The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.
On 7 February, the PCI (Payment Card Industry) Security Standards Council issued the PCI DSS Cloud Computing Guidelines Information Supplement. The PCI Security Standards Council develops, manages and raises awareness around payment data security through its PCI Data Security Standard (PCI DSS). PCI DSS compliance is a benchmark for online merchants and payment service providers. The Cloud Computing Information Supplement sits alongside, and does not replace, PCI DSS. The guidance will be of use to both cloud service providers and merchants using cloud technologies for the storage and processing of cardholder data. Using the guidance will help cloud providers and cloud customers to identify and define their respective security responsibilities, a process that is essential in achieving and maintaining PCI DSS compliance.
It looks like Europe’s Article 29 Working Party on data protection’s New Year’s resolution was to be helpful to data processors, as it has decided to launch Binding Corporate Rules (“BCRs”) for data processors from 1 January 2013. Previously, using BCRs to manage cross-border personal data flows was only an option for data controllers.
As a reminder, BCRs are a set of rules which an entity can voluntarily put in place between members of its corporate group, wherever they are located. The rules need to be blessed by the Information Commissioner, but once that has been achieved they provide some valuable benefits, including:
they allow personal data to be transferred freely intra-group; and
the whole corporate group is considered “adequate” under European data protection law meaning each member is able to receive personal data from others - so safeguards do not have to be assessed each time data is going to be transferred by a processor outside of the EEA and other adequate jurisdictions.
Data controllers (any entity which processes personal data relating to, say, its own employees) have been able to benefit from BCRs for some time, but now data processors, like multinational outsourcing companies and cloud service providers which process personal data (e.g. payroll, or medical data) as part of their external business operations (i.e. the services they offer to customers), will be able to take advantage. So an outsourcer based in the EEA could collect personal data from a customer located in the EEA, and then transfer that data to a subsidiary in India, under cover of the group BCRs. Obviously many outsourcers and cloud service providers use this business model now, but data protection compliance is currently an ongoing task, requiring the approved model clauses to be signed with each new customer.
Putting BCRs in place and obtaining ICO approval is not a particularly quick or easy procedure, but it is a one-off – apart from some required notifications. This new development offers an interesting opportunity for organisations which process significant amounts of customer personal data to potentially cut costs, reduce compliance risks, and perhaps find a new selling point as an ICO-approved cross-border data protection compliant service provider. Obviously someone in marketing might want to come up with a catchier strapline.
I have been advising recently on a potential claim relating to “ownership” of data, where a company outsourced some of its administrative functions and now, due to a perfect storm of a poorly implemented subcontracting arrangement and an insolvency, has no contractual right to obtain its data from the storage provider ultimately holding the data relating to the outsourced functions.
There are plenty of lessons to be learned from this scenario, but for this post I’ll comment briefly on “ownership” of data or information because last month, in an entirely unrelated data-related kerfuffle, the Technology and Construction Court refused an application made by Fairstar Heavy Transport to require an individual (its ex-CEO) and a cloud storage provider to hand over emails which had been forwarded to the ex-CEO’s service company’s email address, meaning that responses had not reached Fairstar’s servers. Worse for Fairstar, the forwarded emails were apparently automatically deleted from Fairstar’s servers. It was thought that the emails contained information important to Fairstar in respect of a different dispute involving a Chinese shipyard.
The application was made on the basis that Fairstar had a proprietary claim to “ownership” of the content of the emails – in other words, that Fairstar owned the content of the emails as property. Other legal issues prevented Fairstar from making other possible claims such as contractual “ownership” or an intellectual property claim – primarily that Fairstar was seeking to avoid enforcing the ex-CEO’s service contract for other reasons.
The judge dismissed the application after a review of the relevant case law, which he noted suggests strongly that in English law there is no general proprietary right in content or information. It’s a timely reminder that, despite increasingly expressed views that “the data belongs to X”, legal rights in data and information are less robust, and more complicated, than one might think. Various intellectual property rights may potentially exist in a data set, or an email exchange, depending on the circumstances, and the use of data or information provided by one party to another might be limited by contract – but don’t simply assume that “it’s our data”: it might not be that straightforward.