Cloud computing and data protection – black clouds over the cloud?
12 May 2017
Edited by, Bachir El Nakib, Senior Consultant, Compliance Alert (LLC)
Cloud computing has gained wide publicity over recent years and is said to be one of the key technologies for the next level of industrial evolution. However, this technology challenges entrepreneurs in various ways, in particular in terms of data security and data protection. The judgment of the European Court of Justice (ECJ) of October 6, 2015, which rendered the EU Commission’s US Safe Harbor decision invalid with immediate effect, has led to uncertainties.
Challenges posed by cloud computing
Cloud computing is the collective term for several kinds of services: in contrast to conventional data processing, hardware and software are offered as a service. Instead of purchasing their own IT systems, companies only pay for the use of such systems. The systems are operated in a decentralised manner and are shared with other customers. Flexibility and scalability are thus increased while at the same time costs are lowered. However, the ubiquity of data and information tends to result in the reduction of controllability of data-processing and security systems. This also means that there are potentially fewer possibilities for determining where and by whom data is stored and processed.
The legal requirements with regard to data protection thus at first seem contrary to the features of cloud computing.
The legal requirements, in particular with regard to data protection, thus at first seem contrary to the features of cloud computing. According to the German Federal Data Protection Act, the collection, processing and use of personal data are only permitted with the consent of the individual concerned or if expressly permitted by law. The law also includes the ‘purpose limitation principle’, meaning that the use of the data is in general restricted to a specific purpose and any use for another purpose has to be approved individually. Furthermore, there is a transparency requirement entailing information and notification obligations on the part of the data-processing entity.
In contracts with cloud providers a distinction has to be made as to whether data is transferred within the European Economic Area (EEA) or to ‘unsafe’ third countries, which include the USA.
Cloud providers in Europe
Within the EEA, ‘commissioned data processing’ is possible and recommended. To this end, the customer has to enter into a formal agreement with the cloud provider according to which the customer retains the right to issue instructions and exercise control. Furthermore there has to be an agreement about where exactly the customer’s data will be stored and that they have to be returned in a standard format at the end of the contract term. In the course of the commissioned data processing, the customer as client remains responsible for the use of the data while the cloud provider as contractor only uses the data for the purposes defined by the customer and in accordance with the customer’s instructions.
Cloud providers in the USA and other third countries
With regard to third countries the situation is considerably more difficult, as it includes a transfer of data which has to be specifically justified. The transmission of data to a third country requires a two-stage review. In stage 1, the data transfer to the cloud provider has to be justified, and in stage 2, the export of the data from the EEA has to be justified.
Unlike within the EEA, there is no privilege for commissioned data processing in the first stage so that a legal basis for transferring data to the provider is required. In many cases, companies can invoke their legitimate interest for the transfer. However, in these cases the Federal Data Protection Act still does not allow the transfer of sensitive data (so-called special categories of personal data), such as that pertaining to racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.
Before the decision of the ECJ, the Safe Harbor self certification of the US provider was an option.
In the second stage, an adequate level of data protection has to be ensured when transferring personal data out of the EEA. In this context, a distinction has to be made between ‘white list countries’ (Andorra, Argentina, Australia, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Canada, New Zealand, Switzerland, Uruguay) and other third countries. For these third countries, including the USA, an adequate level of data protection has to be ensured through additional measures, e.g. by standard contractual clauses, binding corporate rules or the consent of the individual affected. Before the decision of the ECJ, the Safe Harbor self-certification of the US provider was an option in these cases but is now no longer admissible.
Background and impacts of the Safe Harbor decision
As the ECJ has rendered Safe Harbor invalid, the selfcertification no longer serves as justification for data export to the USA. One reason for this decision is that the applicable rules and laws of the USA allow US authorities to access data of USbased cloud providers at their own discretion. From the EU point of view, this environment does not qualify as a ‘safe harbor’ for personal data.
The decision could directly affect any company transferring personal data from the EU to the USA, for example a German company providing employee data to its US-based parent company based on Safe Harbor. Indirectly, it can also be relevant for companies that depend on data transfers to the USA by their customers within the scope of their service provision, e.g. cloud providers and other IT service providers based in the USA rendering services to companies in Germany.
Cloud computing cannot be used in the same way everywhere.
Besides obtaining consent, which is in general not practicable, other available alternatives are the European standard contractual clauses and binding corporate rules. The standard contractual clauses have, however, increasingly been subject to criticism since the court decision and the regulatory authorities have announced that for the time being they will not approve of binding corporate rules. It remains to be seen whether the USA and Europe can politically agree on better data protection standards. Customers in the EU can currently only be recommended to protect their data transfer to US cloud providers by using European standard contractual clauses, and to follow the coming developments very closely.
Using the cloud – but only with special security measures
In summary, cloud computing cannot be used in the same way everywhere and is not equally suitable for all types of data. Sensitive data and business secrets should only be saved in a cloud with special security measures such as encrypting the data on the desktop first. When using providers outside Europe, customers should carefully study the applicable legal framework.
Data protection and privacy are often considered key risks when storing personal data in a cloud. The risks to your data in the cloud include:
loss or damage by your service provider and their staff
unauthorised disclosure or access
malicious activities targeting your service provider - eg hacking or viruses
poor security practices compromising data protection
Before choosing a cloud computing service, you should carry out a risk assessment of these hazards and their potential impact on your business.
Cloud and data protection laws
If you store or process personal data in the cloud, you will most likely have the overall responsibility for complying with the Data Protection Act 1998.
Under the data protection laws, a cloud customer is usually viewed as a data controller. This is because they determine the purposes for which and the manner in which the data is being processed. You are therefore likely to have the responsibility for how the data is handled, even if you don’t have full control over the cloud.
As a data controller, you must ensure that:
any processing of personal data is secure, even if this processing is being carried out on your behalf by a cloud provider
data isn't transferred outside of the European Union area, unless the destination country and the circumstances of transfer provide adequate level of protection
you have a written contract in place with your provider and their agreement to apply a high level of security to the data and only process this data in accordance with your instructions (eg delete it on request)
You will also want to establish:
what level of responsibility the provider will assume for the security, functionality and continuity of service
whether there are any provisions for compensation in the event of a security breach
If a cloud provider doesn't offer you assurances regarding the security or location of their service, it may indicate that they don’t put enough onus on data protection and the risk of falling foul of data protection legislation may be higher than necessary.
Levels of data protection
Service providers operate - and usually host - all the server requirements for a cloud computing system. These can include database management systems for data-intensive applications, such as those required for e-commerce or customer relationship management.
High levels of data protection are necessary for such applications, and you should check your contract or service level agreement carefully to find out what security measures your provider takes to protect your data.