Out-Law Analysis | 07 Sep 2015 | 1:34 pm | 9 min. read
The current draft of the EU General Data Protection Regulation being considered by EU law makers does not suit the cloud services model, and could deter non-EU cloud providers from serving the EU market or using EU sub-services.
If the current draft becomes the Regulation then all service providers who handle personal data, whether or not cloud-based, will have to renegotiate contracts with data controllers to make sure liability is properly allocated.
Only data controllers, who control the "purposes and means" of processing personal data, are required to have obligations and liabilities under the existing EU Data Protection Directive of 1995, even where they outsource personal data processing activities to data processors. However, this is set to change under the new Regulation, with the legislation intended to replace the Directive and modernise the EU's data protection regime to ensure it is fit for the digital age. The EU institutions are aiming to finalise the draft Regulation by the end of 2015, with a two-year lead time before it takes effect directly in all member states.
Whilst officials from the European Parliament, Council of Ministers and European Commission are still ironing out final wording, the reforms would subject data processors directly to a range of data protection obligations and liabilities for the first time.
On data security, processors as well as controllers would have to provide a security level 'appropriate' to the processing's risks. This means that processors would need to conduct risk assessments for each customer and intended processing activity. Varying standards of data security for different types of processing are envisaged, but there would be practical difficulties for some data processors to implement this.
In an infrastructure cloud context, where providers offer commoditised mixed-use IT resources for customers' self-service usage, there must be a question mark over the feasibility of providers customising their security measures for different customers. In reality, providers might simply apply the stiffest data security measures to cater for the riskiest processing activities, but this is likely to push up the cost of cloud services for all customers.
Processors could also find themselves having to implement data security measures for processing activities governed, for the purposes of the new Regulation, by no data controller. This might include where the processing of personal data falls under the household exemption.
For example, a consumer webmail or photo-sharing service, even if the service is itself not a data controller, would be subject to the processor obligations, including on security, under the new Regulation. This raises the prospect of processors being held liable to pay compensation for damage resulting from a data breach that stems from consumers using weak passwords or succumbing to phishing attacks and where the fault for that breach does not lie with the processor. Under the proposed Regulation, as drafted, the onus would be on the processor to prove that it was not responsible for the 'event' giving rise to the damage. For example, a consumer could upload files to a cloud storage service where the files contain personal data regarding other people, who might then attempt to sue the cloud provider if the files are breached, whoever caused the breach, thus multiplying the processor's potential exposure.
Similarly, even if a breach was the data controller's fault, those affected might choose to sue any processor 'involved' in the processing if it is perceived as having 'deeper pockets', leaving it to try to claim back from the data controller.
Beyond data security
Beyond security, data processors would be subject to a number of other rules under the Regulation, if proposals being considered are implemented. They would face restrictions on international data transfers and be subject to new record-keeping duties. Depending on whose version of the proposed Regulation prevails, processors could also be under a legal obligation to implement "data protection by design and by default", such as when designing new products and services, and to appoint data protection officers.
Some potential obligations, such as on conducting data protection impact assessments and prior consultation with data protection authorities over planned processing activities, might be shared with data controllers, although these matters still need to be clarified.
As is the case now, data processors would also have to sign up to contracts with data controllers to govern the processing activities they would carry out on their behalf. However, under the new Regulation these contracts would be longer and more complex and prescriptive than is currently the case.
Proposals backed by the Council of Ministers (the Council) would, for example, require the contract to set out the subject-matter and duration of the processing processors would carry out, as well as the nature and purpose of the processing, the type of personal data and categories of data subjects.
In the cloud context, this would require providers to ask intrusive questions of customers, including what the customers intend to use their services for and what personal data they intend to process.
Processors also look like being required to open themselves up to audits by data controllers and data protection authorities, which might include on-site inspections at data centres and other facilities, although it is not yet clear whether regulators would have this power.
In addition, if the Council's proposals are implemented, processors would face contractual obligations to help controllers comply with their own obligations regarding security, security breach notifications to regulators and affected individuals, data protection impact assessments and prior consultation with regulators, and perhaps even, the European Data Protection Supervisor recommends, data protection by design and by default. There must again be questions over how those provisions could be followed in a standardised commodity cloud environment, and over how far a cloud provider would need to go in its assistance of each individual customer.
The Council has also proposed new rules that would require data processors to "immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or member state data protection provisions".
This would mean requiring processors to act as 'compliance police'. Every processor would need to have a thorough understanding of the GDPR and the data protection laws of the EU and every member state, and be forced to provide continuing legal advice to its controllers, which would raise costs all round. This is surely an unrealistic expectation.
As mentioned previously in relation to security, under plans being considered, data processors might find themselves on the hook for compliance failings they are not responsible for, such as where all or most of the fault for breaches lies with data controllers or consumers. Processors could be exposed to this liability risk if they are involved in any non-compliant processing of personal data, not just security breaches. The proposals are designed to make it easier for consumers to claim compensation where they have suffered any damage from their personal data being processed in breach of data protection rules.
Data processors might be given a legal right to claim back some of the money they pay out from other controllers and processors involved in the compliance failing, under the new rules, but this would require working out who is responsible for what part of the damage that is caused – no easy task.
Data processors will therefore want detailed liability allocation and indemnity provisions in their contracts with controllers, to reflect the changes in the law and clarify their exposure to risk.
The scope of the new Regulation
Data processors with an "'establishment" in the European Economic Area (EEA) and which process personal data "in the context of" that establishment's activities will be subject to the new Regulation. Those provisions are likely to be interpreted broadly, and it is not inconceivable that non-EEA processors that simply own or make use of a data centre in the EEA, with no other EEA connection, could be held to have an "establishment" in the region for the purposes of the Regulation.
Processors caught by the Regulation on this basis would need to ensure that their processing of personal data throughout the world adheres to the rules set out in the Regulation, if the European Parliament has its way.
Non-EEA processors will also be caught by the Regulation where they process personal data of people within the EU for the purpose of offering goods or services to those individuals or to monitor their behaviour, even if they do not have an establishment within the EEA.
Those provisions will have implications for cloud and other internet service providers.
For example, suppose a US business hosts its e-commerce website using a US IaaS or PaaS cloud provider or non-cloud web host, and the business offers goods or services to EU data subjects. In those circumstances, not only would the cloud customer be subject to the Regulation, the cloud provider would too, as its 'processor'. This is even though it would merely be providing IT resources for use by the customer. Not only that but the cloud provider's entire worldwide data processing activities could be subject to the EU's data protection regime. This widening of EU territorial jurisdiction to non-EU businesses seems a step too far.
Impact on the cloud market
I suggest that cloud providers that act as 'mere facilitators' of personal data processing, only providing IT resources for direct self-service use by their customers, should generally not be bound by new EU rules being proposed for data processors.
It would be unfair for cloud providers operating infrastructure or platform-as-a-service models (IaaS/PaaS), or those providing pure storage facilities, to face broad, prescriptive and burdensome data protection obligations and liabilities if they have no knowledge or control over personal data processed using their services.
However, that is a very real prospect under plans for the new General Data Protection Regulation.
If current proposals on the table make it into law, as seems likely, many cloud providers based outside of the EU could decide to stop serving the EU market. This would have a knock-on impact on price, choice and innovation in the trading bloc, particularly as many start-ups use cloud services for speed to market.
The planned reforms look like they will force data processors to take on new staff, from data security experts, to compliance police and data protection experts and advisers, and to adapt their data protection standards globally when engaging with EU-based customers.
There is a risk that this could prompt non-EEA cloud providers to raise their prices, refuse services to EU-based customers, refuse to handle personal data or at worst close their entire EEA operations. They might stop operating data centres in the trading bloc and withdraw free services to consumers. This would have a major impact on innovation and availability of services.
Another possibility is that non-EEA providers could ignore the new Regulation's most demanding provisions, particularly if they consider them to be too broad and especially if they consider that data protection authorities would have difficulty in enforcing the rules against them in practice. The potential for huge fines to be levied against those companies is likely to focus minds at those companies, however, even at boardroom level.
There needs to be a rethink of data protection rules' application to cloud computing, which is very different to past computing services that the current and indeed the forthcoming new EU data protection laws seem to reflect.
Thought should be given to providing infrastructure cloud providers with the kind of defences and immunities available to neutral intermediaries under the EU's E-Commerce Directive.
That legislation generally absolves businesses that merely host, store or facilitate access to illegal content of liability for that material, and instead places responsibility for it on authors and publishers of the content. Only where the intermediaries obtain actual knowledge of the illegal content their services are supporting do their responsibilities to remove or block access to it kick in.
A similar approach would make sense for data protection obligations and liabilities in the cloud computing environment, where providers acting as intermediaries and operators of the supporting IT systems would not be held responsible for data protection matters they have no knowledge or control over.
For example, IaaS cloud providers would not have any data protection or security obligations if data controllers upload encrypted personal data. The responsibility for data security in that context would rest with the data controller as the cloud provider would have no knowledge of the types of data being uploaded by those companies. The data controller could discharge that responsibility for example by contractually requiring the provider to backup the encrypted data, but equally it could backup the data elsewhere - the main point is that it should be for the controller to decide on and implement protection for its data.
Privacy is very important, but laws need to be sensible, and perceived as sensible and at least attempt to strike a reasonable balance between competing public interests, in order to have any chance of being respected and obeyed on the Internet.
Unfortunately, the plans for the new General Data Protection Regulation are not technologically-neutral. They require customisations which aren't likely to be possible with commodity cloud, and it seems to cast the net far too widely, while not clarifying sufficiently the allocation of responsibilities and liabilities between controllers and processors. EU law makers still have a chance to address these concerns in the final stages of negotiations.
Kuan Hon is a consultant lawyer to Pinsent Masons, the law firm behind Out-Law.com. A version of this article was published previously by the Society for Computers and Law. Pinsent Masons is hosting a series of free seminars on the General Data Protection Regulation this autumn.