Cloud computing: legal, privacy and contract issues

CLOUD COMPUTING: LEGAL ISSUES

FLORENCE, APRIL 2016

Lilian Edwards, Professor of E-Governance, University of Strathclyde; Deputy Director, CREATe

@lilianedwards



WHAT IS CLOUD COMPUTING?

Hon and Millard (2013): “a way of delivering computing resources as a utility service via a network, typically the Internet, scalable up and down according to user requirements. As such the cloud may prove to be as disruptive an innovation as was the emergence of cheap electricity”.

Microsoft (2010): “cloud computing represents a transformation of the industry [which] will let you focus on your business, not on running infrastructure. It will also let you create better applications, then deploy those applications wherever makes the most sense: in your own data center, at a regional service provider, or in our global cloud. In short, IT as a Service will let you deliver more business value”


KEY FEATURES

B2B and B2C: Amazon, Microsoft, Google etc B2B services; B2C - Gmail, Facebook, Dropbox, Blogger

Remote storage plus on demand self service by clients

Ubiquitous access to data/resources – from office, mobile, tablet etc – also enables group distributed working

Resource management – provides scaleable and just in time acquisition of resources by customers (“rapid elasticity”)

Pay per use – not buy and use. Cloud provision not just of data storage but services or more (see next). No need for local support, upgrading etc.

Not entirely new: logical extension of (a) data warehousing (b) outsourcing of services – involves the complicated legal issues of both.


CLOUD COMPUTING MODELS


KEY LEGAL ISSUES

Data protection obligations

1. Is Cloud provider (CP) a data controller (DC) or data processor (DP)? Obligations – security; right to be forgotten

2. Data exports – can personal data be “exported” from the EC into the Cloud? How can the Cloud operate for US-based CSPs after Schrems?

3. Security breach notification

Contract

Standard term contracts – are they fair to users? If not what can be done?


DATA PROTECTION – 1 – WHO IS RESPONSIBLE?

Data Protection Directive (DPD) Art 2

(d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

(e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

Unchanged by GDPR art 4


DATA PROTECTION PRINCIPLES (DPD ART 6; GDPR, ART 5 (MAINLY))

1. Personal Data shall be processed lawfully and fairly. (GDPR adds transparently)

2. Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes. (“purpose limitation”)

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it was processed (“data minimisation”)

4. Personal data shall be accurate and kept up to date if necessary. (“accuracy”)


DP PRINCIPLES (CONT.)

5. Personal data shall not be kept for a longer time than it is necessary for its purpose. (“data retention”, now “storage limitation”)

6. Personal data can only be processed in accordance with the rights of the data subjects.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing (“integrity and confidentiality”). (Note new security obligation on processor, art 32 GDPR)

8. Restriction on transferring personal data to countries that do not provide adequate data protection.

GDPR adds accountability principle.


DPD -> GDPR: DATA CONTROLLERS AND PROCESSORS

DPD regarded DCs as having primary legal responsibility for meeting DP principles and other duties and paying for breaches

Art 17(2) DPD: obligation on DCs to make sure they chose a data processor who guaranteed to meet security obligation

DC also had to make written contract with DP that DP acted only on DC’s instructions (art 17(3))

Cloud service providers (CSPs) mainly thought of as processors (and sub processors) – but great uncertainty – different types of CSPs and circumstances.

Art 29 WP on SWIFT case – Opinion 10/2006. Held: SWIFT not just agent of Belgian banks (processor) but itself controller

Art 29 WP Report 169, Feb 2010 definition of processor vs controller – distinction based on “the possibility of pluralistic control (“which alone or jointly with others”), and.. the essential elements to distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”). Factual not an open choice.


THE CLOUD, RESPONSIBILITY AND CONTROLLER/PROCESSOR

GDPR art 24-28 expand on old art 17(2)

The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation

Possibility of joint controllers made explicit in art 26 and division of responsibilities to be “transparent”

Art 28 provides that “processor shall not engage another processor without prior specific or general written authorisation of the controller” with very detailed contents mandated

Distinguishing between different CSPs as controllers, processors or sub processors becomes crucial.

And note the CLIENT in cloud computing will usually be solely or jointly a controller


DC:DP CONTRACTS

A29 guidance and national regulator guidance (say Hon and Millard) suggests DCs should review and conduct risk assessment in cloud provision contracts now GDPR is here

In particular check and give individual instructions taking into account: nature and sensitivity of personal data in cloud; type of intended processing; risk assessment for future events; due diligence re selection of sub service providers; clear allocation of respective responsibilities of DC and DP; data location; data export; the DP's security measures including logging & auditing

Hon and Millard regard as impractical – cloud providers cannot efficiently follow detailed instructions from every client - but should rather merely be certified generally as meeting security standards


THE DEATH OF THE CLOUD IN EU?

Kitchen example: SaaS is like buying a ready meal from M&S; Infrastructure as a Service is like renting a catering service or kitchen.

You expect to be able to give detailed and unique instructions to kitchen, but if you don’t like one ready meal you buy another one.

You don’t expect or have the legal right to make M and S make one for you with less salt, or no gluten, or no onions – and if you could demand this, M and S would go bust!

Hon: imagine user X (DC) using Dropbox (SaaS, processor) built on Amazon Web Services (IaaS, sub processor?); user has no interest in giving instructions to AWS and AWS isn’t configured to deal with requests of individual DCs.


HON “KILLING CLOUD QUICKLY WITH GDPR” SCL JNL, MARCH 2016

“the GDPR would set in stone the most prescriptive cloud-impracticable elements of [A29] WP 196 while omitting parts of WP 196 that actually recognised how cloud worked..

Rather than making data protection laws truly technology-neutral, the GDPR will perpetuate the 1970s model of computing/outsourcing embedded in the DPD”


ONE PARTICULAR OBLIGATION

“Right to be forgotten”? = right to seek erasure of PD

GDPR Reg, art 17-19

For hosts not just search engines! But for controllers or processors?

Right to “obtain from the DC the erasure of [their] personal data” where processing out of date, consent withdrawn, unlawful etc (art 17(1)).

But also “the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”

What kind of obligation is this for CSPs? And which ones? Will they have to consider exceptions art 17(3)?


DP – 2 – DATA EXPORTS & LEA ACCESS

DP 8th principle in DPD

“Personal Data shall not be transferred to a country outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data subjects in relation to the processing of personal data”.

Challenge for the Cloud where data often held outside EU, in varying and changing locations (not always known to user OR CSP). Especially in US!

NB EU DP law may be held to apply to non EU DC by virtue of art 4: has an EU establishment (expanded after Google Spain v Costeja); or uses “equipment” in EU other than merely for transit (eg wires, cookies).


DP – 2 – EXPORT AND LEA ACCESS

Export outside EU allowed by DPD if

Finding of “adequacy” (art 25) (11 states)

US safe harbor membership

Art 26 – use of model contractual clauses issued by EU Comm or BCRs

Unambiguous consent – but high standard (free, informed); also revocable; DC may not be the data subject but processing data of others (eg posting FB group photo)

A29 questioned use of art 26 exemptions in Cloud transfers if transfers “massive, recurrent or structural”;

Schrems decision (CJEU, 2015 case C362/14) held safe harbor invalid because of post Snowden awareness that US laws - FISA, Patriot Act – allowed NSA and other agencies access to personal data held in servers in US and controlled by US companies. And US public authorities could not be made subject to EU oversight by EU contracts.

“compromises the essence of the fundamental right to private life” .. “To effective judicial protection”


DP – 2 – FALLOUT

Schrems resulted in safe harbour declared invalid

Very bad for non EU CP B2B business – reports of EU businesses withdrawing contracts

Very bad for B2C trust

Law? Attempt to replace safe harbour with “Privacy Shield” (February 2016)

Some improvements eg an ombudsman for EU data subjects to go to

But no fundamental change in US law -> April 2016 A29 WP essentially declared Privacy Shield still unsatisfactory -> CJEU?


DP – 2 – ALTERNATE GROUNDS FOR TRANSFER OF DATA TO US

Varying from EU DPA to DPA

Schleswig-Holstein eg immediately declared all alternate grounds – standard contract terms, BCRs etc – equally invalid on grounds essentially that US could not provide the safeguards these forms depend on as substitute for “adequacy”

All need “enforceable data subject rights and effective legal remedies for data subject” (GDPR)

All German DPAs have however agreed that explicit user consent remains valid pro tem

BUT note A29 warnings re “massive, structural” exports of PD reliant only on consent and GDPR art 49(1) ref to such (non repetitive limited transfers)

US unlikely to change law further? Best solutions - build Clouds in EU? Demand them?

Deutsche Bank, Microsoft in Germany


DP – 3 – SECURITY BREACH OBLIGATIONS

GDPR art 33

Controllers must notify the DPA of a data breach “without undue delay and, where feasible, no later than 72 hours after having become aware of it” (unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”).

Controllers must notify data subjects of a breach where it creates a “high risk to the rights and freedoms of individuals” although exceptions can apply.

Fines up to 4% annual turnover or 20 m Euro may apply for some breaches

For first time in GDPR Data Processors have independent security obligation so may be subject to these fines (CSPs??) and breach notification obligation to DC, art 33(2)

Level of fine linked to speedy mitigation so CSPs should be on alert..

Fights over indemnities/allocation of blame in cloud contracts may get more heated?


CONTRACT

Distinguish: standard term contract service provision; negotiated contract service provision

This cannot be easily mapped as B2B, B2C – eg many SMEs and public sector bodies, universities, will use Gmail.

Distinguish “free”/paying ToS – former likely to have more freedom!

Terms of service (ToS) survey by Bradshaw, Millard, Walden 2010-2013 found many problematic standard terms even in non-free services

Very comprehensive limitation of liability clauses, even including liability for poor security by CP

Governing law that of US states (to exclude unfair terms law?). Location of actual servers often not specified.

Monitoring of customer activity

Right to vary ToS unilaterally, or terminate unilaterally without retaining customer data

Note that German, French courts starting to knock down unfair terms in digital standard form B2C contracts!