US Department of Commerce Clarifies whether US-EU Safe Harbor Applies to Cloud Computing | Practical Law

The Department of Commerce's International Trade Administration (ITA) has issued guidance clarifying the US-EU Safe Harbor Framework and how it applies to the transfer of personal data from the EU to the US via cloud computing. Significantly, the ITA does not view cloud computing as an entirely new business model or as presenting unique issues for the Safe Harbor.

by PLC Intellectual Property & Technology
Published on 18 Apr 2013 | USA (National/Federal)
On April 12, 2013, the US Department of Commerce’s International Trade Administration (ITA) issued a guidance document to provide clarification on the US-EU Safe Harbor Framework (Safe Harbor) and, in particular, how it applies to cloud computing. The ITA also clarifies that it does not see cloud computing as an entirely new business model or one that presents unique issues for the Safe Harbor.
The guidance document clarifies, among other things, that:
  • Both the Safe Harbor and the European Commission's (EC) adequacy decision regarding the Safe Harbor apply to cloud service provider agreements that involve the transfer of personal data from the EU to organizations in the US.
  • Cloud service providers that will receive personal data from an EU data controller must enter into a contract providing that the service provider will act only on behalf of and pursuant to the data controller's instructions and will comply with data security requirements applicable to the data controller, even where the cloud service provider is:
    • Safe Harbor compliant; and
    • only receiving personal data for processing.
  • The Safe Harbor does not require that the contract for data processing incorporate the standard contractual clauses adopted by the EC. To the contrary, the standard contractual clauses are required only where the data processor is not Safe Harbor-compliant.
  • The EC has not issued new requirements that would reduce the value of Safe Harbor certification for cloud service providers.
    However, the ITA draws attention to statements about the Safe Harbor that the Article 29 Data Protection Working Party included in its July 2012 opinion on cloud computing, while noting that the opinion is not binding on the EC or its member states.
  • EU and European Economic Area member states cannot refuse to recognize Safe Harbor certification as demonstrating that the service provider ensures an adequate level of data protection.