Business is expanding across national borders at an accelerating rate. Most corporations of significant size have facilities in many countries. Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of costs associated with server maintenance. Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on applicable privacy and security issues.
For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries. The servers will, for the most part, be located beyond the borders of France. Personal data, which includes emails by definition, are subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Switzerland, Iceland and Liechtenstein) without the individual’s consent. Appropriately informed consent documents, then, must be drafted. Additionally, no data of any kind may be sent outside France, pursuant to the Blocking Statute, for use in a foreign judicial proceeding. Other states, such as Switzerland, have similar statutes. Criminal penalties lie for violation of these provisions. Data sent to Cloud repositories, then, with the intent of onward transfer for litigation, may run afoul of these laws. In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories for which the servers are located outside the European Union.
Companies registered with the U.S. Safe Harbor Program would need to amend their registrations to cover personal data in the Cloud repositories. The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar provisions) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.
Finally, multinationals considering the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds for data in Cloud repositories, and for retrieval and production of such data to governmental agencies and courts. Legal Holds are considered “processing” of data in the E.U., and must be done in a manner consistent with the Privacy Directives.
Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance. This is where Aujas can help.
This article was provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC.