Castlebridge Associates

HP have announced an "interesting" service which will allow people to print from mobile devices to printers using an email address. Your document will then be whisked off to HP's DataCentre from whence it will find its way to your printer. 

Magical.

But as with all magic there is a dark side.

1. Assume you have encrypted your laptop (to protect personal data that might be held in documents on it). Then you print off to this HP service. You are moving from a secure environment that you control to an environment that is governed by HP and may not be as secure.  When the document gets to the printer, it could sit unattended for a period of time before it is picked up by the intended recipient (I used to spend a few minutes every day in my old job dumping uncollected print jobs into the confidential waste bin as they built up during the day even under the current "state of the art").
2.  By stepping into the processing space (by reformatting documents etc) HP becomes a Data Processor under the terms of the Data Protection Acts and the Data Protection Directive. Therefore, they will be obliged to register as Data Processors in the 27 EU Member states if they are processing data for organisations (or individuals) who fall into the following categories:
   1. Government bodies & Public Authorities
   2. Financial Institutions (including, in Ireland, anyone who is licensed under the Central Banking Act 1971 or the EC Communities (Licensing and Supervision of Credit institutions Regulations 1992)
   3. Credit Institutions
   4. Insurance Undertakings (as defined, in Ireland, by S2 of the Insurance Act)
   5. Persons whose business consists wholly or mainly in direct marketing
   6. Person whose business consists wholly or mainly in providing credit references
   7. Persons whose business consists wholly or mainly in collecting debts
   8. ISPs
   9. Telecommunications/Electronic Communications Network or Service providers
   10. Anyone processing personal data related to physical or mental health
   11. Persons who process genetic data
   12. Anyone whose business consists of processing personal data for supply to others
   13. Data processors who process personal data on behalf of Data Controllers who fall under one or more of the above categories.
3. As HP would be a Data Processor, Data Controllers (i.e. companies) using the HP service will need to ensure that they have in place a contract with HP that governs the terms under which the data is being processed, the purposes for which it is being processed, and put in place mechanisms by which the Data Processor can be assured of the adequacy of internal controls etc. around the protection of personal data. One would have to ask if HP are geared up to provide this or if the terms & conditions of the service are such that that condition could be met.
4. The transfer of the personal data which might be contained in a document to the HP DataCentre raises concerns regarding where that DataCenter might actually be. EU Data Protection regulations preclude the transfer of personal data outside the EU/EEA borders (with some exceptions).
5. The potential for SPAM abuse has been identified elsewhere. The HP service would seem to straddle the world between abuse of telephony-based fax and email spam. Either of these carry significant penalties under Irish Law (and indeed under UK and other EU jurisdiction laws). A concern is that the means of operation might fall between the two stools in terms of how the communications medium is actually defined in law (relevant law in Ireland can be found here)

On one hand, the HP service is a wonderful evolution and when Google rolls out their equivalent service as part of their ChromeOs it will be part of the shift away from a desktop based working world. On the other hand however, just because you can doesn't mean you should and with great power comes great responsibility.

Data Controllers should approach services of this kind with a sensitivity to the Data Protection risks involved.