Data Protection, Software Licenses and other Legal Issues in the Cloud




Data Protection, Software Licenses and other Legal Issues in the Cloud
Dr. Hendrik Schöttle, Rechtsanwalt, Fachanwalt für IT-Recht
OSDC 2012, Nuremberg, 26 April 2012

Overview
- Introduction
- Data Protection Principles
- Special Requirements of Cloud Computing
- Software Licenses
- Other Issues
- Liability
- Exit Management

History
- Federal Data Protection Act outdated
- Initially planned as protection against the state (1977)
- Way behind technical development
- Federal Constitutional Court has to fill the gaps
- Many unclear and open terms and clauses
- Data protection law fragmented and incomplete

Roots
European legal sources:
- Data Protection Directive
- Directive concerning the processing of personal data and the protection of privacy in the telecommunications sector
- E-Commerce Directive
- Directive on privacy and electronic communications


Data Protection: Introduction
- Only personal data is protected
- Section 3 (1) Federal Data Protection Act (BDSG): "Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject)."
- Examples: name, address, email address, account details, etc.
- Very broad interpretation by courts/supervisory authorities (Google Street View, IP addresses etc.)

IP address as personal data
- Static IP address: personal data
- Dynamic IP address: data that can be related to individuals
  - Link to a person easily possible (example: access provider, local administrator): personal data
  - Link not possible, or only possible with difficulty: no personal data
- In doubt: treat it as personal data

Processing
- The processing of personal data is not allowed unless it is explicitly permitted, i.e. each processing of personal data requires a justification
- Processing is also defined very broadly: it includes e.g. storage, modification, transfer and deletion of data
- Consequence: almost every dealing with personal data requires a justification!

Justification
Possible justifications:
- Consent of the data subject (in the future only restrictedly allowed regarding employees)
  - must be given on an informed and voluntary basis
  - revocable at any time
- Processing covered by the purpose of a contract (Sec. 28 Para. 1 no. 1 BDSG)
- Overriding interests (Sec. 28 Para. 1 no. 2 BDSG)
- Special regulations for employees (Sec. 32 Para. 1 BDSG)
- Company agreement (Betriebsvereinbarung)

Overview
- Introduction
- Data Protection Principles
- Special Requirements of Cloud Computing
  - Classification
  - Applicability of German Data Protection Law
  - Demands of the German Data Protection Supervisory Authorities
  - Transfer of Data
- Software Licenses
- Other Issues

Special Requirements of Cloud Computing
- Data protection and privacy concern primarily the relationship between the cloud user and the cloud provider
- Diagram: Customer/Employee -> (customer/employment contract) -> Cloud User -> (service contract / ADV) -> Cloud Provider

Special Requirements of Cloud Computing
- Generally, the data protection supervisory authorities regard the user as the responsible entity
- A responsible entity is someone who:
  - collects personal data for himself, or processes or uses personal data (or has this done by subcontractors), and
  - while acting alone or jointly with others, has control over the purposes and means of processing personal data

Special Requirements of Cloud Computing
Users should only take advantage of cloud services if:
- they are able to entirely perform their duties as a responsible entity, and
- they have checked and approved the requirements for data protection and information security implemented by the provider


Applicability of German Data Protection Law
- According to § 1 para 5 BDSG, German data protection law applies when a non-European cloud provider collects, uses or processes data in Germany
- If a cloud provider based in an EU Member State collects, uses or processes data from Germany, then the law of that EU Member State applies (§ 1 para 5 BDSG)
- In practice, it is difficult to enforce German law against foreign providers


Guidance of the Data Protection Supervisory Authorities
- In 2011, the supervisory authorities adopted a guidance on cloud computing on how to comply with data protection law
- According to §§ 34, 35 BDSG, it is the cloud user who remains obliged to correct, delete or block data, and to provide such information to the persons concerned
- But: the user has (if at all) only very limited administrative, operating and controlling access to the infrastructure of the cloud provider
- Data protection authorities require:
  - agreement on a contractual penalty against the provider
  - obligation of the provider to arrange such rights with respect to sub-providers
- This is difficult in practice


Transfer of Data
- Even according to the planned amendment of German law regarding protection of employees' data, the following will still apply: group members are not privileged (kein Konzernprivileg)!
- This means:
  - each transfer between group companies is to be treated as a transfer to a third party
  - transfer and processing by a group member is only permitted if a justification is given
- In practice, commissioned data processing helps

Data Transfer: Cloud User / Cloud Provider
Diagram: Customer/Employee (data subject) -> Cloud User (controller) -> Cloud Provider (processor)
Data transfer between cloud user and cloud provider is either:
- Transfer pursuant to Section 28 BDSG. Possible if:
  - necessary for a contractual relationship between data subject and controller (generally not given), or
  - necessary for legitimate interests of the controller, if there is no reason to assume that the legitimate interests of the data subject in the exclusion of the processing prevail (risky solution, as the supervisory authority could evaluate the interests differently)
- OR commissioned data processing pursuant to Section 11 BDSG. Possible if:
  - an agreement on commissioned data processing exists which was concluded in writing, meets the other requirements of Sec. 11 BDSG and is complied with
  - the company is then regarded as the controller's right hand, i.e. not a third party

Commissioned Data Processing: Cloud User / Cloud Provider
- Important requirement of commissioned data processing: the data processing must in fact be commissioned by the cloud user
- According to the Düsseldorf Working Group, the following criteria indicate commissioned data processing:
  - no decision-making power of the processor concerning the data
  - the controller processes the data under its own responsibility with respect to third parties
  - absence of an independent legal relationship of the processor to the data subjects

Commissioned Data Processing: Cloud User / Cloud Provider
The following criteria argue against commissioned data processing:
- the controller grants the processor an independent right to use the data
- the controller lacks reasonable control over parts of the data processing
- the responsibility for the legitimacy of the data processing and the accuracy of the data shifts to the processor
- processing of data which were collected only on the basis of an independent legal relationship of the processor

Commissioned Data Processing: Requirements of § 11 Para. 2 sent. 2 BDSG
The contract shall be in writing and has to specify in detail:
- subject and duration of the contract
- the extent, nature and purpose of the data processing
- technical and organizational security measures
- process for the correction, deletion and blocking of data
- controls
- eligibility for subcontracting

Cross-Border Data Transfer
- Data processing in the cloud is not localized
- Generally, users will not know where their data is currently being processed
- Therefore: the provider must inform the users of all possible processing sites before the conclusion of the contract!

Data Transfer to EU Countries: Within the EU/EEA
- If the data processing is physically held within the EU/EEA, it is generally not subject to any special requirements
- The provider as a data processor is not a third party
- A contractual obligation is required, obliging the cloud provider to use only technical infrastructure within the EEA (also applying to possible subprocessors)

Data Transfer to non-EU Countries
Diagram: Customer/Employee -> Cloud Provider -> Group member
Data transfer to countries outside the EU:
- EU Commission: in general, no adequate level of data protection is given outside the EU
- Background: only few other countries in the world have data protection standards comparable to those in the EU
- Consequence: each transfer of personal data from an EU member state to a non-EU country requires additional measures

Data Transfer to non-EU Countries
Possible measures:
- obtaining consent of the data subject (i.e. customers)
- Safe Harbor certification (only USA); maybe not sufficient any more in the near future
- binding corporate rules
- best solution: agreement based on the EU model contracts between service provider and group member
The transfer of personal data into non-EU countries is generally not permitted without one of these measures!

Consequences of Data Protection Law Infringements
- Penalties: fines up to EUR 300,000.00 (+ skimming off excess profits)
- Possible compensation claims of those affected
- Criminal relevance in the case of intent + intended profits/damages, or breach of the secrecy of telecommunications
- Injunctive relief and claims for damages concerning employment law
- Inadmissibility of (improperly obtained) evidence
- Prohibition of specific processing of data
- Damage to reputation / bad press, especially in the case of customer data: the highest risk in practice


Software Licenses: the copy decides on license requirements
- Any reproduction of software requires the consent of the copyright holder, § 69c Nr. 1 Copyright Law (Urheberrechtsgesetz, UrhG)
- Already the execution of software requires consent for its reproduction
- In the case of cloud computing, the question of who reproduces the software is difficult to answer

Software Licenses: transferable decision? Who makes the copy?
"The question of who is making the reproduction has only to be regarded from a technical point of view. The reproduction as a physical definition of a work is a technical-mechanical process [...]. Therefore, the manufacturer of reproductions is the one who technically takes care of this physical definition. It does not matter whether he uses technical means, even if these are provided by third parties."
Federal Supreme Court, Judgment of 22 April 2009, I ZR 216/06 ("shift.tv")
- Transferability to cloud computing is controversial

Software Licenses: Consequences of this Decision
If, from a legal perspective, the user makes the copy:
- cloud computing users need usage rights for the software
- the provider must have these rights himself
- the provider must also be legally capable of transferring these rights to its customers

Software Licenses: Open Source and Cloud Computing
- Open source software under the GPL: whoever changes and distributes the software must make the changes, including the source code, available to all third parties, also under the GPL ("viral effect" of the GPL)
- Is the use of customized open source software as part of cloud computing considered distribution?
- Customizing services should be free and the source code should be available to third parties. Otherwise, according to the GPL, all usage rights terminate, and any such further use will constitute copyright infringement.

Software Licenses: GPLv3
- Regulation of GPLv3: "Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying" (Section 0 "Definitions", para. 7 GPLv3)
- If there is no transmission of binary code, then GPLv3 does not apply
- The interpretation is uncertain; so far, there are no court decisions
- Google etc. use the uncertainty in order to avoid publication of sources for software used in cloud services
- The customer should secure themselves by contract (indemnification, warranty)

Software Licenses: Best Practices
- As a supplier, be prepared that the traditional software license has become obsolete
- As a customer, get the provider to guarantee that he will give you the necessary rights to use the solution
- Agree on an indemnification for any claims from third parties with regard to license violations


Standard of Liability
"A person acts negligently if he fails to exercise reasonable care." (§ 276 Para. 2 German Civil Code)

Liability of the Company
- From production delays: compensation for the delay, contractual penalties
- Breach of confidentiality agreements: damages for breach of contract under § 280 BGB
- If the recipient is not a contractual partner: compensation for damages under § 823 BGB; data compromised = property infringement (functionality and internal order)
- Organizational negligence of the management
- Contributory negligence, § 254 BGB (Mitverschulden)

Recommended Course of Action
- No security policy = breach of care
- Insufficient IT security measures = breach of care (e.g. business-critical data in a public cloud), Cologne District Court 2003
- In order for external service providers to develop an IT security policy:
  - a written security policy is necessary for the implementation of security measures
  - clarification of legal issues when creating an IT security policy, or legal due diligence of the completed IT security policy before implementation
  - compliance with applicable IT security standards


Change of Provider and Exit: Duties of the old Provider
- The private contract is fulfilled
- The old provider is not obliged to help, but must only execute his contract and stop provision of services at the effective date of termination

Change of Provider and Exit: Responsibilities of third parties
- Relevant with respect to software publishers as copyright holders
- There is no obligation to transfer their licenses at the request of customers, provided there has been no exhaustion of the distribution right

Change of Provider and Exit: Conclusion
- The customer has only limited possibilities to exert influence on the old provider
- After all: even the old provider should be concerned about his reputation

Change of Provider and Exit: Problems with Support Services
- The old provider fulfils the contract and does not support the transition; he is not required to support the transition to a new provider
- A complete change of provider may fail

Change of Provider and Exit: Best Practice
- Temporary maintenance of service: oblige the old provider to provide further services after termination of the agreement
- Agree on fixed rates for transition services from the beginning; these conditions should remain unchanged
- Give the customer a contractual right to order separate services

Data Protection, Software Licenses and other Legal Issues in the Cloud
OSDC 2012, Nuremberg, 26 April 2012
Dr. Hendrik Schöttle, Rechtsanwalt, Fachanwalt für IT-Recht
T +49 (0) 89 5434 8078
M hendrik.schoettle@osborneclarke.de
www.osborneclarke.de