“Cloud” is the collective term for server-based offerings for data processing.
Cloud computing has become an essential element of the IT sourcing strategy for many companies.
IT, legal, and procurement staff in companies are faced with the fact that comprehensive know-how in many areas — not only in technology — is now necessary if cloud services are to be used responsibly, economically, and in a way that is legally compliant with the regulatory frameworks that apply.
There is no way around data protection when planning cloud services. For companies, the use of cloud services often implies that personal data of others are stored and processed on IT infrastructures of cloud service providers. Thus, data protection aspects inevitably should be taken into account from the very beginning.
The European General Data Protection Regulation (GDPR) will become binding as of 25 May 2018. It is a must to prepare for it ahead of time.
The European General Data Protection Regulation (GDPR) will become binding in all EU countries as of 25 May 2018. It establishes a fundamental and modern legal framework that impacts many aspects of cloud computing – on technical, organizational, and economic layers.
The GDPR impacts enterprises not only within the EU, but also abroad. With this, the EU is sending a clear signal with the intention of showing how a society can react to rapidly changing technical circumstances.
But the GDPR is a challenge for many companies – for providers and users of modern IT services alike. This challenge should not be underestimated, and it is a must to prepare for it ahead of time.
The Cloud Privacy Check (CPC)
In four simple steps, the Cloud Privacy Check advises on questions to be asked of cloud service providers.
To help companies tackle this challenge, EuroCloud Europe has launched a dedicated stream “Cloud Know-how” under which EuroCloud Europe presents tools, checklists, and further know-how to help companies implement the required To Do's.
The Cloud Privacy Check (CPC) is one element of the stream “Cloud Know-how”. The CPC's achievement is to present a seemingly complex topic – data protection – in a way that is easily understandable. The CPC identifies suitable and practicable courses of action to become compliant when moving data into the cloud. The CPC does not replace legal expertise, but it structures and simplifies a complex subject without the loss of essential information.
Within the CPC, the questions cloud users should address to cloud service providers are grouped in four simple steps. The questions help cloud users understand the future setup they will find. And as understanding is a prerequisite for control, the CPC helps to guide cloud users on their journey into the cloud.
The Cloud Privacy Check was developed by the authors of this article. Subsequently, the European CPC Network, a network of more than 50 lawyers from within Europe, Switzerland, and Turkey, assessed and approved the methodology. The European CPC Network is the result of a cooperation between law firms in around 30 countries. The information provided here, i.e. the CPC itself and the individual country reports, can also be downloaded from the CPC website: cloudprivacycheck.eu
How We Are Making Things Difficult for Ourselves
With the GDPR, things have become serious. Any grave mistake can result in serious commercial and legal consequences as well as damaged reputations. It should also be noted that the fines stipulated by the GDPR for non-data-protection-compliant outsourcing can range up to 20 million Euro or 4 percent of the previous year’s global revenue of an offending company, depending on which sum is greater.
Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. However, prior to the new GDPR coming into effect, the combination of the often small but nevertheless significant differences between various EU member states could make it an almost insurmountable challenge without proper legal accompaniment from the very outset.
Guidelines like the CPC will be of fundamental importance in the transition period after the GDPR comes into effect.
With the GDPR’s entry into force on 25 May 2018, certain data protection laws will be harmonized across the EU, thereby causing national particularities to take a back seat. But in turn, a new source of uncertainty will be introduced, namely the application of the GDPR in the context of the use of cloud services. For the GDPR creates a new legal framework that can no longer be applied in the respective national “legal tradition”, instead necessitating EU-wide uniform application of the GDPR regulations. This leads to uncertainties regarding the way in which the new and simultaneously quite complex requirements of the GDPR are to be interpreted and applied in concrete use-cases. Particularly in the transition period immediately after the GDPR comes into effect, i.e. until standards for its jurisprudential interpretation and application have emerged, guidelines like those offered by the CPC will be of fundamental importance.
Data Protection and Cloud Computing
Cloud services provide a high potential for increasing efficiency in the business world. However, from a data protection perspective, the following aspects are identified as critical:
- Risk due to involvement of a third party: With the cloud service provider (CSP), a third party becomes involved in the processing of personal data by the cloud service customer (CSC). From the point of view of the affected person whose rights are to be protected, this represents an increase in the risk that unauthorized persons might be able to access the data being processed.
- Loss of control: An increase in the number of people authorized to access the processed data means an increase in the challenge of obligating all involved persons to act according to data protection laws, as well as the challenge of verifying the observance of all data protection obligations. The term “loss of control” refers to the fact that the affected person often does not know who the authorized third parties are, or has no way of monitoring them.
The use of cloud services seems to be accompanied by serious obstacles for the cloud user in terms of data protection.
There is no doubt that data protection law is capable of regulating cloud services in compliance with data protection requirements. The problem is largely one of perception.
These concerns can be put into perspective as follows, however:
- On risks due to the involvement of a third party: These risks are not actually new. Prior to the introduction of cloud services, the division of labor in the digital world had already been characterized by the involvement of third parties for the processing of personal data. In fact, data protection law already offers a suitable tool for managing this situation in the form of so-called “contracted data processing”. Properly devised cloud services are actually capable of providing better protection against unauthorized accessing of personal data than traditional outsourcing infrastructures.
- On the fear of loss of control: This concern may have been fueled by the image of the “cloud”. While it is true that the provision of cloud services often occurs with the involvement of third parties as well as across national borders, this is nothing new to data protection laws and has already been standard practice for a long time.
The peculiarity of cloud services may be the fact that such constellations are now coming into widespread and mass-market use. This does not change in any way the fact that that these constellations are perfectly controllable from the legal perspective of data protection. For the involvement of subcontractors, data protection law offers the tool of contracted data processing, and the individual data protection laws stipulate specific requirements for transborder data processing.
In summary, there is no doubt that data protection law is capable of regulating cloud services in compliance with the requirements of data protection. The reason for concerns regarding cloud services is apparently twofold: (1) various data-protection-related requirements apply to cloud services; (2) the circumstances affecting them are complex.
The Cloud Privacy Check Solves a Perception Problem
The CPC clarifies the fundamental questions and points out the relevant instruments provided by data protection law.
Experience has shown that legal analysis in terms of data protection is overly complex in parts, which promotes legal uncertainty rather than reducing it.
The Cloud Privacy Check mitigates this complexity by clarifying the fundamental questions and pointing out the relevant instruments provided by data protection law:
First and foremost, the CPC establishes that the fundamental questions can be approached systematically. The various current national data protection legislations as well as the new GDPR pose the same fundamental questions, which the CPC clearly identifies and discusses.
Furthermore, the CPC also shows that the abovementioned fundamental questions can be answered using the appropriate instruments (CPC Toolbox) provided by data protection law.
The Four Steps of the CPC
The CPC relies on four steps, marking four criteria that need to be analyzed when assessing the legality of a cloud computing setup:
Step 1 (personal data) and Step 2 (third party involvement) together address the question of whether the use of the cloud service is relevant in regard to data protection law. Taken together, these two criteria mark the transition point in the analysis relating to data protection law. The CPC considers these two criteria in steps 1 and 2. It identifies action items that may need to be implemented.
Steps 3 and 4 of the CPC address the measures required under data protection law for certain constellations that are typical for cloud services (the cloud service provider is located abroad and/or the cloud service provider uses subcontractors).
The result of this four-step process is the CPC. Please visit cloudprivacycheck.eu to learn more about the CPC and run through the CPC workflow.
Overall, the CPC relies on a modular approach to deal with legal issues. Just as is the case for the CPC, the authors also break down other GDPR-related work into packages so a customer can easily understand the measures that will need to be implemented to achieve GDPR compliance. Please contact the authors to learn more or visit cloudprivacycheck.eu, eurocloud.org.
Tobias Höllwarth has worked as a corporate consultant specialized in IT projects for over 20 years. In addition to his work at the Vienna University of Economics and Business he also founded the companies Höllwarth Consulting, ICT Advisory Network and Sourcing International. Tobias Höllwarth was a founding member of EuroCloud Austria where he is today a member of the Board and is the director for the international StarAudit program and president of EuroCloud Europe. He acts as an expert for questions pertaining to certification at the Austrian Standards Institute and is leader of the Austrian delegation that participates in negotiations with the International Organization for Standardization (ISO) where cloud computing is concerned.
Dr. Jens Eckhardt is an Expertise Lawyer in IT-Law and Attorney-at-law in the dmp Derra, Meyer & Partner as well as a certified Privacy Auditor and Compliance Officer. He is also a member of the executive board of EuroCloud Deutschland_eco e.V. Since 2001, he has been practising law in the fields of IT-law, Privacy Law and Telecommunications Law. Since then he has also been regularly holding lectures and has published articles and books, in particular on the various aspects of Privacy Law and IT-Law.
Dr. Christian Laux, LL.M., lawyer, is a partner at LAUX LAWYERS AG, a Zurich and Basel based law firm specializing in all areas of information law. Dr. Laux has many years of experience with, and advises clients comprehensively on, legal issues related to information technology, data governance, and data protection. In particular, he supports the planning, procurement and implementation of outsourcing and IT implementation projects and advises on complex projects with regard to data protection law. After completing his legal studies in Zurich, Paris and Stanford University (CA) Dr. Laux gained working experience in large law firms in Zurich and Mountain View/San Francisco. He has earned a PhD at the University of Zurich, gives regular presentations on current topics of his work, and occasionally publishes comments to case law. Dr. Laux is fluent in German, English, and French, and speaks Russian.
Hon. Prof. Dr. Clemens Thiele, LL.M., lawyer, is founder and partner of Goetzl Thiele EUROLAWYER® Salzburg. He was one of the first Austrian attorneys holding a registered trademark for his legal profession. He delivers high quality legal advice to small as well as international enterprises, mostly regarding data protection issues and IT/IP-law. After completing his legal studies in Salzburg and San Francisco (GGU) Dr. Thiele gained working experience in German, Austrian, and US lawfirms. He publishes regularly in Austrian law reviews and online and gives various lectures and seminars on topics of his working experience. In 2014 the University of Salzburg (department for civil law) conferred the title of Honorary Law Professor on Dr. Thiele for his outstanding jurisprudential and academic achievements.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.