Cloud Sourcing vs. IT Security & Privacy: a short legal assessment
Dr. Jens Bücking, attorney at law (Rechtsanwalt) and certified specialist in IT law (Fachanwalt für IT-Recht), lecturer at the Hochschule für Technik, Stuttgart
I. Initial situation
In Germany, Austria and Switzerland, businesses and the public sector remain very cautious about the trend topic of cloud computing. They point to issues such as security concerns, data protection, individual and collective labour law and the protection of trade secrets.
A conventional approach to establishing trust in this area is to define standards and policies that can be written into the cloud contracts between provider and user as mandatory requirements, and to have compliance with them certified by independent institutions recognised in expert circles, such as DEKRA, TÜV and the industry associations VOI and BITKOM in Germany.
- (Still) prevalent opinion on non-European clouds
The main reason for the uncertainty is that the data protection officers of the individual federal states sometimes hold diametrically opposed opinions, and the supervisory authorities responsible for auditing companies often pursue different approaches. Until recently, the prevalent opinion in Germany was that the export of personal data to the cloud structures of a US provider
· that operates its data centres at locations around the globe which are not definitely guaranteed,
· that cooperates with unnamed subcontractors,
· that does not enable its customers to give instructions to it or its subcontractors, and
· that does not allow customers to inspect its facilities or have them inspected
would be a third-country transfer that cannot be covered by any privilege under data protection law, i.e. not even via data outsourcing, but would instead be a categorically prohibited data transmission to an insecure territory whose level of data protection does not correspond to that of the EU/EEA.
Even a certification by the US Department of Commerce under the “Safe Harbor” principles was regarded as insufficient, because companies can often obtain it by ticking off a mere list of criteria without any substantive technical/organisational scheme of appropriate protective measures. It was therefore demanded that such a certification must also be checked in detail.
Moreover, data protection authorities considered the possibility that US homeland security regulations (e.g., the Patriot Act) could be used to clandestinely access data from the EU/EEA to be unacceptable, making the use of cloud services of large US providers such as Amazon, Microsoft and Google a no-go.
- Newly emerging opinion
However, consultancies such as ourselves have increasingly been able to soften this opinion through numerous successful projects in the recent past, in which we showed that by tuning a number of parameters in the ICT systems of companies, adjustments can be made that guarantee an adequate measure of data security as well as data protection. Regardless of the technical/organisational measures, the main objective was always to relieve companies of the considerable worry of being subject to prohibition and data remigration orders as well as fines of up to EUR 300,000 per incident (plus additional damage compensation consequences and even disgorgement in the case of commercial data protection breaches) in the event of a breach of data protection law.
We were also able to show that an intervention by US homeland security authorities – which cannot be fully excluded even if security-by-design measures are taken – does not represent a substantively different threat situation than the already existing substantial arsenal of intervention and confiscation powers under German and European telecommunications, criminal procedure, police and constitutional law.
Accordingly, the long-standing initial situation, in which most German data protection officers held that clouds operating outside the EU/EEA were unacceptable for the processing of personal data, has changed.
True, data protection law limits the export of data outside the EU/EEA. However, this only means that some categories of highly sensitive data must definitely not be transmitted. Moreover, the export of financial data generally requires a bilateral agreement between the authorities of the exporting country and those of the importing country. Special caution is also required for company secrets and other data from the fields of banking and finance that need to be protected.
II. Measures for compliance with data security and data protection law
However, the transmission of personal data even to non-European economic areas is permitted if certain requirements are observed; these need to be examined in detail on a customer-specific basis. The requirements can be checked by means of criteria lists, either by qualified consultants or by the responsible auditors within the scope of a special cloud certification. In the event of an inspection by the authorities, a certificate of a large IT industry association such as VOI or a certification according to EuroPriSe serves as sufficiently trustworthy evidence of reliable, objective and independently verified corporate data protection conformity. It is legitimate and commonly accepted to have experienced auditors conduct a preliminary audit and to be prepared in this way for the certification procedure.
- The role of “global cloud-players” (such as Amazon, Google, Microsoft…)
Even if the legal assessment in preparation for the use of cloud services (and the subsequent support) is handled by consultants or auditors, the (prospective) user of cloud services will still have to do some basic work itself (see 2. below). Sometimes, the remaining part will be handled by the cloud provider.
Global providers like Google have taken various measures to ensure compliance with data protection laws throughout the EU/EEA (e.g., certification according to ISO 27001). Various security and encryption standards as well as additional services and functions, such as archiving, recovery and tools against loss or compromise of data, can be booked. Using the example of Google, this security is supplemented by technical/organisational measures and assurances that Google eventually introduced in 2012 in the form of the so-called EU model contract clauses (model 2010) in order to gain additional trust.
- Preliminary work of the cloud provider
The company is responsible for checking its data processing processes. If the company has an international group structure, the individual responsibilities must be defined and clearly demarcated, especially in the relationship between the data-processing entity and the data outsourcing provider. As is well known, groups of companies do not enjoy any privilege under data protection law. Within a group, it may therefore be necessary to conclude a bundle of data outsourcing contracts covering the entire chain up to the input of the data into cloud structures.
Once this has been done, the next step is the externalisation of the data and processes. The data should be classified by categories and risk groups, such as highly sensitive data, personal data, financial data, data whose publication is mandatory, general business data, business data in need of special protection and other data. In this phase, the company must ask itself which classes are to be kept in the cloud. Moreover, any rights of the works council/staff council must be taken into consideration. At this level, it may turn out that an alternative concept or a workaround is needed.
All in all, the user must create a (new) cloud data protection concept that includes the security technology made available by the provider at the respective processing level. One aspect is re-identifiability. Strictly speaking, data that are depersonalised through encryption are no longer personal data. Although the security measures that some cloud providers offer depersonalise the data, they generally do not exclude the possibility of re-identification. The prevalent opinion is therefore that encryption alone does not make cloud services generally legitimate for business purposes.
In this context, another noteworthy aspect is the establishment of an EU-compliant standard by the EU model contract clauses 2010. The EU model contract clauses put high demands on the providers of cloud-based solutions. For example, this includes a highly differentiated audit right and the disclosure of subcontractor agreements. On the user side, this framework contract is complemented by a data outsourcing contract that is aligned with the German Federal Data Protection Act (BDSG) (in addition to the EU model contract clauses), especially including the list of protective measures pursuant to Section 11 (2) BDSG.
Next, the Safe Harbor certification of all utilised cloud operators is required. Global providers usually fulfil this requirement. However, in addition to the Safe Harbor privacy statement, under which the US provider must undertake to cooperate with the domestic data protection authorities and the cloud user, as customer, must make sure that the certificate is valid and applies to the respective data, the resolution of the “Düsseldorf circle” of German data protection officers of 28 April 2010 requires the user to proactively check compliance with this protection level against the minimum criteria. This check may also be performed by third parties or engaged companies on site. Direct auditing of the provider's systems, security precautions and logs is recommended and may be performed by third parties or subcontractors, including in other countries.
At any rate, as already explained, the data should be encrypted before they are transferred to the cloud. In this case, the data remain secure even if the cloud operator is not permitted to inform the affected customers of a data transfer (e.g., gag order/Patriot Act).
It was already mentioned that the user can fulfil its obligation to check compliance with the technical/organisational data protection measures, before the beginning of the data processing and regularly thereafter, by means of on-site inspections or via certification by an independent, trustworthy third party that has no interest of its own in a positive certification. Here as well, cloud providers can help by making appropriate certificates available. The user can supplement this canon of technical/organisational measures with its own measures or a checked list of criteria, which may be created within the scope of a workshop or during the preparation for an audit to obtain a cloud certificate.
The legal conformity of use largely depends on appropriate preparation by the company that plans such use. The company can be supported in this process by suitable experts, especially practitioners from the fields of data protection and data security, and by auditors who have gained their experience in certification processes – especially cloud certification – in order to be braced for a possible audit under functional supervision law. In our opinion, certification may be a visible quality symbol (and as such a decisive advantage over market competitors), though it is not legally required for a data protection audit by local authorities.
Our experienced senior partners are active both as data protection officers and as auditors. Their approach consists of initially conducting a basic workshop with the decision makers, IT managers, data protection officers, possibly members of the works council, the managers of the finance, controlling and HR departments and – last but not least – the company administration. Depending on how much preliminary work the company has done, this workshop may already comprise an executive target/as-is analysis as the basis for the further elaboration of a process flow model for the cloud under consideration of data protection law. For a medium-sized group of companies whose data processing organisation is based on a division of labour, perhaps also across the organisational boundaries of the individual subsidiaries and even across national borders, this workshop would take 2 to 5 days (including the evaluation of the results), depending on the complexity.
- Drafting of contracts
This can be followed by the preparation of the contracts to be concluded on this basis, either directly by the company’s legal department or by the consultants already entrusted with the workshops. In this process, the templates and certifications provided are first matched against the criteria required under data protection law. Adjustments are agreed with the contact partner at short notice. The individual data outsourcing contract under national law is enclosed with the framework contract. This work usually takes about 1 to 4 days.
Another 3 to 5 workshop days must be expected to prepare for certification by one of the large cloud certification services. The preparation would be done by experienced auditors who have already worked at the certification level. The company would be made “100% fit” for the certification.
The e|s|b law firm offers services 1, 2 and 3 individually at a day rate or as an overall package at reduced conditions to be agreed individually. The number of workshop days cannot be determined in advance without knowledge of the company structures.