Cloud computing and data protection – black clouds over the cloud?
12 May 2017. Edited by Bachir El Nakib, Senior Consultant, Compliance Alert (LLC)

Cloud computing has gained wide publicity over recent years and is said to be one of the key technologies for the next level of industrial evolution. However, this technology challenges entrepreneurs in various ways, in particular in terms of data security and data protection. The judgment of the European Court of Justice (ECJ) of October 6, 2015, which rendered the EU Commission’s US Safe Harbor decision invalid with immediate effect, has led to uncertainties.

Challenges posed by cloud computing

Cloud computing is the collective term for several kinds of services: in contrast to conventional data processing, hardware and software are offered as a service. Instead of purchasing their own IT systems, companies only pay for the use of such systems. The systems are operated in a decentralised manner and are shared with other customers. Flexibility and scalability are thus increased while at the same time costs are lowered. However, the ubiquity of data and information tends to result in the reduction of controllability of data-processing and security systems. This also means that there are potentially fewer possibilities for determining where and by whom data is stored and processed. The legal requirements, in particular with regard to data protection, thus at first seem contrary to the features of cloud computing. According to the German Federal Data Protection Act, the collection, processing and use of personal data are only permitted with the consent of the individual concerned or if expressly permitted by law. The law also includes the ‘purpose limitation principle’, meaning that the use of the data is in general restricted to a specific purpose and any use for another purpose has to be approved individually. Furthermore, there is a transparency requirement entailing information and notification obligations on the part of the data-processing entity.

Cloud providers in Europe

In contracts with cloud providers a distinction has to be made as to whether data is transferred within the European Economic Area (EEA) or to ‘unsafe’ third countries, which include the USA. Within the EEA, ‘commissioned data processing’ is possible and recommended. To this end, the customer has to enter into a formal agreement with the cloud provider according to which the customer retains the right to issue instructions and exercise control. Furthermore, there has to be an agreement about where exactly the customer’s data will be stored and that they have to be returned in a standard format at the end of the contract term. In the course of the commissioned data processing, the customer as client remains responsible for the use of the data while the cloud provider as contractor only uses the data for the purposes defined by the customer and in accordance with the customer’s instructions.

Cloud providers in the USA and other third countries

With regard to third countries the situation is considerably more difficult, as it includes a transfer of data which has to be specifically justified. The transmission of data to a third country requires a two-stage review. In stage 1, the data transfer to the cloud provider has to be justified, and in stage 2, the export of the data from the EEA has to be justified. Unlike within the EEA, there is no privilege for commissioned data processing in the first stage, so a legal basis for transferring data to the provider is required. In many cases, companies can invoke their legitimate interest for the transfer. However, in these cases the Federal Data Protection Act still does not allow the transfer of sensitive data (so-called special categories of personal data), such as that pertaining to racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. In the second stage, an adequate level of data protection has to be ensured when transferring personal data out of the EEA.

In this context, a distinction has to be made between ‘white list countries’ (Andorra, Argentina, Australia, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Canada, New Zealand, Switzerland, Uruguay) and other third countries. For these third countries, including the USA, an adequate level of data protection has to be ensured through additional measures, e.g. by standard contractual clauses, binding corporate rules or the consent of the individual affected. Before the decision of the ECJ, the Safe Harbor self-certification of the US provider was an option in these cases but is now no longer admissible.

Background and impacts of the Safe Harbor decision

As the ECJ has rendered Safe Harbor invalid, the self-certification no longer serves as justification for data export to the USA. One reason for this decision is that the applicable rules and laws of the USA allow US authorities to access data of US-based cloud providers at their own discretion. From the EU point of view, this environment does not qualify as a ‘safe harbor’ for personal data. The decision could directly affect any company transferring personal data from the EU to the USA, for example a German company providing employee data to its US-based parent company based on Safe Harbor. Indirectly, it can also be relevant for companies that depend on data transfers to the USA by their customers within the scope of their service provision, e.g. cloud providers and other IT service providers based in the USA rendering services to companies in Germany. Besides obtaining consent, which is in general not practicable, other available alternatives are the European standard contractual clauses and binding corporate rules. The standard contractual clauses have, however, increasingly been subject to criticism since the court decision, and the regulatory authorities have announced that for the time being they will not approve of binding corporate rules. It remains to be seen whether the USA and Europe can politically agree on better data protection standards.

Using the cloud – but only with special security measures

Customers in the EU can currently only be recommended to protect their data transfer to US cloud providers by using European standard contractual clauses, and to follow the coming developments very closely. In summary, cloud computing cannot be used in the same way everywhere and is not equally suitable for all types of data. Sensitive data and business secrets should only be saved in a cloud with special security measures such as encrypting the data on the desktop first. When using providers outside Europe, customers should carefully study the applicable legal framework.
Data protection and privacy are often considered key risks when storing personal data in a cloud. The risks to your data in the cloud include:
- loss or damage by your service provider and their staff
- unauthorised disclosure or access
- malicious activities targeting your service provider, e.g. hacking or viruses
- poor security practices compromising data protection
Before choosing a cloud computing service, you should carry out a risk assessment of these hazards and their potential impact on your business.
Cloud and data protection laws
If you store or process personal data in the cloud, you will most likely have the overall responsibility for complying with the Data Protection Act 1998.
Under the data protection laws, a cloud customer is usually viewed as a data controller. This is because they determine the purposes for which and the manner in which the data is being processed. You are therefore likely to have the responsibility for how the data is handled, even if you don’t have full control over the cloud.
As a data controller, you must ensure that:
- any processing of personal data is secure, even if this processing is being carried out on your behalf by a cloud provider
- data isn't transferred outside of the European Union area, unless the destination country and the circumstances of transfer provide an adequate level of protection
- you have a written contract in place with your provider and their agreement to apply a high level of security to the data and only process this data in accordance with your instructions (e.g. delete it on request)
You will also want to establish:
- what level of responsibility the provider will assume for the security, functionality and continuity of service
- whether there are any provisions for compensation in the event of a security breach
If a cloud provider doesn't offer you assurances regarding the security or location of their service, it may indicate that they don’t put enough onus on data protection and the risk of falling foul of data protection legislation may be higher than necessary.
Levels of data protection
Service providers operate - and usually host - all the server requirements for a cloud computing system. These can include database management systems for data-intensive applications, such as those required for e-commerce or customer relationship management.
High levels of data protection are necessary for such applications, and you should check your contract or service level agreement carefully to find out what security measures your provider takes to protect your data.
Sources:
1) Nibusiness Info, UK
2) Norton Rose Fulbright