As general counsel for a corporation with offices and employees spanning multiple countries, the risk-management part of your job necessarily entails understanding the laws and regulations implicated by your corporation's activities. Meanwhile, the ubiquitous nature of electronic communication, along with the high cost of maintaining an internal information technology infrastructure fast enough to keep pace with the speed of business, has ushered in the use of cloud computing services to store and move your company's electronic data. Cloud computing vastly improves network storage capabilities by allowing on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Whether applied to your internal business metrics or an email system, cloud computing both increases efficiency and reduces information technology costs.
But cloud computing involves the dispersal of data across servers located anywhere in the world. The manner in which the cloud transcends national boundaries creates potential dangers by moving data into, or allowing access to data from, countries with restrictive data privacy and protection laws. If a corporation using the cloud to store electronic information becomes embroiled in an investigation or litigation, the corporation must consider relevant laws before gathering, reviewing, and producing responsive electronic data.
This article provides an overview of the factors corporate counsel should consider before contracting for cloud computing services and allowing electronic data to be moved and accessed across borders.
Most data privacy and protection statutes are enacted to protect the personal information of each country's citizens. These laws generally govern the ability of entities and individuals to "process" (i.e., collect, preserve, organize, store, use, etc.) the data of others, and they apply when information is stored, collected, processed, or communicated to or from the country. Given the increasingly common use of mobile devices for business purposes, a Mexican citizen working in Canada whose communications are stored by a cloud computing services provider located in Brazil would likely trigger certain provisions within all three countries' statutory schemes. In order to avoid transgressions of these laws, a general counsel needs to keep track of his or her corporation's electronic data as it moves across borders.
The primary focus of most data privacy laws is consent – in order to process an employee's personal information, the employer (i.e., the "data user") generally must first obtain the employee's (i.e., the "data owner's") consent to do so. Accordingly, you will need to know when and how you must obtain consent from employee or customer data owners. For example, under Spanish law, data users must obtain express consent from data owners in writing, and that consent is revocable at any time. If you have employees in Spain (or a country with a similarly stringent data privacy statute), you will need to obtain consent from each individual employee and then exercise selectivity in terms of placing any personal information into the cloud.
Some data privacy statutes include an exception from obtaining consent when gathering or processing personal data in connection with a judicial proceeding or for the purpose of fulfilling legal obligations. For instance, Argentina's fairly strict data privacy law includes such an exception, but nonetheless states that any cross-border transfers of personal data out of Argentina may only be made to countries that provide similar data protection (i.e., not the United States), unless the transfer is done pursuant to: (1) express consent, (2) an executed data transfer agreement prepared with regulator guidance, (3) international judicial cooperation, or (4) other very limited exceptions.
In addition, you will need to understand the security and reporting requirements of each implicated data privacy regime. In Mexico, the 2010 Federal Law on the Protection of Personal Data Held by Private Parties requires maintenance of industry-standard physical, technical and administrative security measures designed to protect personal data from unauthorized damage, alteration, loss or use. Moreover, where there has been a breach of personal data, data users must promptly notify each and every data owner whose personal data may have been affected. This is a common requirement, so companies using cloud computing services should have communication processes capable of quickly and effectively notifying employees, or other data owners, about any potential breach in security.
Argentina's data protection law requires all data users to register public and private databases with its data protection agency. However, because Argentina's law was passed in 2000, it understandably does not fully anticipate the current use of cloud or Internet-based networks physically located outside of Argentina but reaching into the country for electronic personal data. For this reason, it is unclear how far Argentina's registration requirement reaches. While it seems clear that a company setting up a server in Argentina for use by employees working in the country would fall within this requirement, there is no guidance in how the requirement may apply to a cloud system that extends into the country. If the law works similarly to Spain's data protection law, the data user established in Argentina would register its database and identify its cloud services provider (i.e., data processor). In turn, that provider would be subject to the law even if it (and its subcontractors) is actually located outside Argentina.
Some countries, such as Uruguay, expressly allow cross-border transfers of personal data between or within a group of companies without any additional authorization in situations where the parent, subsidiary, affiliate, or branch receiving the personal data has adopted a conduct of code duly registered with the proper data protection authority. Once again, if your corporation operates in multiple countries, you should research these kinds of requirements before placing electronic data into the cloud.
Finally, you should research the enforcement mechanisms and potential penalties tied to any transgression of an applicable data privacy regime. Mexico, for instance, created a federal agency, the Instituto Federal de Acceso a la Información (or "IFAI"), to oversee its 2010 data protection regime. IFAI, which has operational, budgetary, and decision-making autonomy, is responsible for, among other things, proactively monitoring and enforcing compliance with the data protection regulations, responding to complaints from data owners, and imposing sanctions for non-compliance. IFAI has exercised its enforcement authority in the private sector, imposing several significant sanctions since Mexico's law went into effect. For instance, in December 2012, the IFAI imposed sanctions of over two million Mexican pesos (over $162,000 USD) on Pharma Plus S.A. de C.V., a company which operates pharmacies in Mexico, for failing to provide a sufficient privacy notice to patients filling prescriptions for psychotropic medications whose information Pharma Plus's pharmacies systematically collected. See Computerworld Mexico, Farmacias San Pablo, primera compañía multada por violar la LFPDPPP (Dec. 5, 2012).
Before you contract with a cloud computing services provider to put your company's electronic data into the cloud, or even if you already have, you can do so carefully and knowledgeably by examining the following four core issues.
Consider what kind of data you are putting into the cloud. Sensitive, critical, or regulated information requires additional security and may need to be segregated. Personal information, as noted above, is often governed by data protection laws and regulations.
Ask where your cloud provider's servers are located, where its primary users work and how your data is transferred. The answers to these questions impact legal jurisdiction and data protection laws, which you will have to research and understand for each country implicated.
Discern the cloud provider's policies for intrusion detection, reporting, and security audits. Ensure that the cloud provider communicates with you during every step of the data oversight process. This is crucial for complying with data privacy and protection laws, which often require prompt notification of any data breach and documentation of all steps taken to remedy the problem.
Understand who will have access to your corporation's data. Make sure you know what categories of employees at the cloud provider access your data, and confirm whether the provider uses any subcontractors who may require access. In addition, implement a process through which you can responsibly gather and process potentially responsive data from employees when faced with litigation or an investigation. This will often entail drafting a consent form, documenting the legal justifications for requesting the data, and engaging or consulting with outside counsel to better understand the local authorities.
By considering each of these four issues, and by reviewing and understanding the data privacy and protection laws that apply to your corporation's data, you can help reduce the risk of sanctions or heavy consequences for inadvertent missteps.
About the author
John C. Eustice is a member at the law firm Miller & Chevalier, chartered in Washington, D.C. His practice focuses on the counseling and representation of businesses and individuals facing complex civil litigation. He is a contributing member of The Sedona Conference® and regularly writes about and speaks on technological, cloud computing, and electronic discovery matters. He can be reached at firstname.lastname@example.org.