there is not agree- ment on a new legal framework. Generally, there are two bases for jurisdiction over the cloud: 1) location of the infrastructure (e.g., data centers) and 2) loca- tion of the providers. 3 * The authors are partners at Jones Day who advise on a broad range of privacy and data security issues, including worldwide legal requirements regarding data protection, transfers and breaches, worldwide policies and compliance procedures for handling and safeguarding personal and company information, litigation, payments, and other issues. The authors thank Emily Douglas, Louise Doyle, Eric Fleekop and Nandini Iyer for their assistance. 1. P ETER M ELL & T IMOTHY G RANCE , T HE NIST D EFINITION OF C LOUD C OMPUTI ng (Sept. 2011), available at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf. 2. E UR . P ARLIAMENT D IRECTORATE -G EN . FOR I NTERNAL P OLICIES , S TUDY : F IGHTING C YBER C RIME AND P RO- TECTING P RIVACY IN THE C LOUD (Oct. 2012), available at http://www.europarl.europa.eu/committees/ en/studiesdownload.html?languageDocument=EN&file=79050. 3. See id . at 38. 245
246 The Business Lawyer; Vol. 69, November 2013 The Patriot Act 4 and the Foreign Intelligence Surveillance Act 5 are examples in which provider-based jurisdiction potentially conflicts with infrastructure-based jurisdiction. U.S. companies may be required to disclose the cloud data of an EU citizen stored in an EU data center to the U.S. government under the Patriot Act. 6 The U.S. laws in this regard are not unique. For example, German law en- forcement has tapped cloud data abroad using mutual law enforcement treaties. 7 EU finance regulations permit auditing of data in the cloud because it is consid- ered outsourcing. 8 Expect continued activity as regulators struggle with jurisdic- tion in the cloud. EU V . U.S. A PPROACHES TO THE C LOUD As various regulators impose a privacy framework on the cloud, their differing approaches to privacy are fueling debate. Both the European Union and United States provided guidance regarding cloud data last year. Not surprisingly, they are not in agreement on the topic. In September 2012, the European Union is- sued an advisory communication 9 that calls for greater data protection in the cloud. By the end of 2013, the Commission expects to create model contract terms and a model code of conduct for cloud providers. 10 The European Data Protection Supervisor (“EDPS”) supports rethinking data protection in the cloud because, according to the EDPS, currently it is impossible for data controllers purchasing cloud computing services to comply with legal data protection requirements. 11 For example, data controllers are held account- able for compliance with EU privacy laws even though they may not know where or how their data is stored by the data processor (the cloud provider) in the cloud. 12 The EDPS suggests clearly defining a “transfer” of personal data in the cloud as well as other solutions as the European Union moves toward in- creased regulation of the cloud. 13 4. USA PATRIOT Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (codified in scattered sections of the U.S.C.). 5. 50 U.S.C. §§ 1801–1811, 1821–1829, 1841–1846, 1861–1862, 1871 (2012). 6. Zack Whittaker, Patriot Act Can “ Obtain ” Data in Europe, Researchers Say , CBS News (Dec. 4, 2012, 3:59 PM), http://www.cbsnews.com/8301-205_162-57556674/patriot-act-can-obtain-data-in- europe-researchers-say. 7. Johanna Laas, . . . and the Cloud Again: German Government’s Response to Formal Inquiry , P RIVACY E UR . B LOG (Apr. 29, 2013, 9:31 AM), http://www.privacy-europe.com/blog/and-the-cloud-again-german- governments-response-to-formal-inquiry/. 8. Lokke Moerel, Global Cloud Contracts: How to Navigate the EU Requirements in a Global Contract 4 − 5 (IAPP Global Privacy Summit, Mar. 6–8, 2013), available at https://www.privacyasso ciation.org/media/presentations/13Summit/S13_Closing_the_Deal_PPT.pdf. 9. Communication from the Commission, Unleashing the Potential of Cloud Computing in Europe , at 8, COM (2012) 529 final (Sept. 27, 2012). 10. Id . at 12 − 13. 11. Opinion of the European Data Protection Supervisor on the Commission’s Communication on “ Unleashing the Potential of Cloud Computing in Europe ” ¶ 25 (Nov. 16, 2012), available at http://goo.gl/ FG9Dz. 12. See id . ¶ 24, 82. 13. Id . ¶ 74.
Global Privacy and Data Security Developments—2013 247 The International Trade Authority of the U.S. Department of Commerce (“ITA”) has downplayed these concerns. Currently, U.S. privacy protection does not meet EU “adequacy” requirements, so moving data to the United States generally is not permitted unless the U.S. importer has certified to Safe Harbor Principles or entered an approved EU standard contract clause with the EU data exporter. 14 The ITA stated that it “does not believe that ‘cloud computing’ rep- resents an entirely new business model or presents any unique issues for Safe Harbor.” 15 This type of debate will continue as regulators struggle to address the cloud and other new technology. M OBILE P RIVACY Mobile applications and “bring your own device” issues were significant in global mobile privacy debates in the last year. M OBILE A PPLICATIONS Increased use of mobile devices and applications in lieu of personal computers is fueling privacy concerns. Mobile industry trade groups are encouraging self- regulation in an effort to limit government regulation. 16 Likewise, the PCI Secur- ity Standards Council released proactive Mobile Payment Acceptance Security Guidelines in September 2012, which provide global guidelines for payment ap- plications operating on consumer mobile devices. 17 In the United States, California Attorney General Kamala Harris continues to take a leadership role in the debate: After giving notice of her privacy concerns to popular mobile application operators, in December 2012, the California Attor- ney General filed a legal action alleging privacy deficiencies with a mobile appli- cation. 18 In January 2013, the California Attorney General also released a set of privacy best practice recommendations, including using clear and conspicuous privacy policies and limiting the personally identifiable information collected. 19 14. U.S. D EP ’ T OF C OMMERCE , C LARIFICATIONS R EGARDING THE U.S.-EU S AFE H ARBOR F RAMEWORK AND C LOUD C OMPUTING 1–2 (Apr. 12, 2013), available at http://goo.gl/IwqY2p. 15. Id . at 1. 16. See, e.g ., A Status Update on the Development of Voluntary Do-Not-Track Standards: Before the S. Comm. on Commerce, Sci. & Transp ., 113th Cong. (2013) (statement of Luigi Mastria, Managing Dir., Digital Advertising Alliance). 17. PCI S EC . S TANDARDS C OUNCIL , PCI M OBILE P AYMENT A CCEPTANCE G UIDELINES FOR D EVELOPERS (Sept. 2012), available at https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_ Guidelines_Developers_v1.pdf. 18. Press Release, Cal. Attorney Gen., Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law (Dec. 6, 2012), available at http://oag.ca. gov/news/press-releases/attorney-general-kamala-d-harris-files-suit-against-delta-airlines-failure. The Delta suit was dismissed based on Airline Deregulation Act preemption. Karen Gullo, Delta Wins Dis- missal of California App Privacy Lawsuit , B LOOMBERG . COM (May 9, 2013, 1:36 PM CST), http://www. bloomberg.com/news/2013-05-09/delta-wins-dismissal-of-california-app-privacy-lawsuit.html. 19. C AL . D EP ’ T OF J USTICE , P RIVACY ON THE G O : R ECOMMENDATIONS FOR THE M OBILE E COSYSTEM (Jan. 2013), available at http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf.
Recommend
More recommend
