Outsource Magazine

In Part 1 of this article we provide an overview of some of the current data protection issues inherent within cloud computing and consider the data protection benefits gained from using the cloud. In Part 2 we'll look at the trend towards cloud usage in spite of those issues and the data protection developments to watch out for in 2012.  

Take-up of cloud computing services (CCSs), from small start-ups to corporate multi-nationals, in both the public and private sector has been growing steadily. CCS can enable considerable cost benefits due to its flexibility – clients may pick and choose services; arrange short- or long-term access to outsourced IT software and hardware solutions, terminating some in part or in whole; and choose from an ever-increasing variety of cloud computing service providers (CSPs). For many, particularly in recessionary times, the advantages have become increasingly compelling.  

CSPs and their most avid users alike will acknowledge, however, that when it comes to issues surrounding data protection, the current cloud forecast can probably, at best, be described as "plenty of grey areas, perhaps brightening up slowly later".  

An issue in itself is the complexity of the CCS options available. Depending upon the requirements of the user, a CCS agreement can provide for single tenanted service provision, used by only one customer (a private cloud), or multi-tenanted service provision involving many customers sharing resources (a public cloud), or a hybrid of the two.  A cloud user may themselves be the end client recipient or may be a software vendor recipient with their own third-party customer service recipients.  

Depending on the type of CCSs being provided, CCSs may take the form of: software application services, eg the provision of email, word processing, CRM, spreadsheets and accounting services (Software-as-a-Service (SaaS)); website platform services, eg the provision of data centres (Platform-as-a-Service (PaaS)); or computing resources and infrastructure services, eg the provision of  servers, processing, storage, network equipment, memory, CPUs, disk space, and data centre facilities (Infrastructure-as-a-Service/Hardware-as-a-Service (IaaS)).  As is to be expected, with the variety of options comes the myriad of potential data protection issues which may attach to any aspect of each of them.  

Whether you are yourself a CSP; already utilise CSPs services to good effect; or still view the benefits of moving to the cloud insufficiently outweigh the potential exposure to data protection hazards you feel you will inevitably encounter; you should be considering all the issues and some potential developments on the horizon in 2012 which should provide further clarity.

The data protection issues inherent in the cloud

Where is the data?

Under EU law¹ the position where CCSs are hosted in the EEA² is that the data controller, as opposed to the data processor, is responsible for ensuring compliance with the EU DP Directive.  When choosing a CSP therefore, the data controller, by way of suitable written contractual provisions, must ensure that:

• security measures will be enforced;
• controls are imposed over how data is held and expressly state that data will only be processed on the data controller’s instructions; and
• audit rights are granted to check such controls are in place.

The data controller should obtain assurances that the data processor has appropriate technical and organisational measures in place to keep any personal data secure and will use best/all reasonable endeavours to ensure data is kept securely, is not destroyed, will be retrieved if lost etc. It should be noted that even within the EEA, the law is not completely uniform as each state has implemented the EU DP Directive in slightly different ways.  

More significant issues arise still where personal data is transferred to a country outside of the EEA if that non-EEA entity has inadequate data protection. Non-EEA transfers may occur for a variety of reasons: eg where the CSP provides hosting services outside of the EEA as a matter of course; where additional support or maintenance services provided by third parties who are given access (with or without consent) to personal data are outside of the EEA; or where users themselves access personal data remotely, or, having obtained personal data from the cloud, physically take a device outside of the EEA.  

Is the data adequately protected?

Where personal data is transferring outside of the EEA, the data controller has the added task of satisfying itself that the importing country has an adequate level of protection, taking into account the circumstances of the transfer (e.g. whether the data is also ‘sensitive data’, how long it is to be stored, the size of the data transfers etc). Some comfort can be taken from certain non-EEA countries having already been pre-approved by the European Commission as meeting the EU’s standards (‘white-listed countries’): Andorra, Argentina, certain organisations within Canada, the Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland and US companies who have put in place ‘safe harbour’ regimes, have all been deemed acceptable.  

However, outside of those jurisdictions, or, in the case of the US, where a business is not a safe harbour organisation, data controllers must satisfy themselves that personal data will be adequately protected - no easy task to effect and achieve, even where the data controller has full knowledge, is properly informed and has done everything it can to contractually provide for all necessary safeguards to be put in place. Ensuring compliance will be made particularly difficult however if, for example, CSPs use a number of servers in different locations or move personal data around (either with or without consent) to implement business efficiencies such as to gain benefits from economies of scale. Potentially impossible, some may feel, where CSPs choose not to reveal or are not forthcoming when asked for information about where they will be storing data, either at the time users are making choices about which CSP to use or at contract negotiation stage.

Who is in control?

It would be a valid assumption that in most instances the user of the CCSs will be the data controller who instructs the CSP, the data processor, who must only process the data in accordance with the user’s instructions. CSPs will therefore legitimately argue that, as mere processors, they cannot accept liability for certain things, eg obtaining of consents from data subjects, the quality of the data stored on their servers, control of that data etc. The counter-argument for the user is that in reality they too may not have much actual day-to-day control over certain aspects of the handling of the data, such as the actual security measures in place, how the data is stored etc.

In certain situations, the balance may change.  Whilst not in ‘control’ of data, the CSP may be in a position on occasion where it must move the data in circumstances where it may not be practical to expect the CSP to consult with the user (or indeed the data subject) in every instance. The extent to which data controllers must concede the CSP’s right to deal with the data, effectively relinquishing control over it, will depend upon the situation and the bargaining power of the parties. For example, it might be appropriate where disaster recovery plans must be effected, or where capacity and storage issues mean that data must be moved to servers at different locations, if group company structures change or where subsidiaries are re-located etc, for the CSP to be allowed to maintain some control over what it does with the data.

A great concern for both CSP and user is if the CSP effectively becomes the data controller as this will result in both user and CSP being jointly responsible for control of the data, the CSP having to accept responsibility for breaches of data protection law, and the user in a difficult position regarding assurances made to its ‘data subjects’ that the user will have full and total control of the data (eg its location, who has access to it, who has rights of audit over it) at all times.

Has the data subject consented to the processing?

All processing in respect of any individual’s data must be done with the consent of the data subject in a fair and lawful manner. As has been outlined above, issues will arise where, due to the CSP’s commercial practices, data may be moved where consent has not been obtained. In addition, some CSPs may require that users consent to the passing of data to third parties, for advertising purposes for example, which, unless users have obtained a data subject’s consent, should be resisted, although that may not be possible where users are forced to deal on CSPs’ standard terms.

The data protection benefits from using the cloud

Expertise of CSPs

Despite perceptions, the cloud is not new.  With the exponential growth in CCS take-up, established CSPs have been forced to adapt and become quite expert in understanding both users’ concerns and fears and the global data protection regimes they must operate within.  By way of contrast, many companies are not as clued up about their data protection obligations, and should consider the mutual benefits gained from utilising CSPs as both a mechanism for secure offsite data storage as well as a way of becoming compliant with their data protection obligations.

Standardisation

As users, CSPs and regulators encounter new problems and issues with data protection and CCS, more standardisation is developing, in terms of the way contracts are negotiated, the way legislation and policies are being changed, and the service offerings that are being provided. All parties will benefit from greater standardisation in this area, both at EU level and globally in terms of cross-border transfers of data. (In Part 2 we'll look in further detail at the EU’s future proposals in respect of amendments to the existing data protection legislation as it applies to CCSs, Standard Contractual Clauses and Binding Corporate Rules).

Human error

We will all have seen in the news the various instances of very serious breaches in terms of data security, and it has been evident that considerable numbers of data protection breaches occur due to human error as opposed to technical failures or inadequate data protection provisions. Employees, whether due to malice, negligence, or oversight are a considerable risk to any business’ data security.  It is arguable that using CCSs as opposed to relying on individuals to store data on portable devices is perhaps the preferable option in the light of those potential hazards.

Other use of technology

Arguably, other uses of technology in the workplace are far less secure than using CCSs.  Companies frequently allow their staff to use other technology in uncontrolled environments, such as allowing general employee internet usage, the sending of inadequately encrypted highly confidential emails, use of social networking sites in the workplace, the use of contractors, sub-contractors and agents without full confidentiality agreements or IT use policies in place, etc.  Users’ and CSPs’ contractual provision for use of CCSs provides greater potential, usually resulting in a business having much greater control of its information and the way it is chosen to be stored, arguably resulting in far less exposure than the use of other technologies.

1 The EU Data Protection Directive (“EU DP Directive”) was passed in 1995 which each EU member state then implemented into their own country’s laws.  In the case of the UK this was done by way of the Data Protection Act 1998 (“DPA”).  All italicised terms in this article are as defined in the DPA.

2 The EEA is made up of the 27 EU member states plus Norway, Iceland and Liechtenstein.

About the Author

Michelle Sherwood is a partner within the Commercial and Technology Unit at national law firm Shoosmiths, working on a wide range of commercial matters with a specialism in IT. Michelle advises a variety of businesses on non-contentious commercial matters. Her areas of specialism include: IT contracts, e-commerce, software licences, convergent technologies and the internet , agency agreements, distributor agreements, confidentiality agreements, manufacturing agreements, property management agreements, outsourcing agreements, haulage contracts, supply agreements (including key raw materials and supply of services), and warehousing & distribution agreements.