Microsoft and model clauses - where the cloud stands after Safe Harbor

With the implications of the European Court of Justice's (ECJ) decision to strike down the Safe Harbor provisions sinking in, attention has turned back to Microsoft’s ongoing battle with the US government which threatens to make matters even worse.

The top level story so far : the US authorities took out a warrant to support its pursuit of drug investigation, demanding that Microsoft hand over customer data stored on a server in Ireland.

The government argues that as Microsoft is a US company, it is covered by US legislation and regulation that reaches across borders into operations based in other countries.

Microsoft says that the data is covered by European data privacy and protection laws - and specifically the Irish interpretation and enforcement of those.

The ramifications of the US government’s interpretation being upheld would of course set a precedent that US law enforcement agencies can demand access to data stored on servers or within US-headquartered companies anywhere around the globe.

Following the loss of Safe Harbor, and in light of the post-NSA scandal paranoia around the world, the impact of such a precedent could have major ramifications for US cloud computing firms trying to do business around the globe.

Further, it could make non-US buyers wary of dealing with US cloud firms - who make up the overwhelming majority of the cloud industry - and as such end up in a cloud computing slow lane.

Just me being alarmist? Hardly. Last month Frank Jennings of law firm Wallace LLP, recognised as one of the most informed cloud legal experts, warned on his blog:

I’m not one to be dramatic, but this ruling could affect the whole of US cloud business in the EU. If the US government can get access to data simply because there is a US provider in the supply chain, that is likely to result in customers favouring non-US supply chains.

Which is fine, but we don’t have an enormous non-US supply chain to choose from. (And before Skyscape, Huddle et al get in touch, yes, I know there are non-US options and very good ones at that, but just not as many and certainly not at global scale.)

It matters

So Microsoft v the US matters to us all - and so far the courts have been leaning in the government’s direction.

The case has now reached the Second Circuit Court of Appeals in New York, to which Microsoft's external counsel Joshua Rosenkranz submitted written argument on Tuesday in the wake of the Safe Harbor decision, claiming that it has a bearing on the Microsoft case. He wrote:

This opinion could subject US companies to charges of violating European law any time they transfer personal data to the US, especially when US law-enforcement agencies instigate the transfer.

He added that the Safe Harbor decision:

underscores that the subject of cross- border data transfers is fraught and easily gives rise to international discord. Accordingly, Congress must be permitted to decide whether the benefits to US federal, state, and local law enforcement of extending ECPA [Electronic Communications Privacy Act] abroad outweighs the risks to US industry and US-EU relations.

A ruling in the case is unlikely for months with the outcome now all the more important in light of the ECJ’s move. Earlier this week at a debate at the American Enterprise Institute in Washington DC, US privacy lawyer Bryan Cunningham warned:

We’ve seen what happens when the government feels constrained in getting the information it needs — it finds ways to break into the connections between American service providers overseas. It finds ways to get the data, and I don’t think we want to incentivize that.

Asked his view of transatlantic data transfer in light of the Safe Harbor ruling, Cunningham was blunt:

I think the summary of it is ‘chaos’.

Model moves

Meanwhile cloud services providers have been playing the ‘keep calm and carry on’ card, with several, including Salesforce and Microsoft, pointing to the use of so-called model clauses in contracts as a guarantee to customers that their data will be safe.

Microsoft’s Chief Legal Officer Brad Smith wrote to customers:

For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today.

Beginning last year, we included compliance with the EU Model Clauses as a standard part of the contracts for our major enterprise cloud services with every customer. Microsoft cloud customers don’t need to do anything else to be covered in this way.

This is something that we’re going to see a lot more of. Salesforce announced on Tuesday that:

In light of the European Court of Justice’s decision regarding the EU-US Safe Harbor Framework, Salesforce is immediately making available a data processing addendum that incorporates the European Commission’s standard contractual clauses, commonly referred to as “model clauses”.

That’s great and we’ll see a lot more of this, but this approach has its own ramifications. To the standard model clauses, users and providers are going to have to add details of data involved and what security steps are being taken to protect that.  That's likely to be mean extra time, cost and paperwork on both sides.

As Sharon R. Klein and William M. Taylor at US law firm Pepper Hamilton LLP note:

Prior to the [ECJ]’s ruling, these [model clause] alternatives were time-consuming and expensive. This [Safe Harbor] ruling is likely to make these alternatives even more expensive and time-consuming because it enhances the role of each of the 27 different data protection authorities by clarifying that each one must examine the complaints from EU citizens regarding the processing of personal data in another country, even if the Commission has ruled that the other country provides an adequate level of protection.

In addition, neither Binding Corporate Rules nor Model Contractual Clauses shield companies from US government requests for personal information. Consequently, these mechanisms are subject to the same issues cited by the [ECJ], and it remains to be seen whether they will be challenged in the future.

On his blog, Wallace LLPs’s Jennings explains:

Clauses alone are not sufficient. The data controller customer must ensure the data processing IT provider actually has appropriate data protection processes and systems in place. The UK Information Commissioner recognises that this adjustment to comply with the ruling will take time so, in the absence of data breaches, immediate enforcement against organisations is unlikely.

My recommendation, naturally, is to ensure all contracts contain robust data protection clauses. This is not just true of new contracts – where this case will make it an obvious topic of discussion – but you might need to revisit existing contracts too and adjust them.

Or as he told me yesterday:

Clauses are vital and retro fitting is fine, but they must be accompanied by processes and systems. Providers should demonstrate they comply, not just write clauses.

My take

The end of an important week for the cloud industry - and not in a good way.

For the next few weeks, we’ll see more announcements of new European in-region data centres from US vendors - hello Box! - and more US firms trotting out ‘model clauses included’ messaging, while European firms like Skyscape and Huddle will, quite rightly, play an opportunistic indigenous European card.

Somewhere in all this, we can only hope that the more fervent forces in Brussels are getting ready to back down from some of their draconian demands in order to reach some form of workable compromise with the US.

At the IP Expo trade conference in London this week, keynote speaker Jimmy Wales, founder of Wikipedia, warned:

It concerns me that we may be moving to a balkanized era, where data has to be held in a country very specifically across many different jurisdictions.

Good work everyone, good work.