10 June 2013
Taylor Wessing - Essay Competition 2013

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?
by Katarina Kesselová, LLM.

Introduction

There are various definitions of cloud computing, ranging from "the cloud means somewhere on the Internet" to more sophisticated definitions, one of them provided by the National Institute of Standards and Technology. [1] In NIST's view, cloud computing is "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." NIST sets out five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. Three service models are distinguished in cloud computing: Software as a Service (SaaS, applications), Platform as a Service (PaaS, application development) and Infrastructure as a Service (IaaS, data storage). All of these business models will fall within the scope of the Regulation if it is adopted by the European Parliament.

The proposed reform package contains two legislative texts: a Data Protection Regulation, [2] which addresses general privacy issues and is intended to replace Directive 95/46/EC, and a proposed Directive dealing with criminal investigations and regulating the rules regarding judicial activities. [3] We will discuss how the proposed Regulation will reshape the rules for cloud computing providers and clients.

[1] MELL, P., GRANCE, T. The NIST Definition of Cloud Computing. Gaithersburg: U.S. Department of Commerce, September 2011. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
[2] Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[3] Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and the free movement of such data.
What's in the clouds for cloud service providers and clients?

By adopting data protection rules in the form of a Regulation, a single legislative act will apply simultaneously in all 28 member states. The proposed Regulation will harmonize the differing application of the Directive in each state, as each provision will become part of the national legal systems as is and will be directly binding on individuals and entities. [4] International companies such as cloud computing businesses welcome a single data privacy law stretching across Europe. However, full harmonization will not be achieved. Within the limits of the Regulation, member states are allowed to adopt their own data protection laws to ensure specific safeguards for processing for health purposes and in the employment context. [5] This remaining fragmentation at the domestic level will burden cloud computing businesses working in those specific areas.

At present, providers based outside Europe may already become subject to EU data protection law. The Directive in force claims jurisdiction over foreign data controllers when a controller makes use of equipment on the territory of a member state. According to the Article 29 Working Party, [6] the Directive regards cookies that have been placed on the personal computers of individuals in the EU, in order to identify the PC to the website with a view to linking that information up with other data, as such equipment. The proposed Regulation abandons this concept of equipment. It will apply to the processing of personal data by a controller not established in the Union in two circumstances: first, when the controller processes the data of data subjects residing in the Union in order to offer them goods or services, and second, when the controller monitors their behavior. As to the kind of activity covered by "monitoring of behavior", the provision is aimed at companies that use behavioral profiling to show targeted ads on the websites an individual visits.
Both the Directive and the Regulation distinguish between the data controller and the data processor. The data controller determines the purposes, conditions and means of the processing of personal data. The data processor merely processes personal data on behalf of the controller. At first sight, the cloud service client should be a controller and the cloud service provider should have the legal standing of a processor. In the cloud computing context, particularly in some cases of public PaaS and SaaS, the distinction is not so clear. Both the cloud service client and the provider determine the means of the processing. The service provider could in principle be considered a joint controller. [7] Knowing who is who is crucial to determining liability. The data controller is responsible towards the data subjects. Conversely, the processor has no regulatory responsibility, but he has to comply with his contractual obligations towards the controller. Also, if a client and a provider are regarded as joint controllers, they may both be monitored and potentially sanctioned by the Data Protection Authority. In some cases the cloud computing provider will claim to be neither a controller nor a processor, but just a facilitator. [8] Even though the Working Party has provided some guidance on how to interpret these definitions, the roles need to be determined on a case-by-case basis. [9] Some argue [10] that this controller-processor model should be abandoned altogether and that anyone processing personal information, regardless of its means, conditions or purposes, should be viewed as a processor. The definition and responsibilities of sub-processors are not dealt with in the Regulation.

The definition of personal data is condensed into "any information relating to a data subject". [11] Unlike the Directive, the proposed Regulation explicitly recognizes online identifiers as personal data. [12] IP addresses and cookies are indispensable for providing cloud services, for instance to keep a user logged in. However, recital 24 states that "identification numbers, location data, online identifiers [...] as such need not necessarily be considered as personal data in all circumstances." It is when they leave traces and are combined with unique identifiers and other information received by the servers, in order to create profiles of individuals that make them identifiable, that they are considered personal data.

The Regulation introduces the requirement of explicit consent, given either by a statement or by a clear affirmative action. The controller would have to prove that the data subject has consented to the collection and use of the data. In written form, consent must be presented separately from other matters, so that the data subject is aware that consent is being given. Consent hidden in privacy policies or general terms will not suffice for processing to be lawful.

[4] See Article 288 TFEU for the direct applicability of regulations.
[5] Articles 81 and 82 of the proposed Regulation.
[6] Article 29 Working Party. Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites.
[7] La Commission Nationale de l'informatique et des Libertés (CNIL), the French Data Protection Authority: recommendations.
If the controller wants to have explicit consent, cloud providers will have to build the new consent requirement into their software and systems, and end-users will be bothered by more contracts and pop-ups. We have seen a similar strengthening of the consent requirement in relation to cookies. Five EU countries have implemented the Privacy and Electronic Communications Directive from 2009. [13] Whereas previously it sufficed if a user was given the opportunity to opt out of tracking, now the condition of the user's consent determines whether storing and accessing information on users' computers is lawful. In the UK, one of the countries that amended its legislation, only 2% of websites rely on explicit cookie consent [14] (a pop-up window); the others infer implied consent from the (lack of) actions of the user (not disabling cookies, using the service). Consent shall not provide a legal basis for the processing where there is a significant imbalance between the position of the data subject and the controller. [15] This is the case when the data subject is in a situation of dependence on the controller, for example in the employment context. The distinction will be difficult to draw in practice, since it is still possible to have genuine consent within a basically imbalanced relationship. [16] If we insist on explicitly given consent, we might end up with a law that is unfriendly to both end-users and cloud service providers.

At present, cloud service clients are usually not interested in which country their data are physically located in, and providers are reluctant to disclose the nature of the security measures they use. The proposed Regulation extends the customer's and the provider's obligations with respect to data processing. Article 26, for example, requires the controller (cloud service client) to choose a processor (cloud service provider) that uses technical and organizational security measures in accordance with the Regulation. CNIL offers some guidance [17] on how to assess the level of protection given by the service provider and proposes model contractual clauses. However, users are usually not able to negotiate the provider's terms, since they sign one-sided and non-negotiable click-wrap agreements. Only bigger clients with more purchasing power want to contract on their own standard terms. According to the research, [18] security and privacy terms are the third most frequently negotiated type of term in cloud computing contracts. The contract should also address what will happen at the beginning and end of the contract period. What happens to data after the provider goes out of service is not stated in the Regulation. Whether and how the data will be returned to the client or destroyed should be negotiated. The Regulation adds a provision that goes beyond the current rules: the contract will have to prohibit the provider from retaining the services of a third party without the permission of the client. [19] This would, for example, prevent a SaaS provider from using an IaaS provider's services without the customer's permission. [20]

The one-stop-shop provision of the proposed Regulation solves one of the business barriers: having to deal with a supervisory authority in each member state in which the provider does business. If the controller or processor is established in more than one member state, the company would designate a main establishment that would be decisive for the determination of the supervisory authority. The Data Protection Authority of the main establishment will supervise the processing of the controller or the processor in all member states. Unnecessary general notification duties [21] of the controller are left out of the Regulation. On the other hand, the cloud service customer would be obliged to notify the supervisory body of a personal data breach and to communicate that breach to the data subject. [22]

The proposed Regulation creates more rights for the data subject. The heavily debated right to be forgotten is actually already in the present Directive [23] in the form of a right to erasure and blocking. [24] It was also the reason for a referral [25] by the Spanish Data Protection Authority. In this case against Google, the main question is: do individuals have the right to oblige search engines to erase or block search results that point to personal information? If the wording of Article 17 of the proposed Regulation comes into force, the answer will be yes. In the Advocate General's opinion, [26] the current Directive does not establish a general right to be forgotten and does not view Google as a data controller in this context: "The erasure and blocking of data provided in the Directive concern data whose processing does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data. This does not seem to be the case in the current proceedings." According to the proposed Regulation, on the data subject's request the controller will have to erase links, copies or replications of personal data and inform third parties which are processing such data about the data subject's request. The right to be forgotten can come into conflict with the principle of free speech. [27] It is noteworthy that the right to delete is set as the rule, and the right to freedom of expression and the public interest as exceptions to the rule. [28] With the easy dissemination of information over the internet, the right to be forgotten is technically impossible to enforce. [29] Data subjects are also granted a right to data portability, i.e. the right to transfer personal data (processed by electronic means and in a structured and commonly used format) from one service provider to another, for instance from Facebook to Google Plus.

[8] SCHELLEKENS, B.J.A.: The European Data Protection reform in the light of cloud computing. Master Thesis. Tilburg University.
[9] Ibid.
[10] HERT, P. D. & PAPAKONSTANTINOU, V. (2012). The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Review, 28(2), 130-142.
[11] Article 4(2) of the proposed Regulation.
[12] Article 4(1) of the proposed Regulation.
[13] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009.
[14] www.out-law.com/en/articles/2013/may/kpmg-figures-show-just-2-of-websites-relying-on-explicit-cookie-consent/
[15] Article 7(4) of the proposed Regulation.
[16] The Information Commissioner's Office (ICO): Proposed new EU General Data Protection Regulation: Article-by-article analysis paper.
[17] La Commission Nationale de l'informatique et des Libertés: Recommendations for companies planning to use Cloud computing services. Retrieved from: http://www.cnil.fr/fileadmin/documents/en/recommendations_for_companies_planning_to_use_cloud_computing_services.pdf
[18] HON, W. K., MILLARD, Ch. and WALDEN, I.: Negotiating Cloud Contracts - Looking at Clouds from Both Sides Now. 16 STAN. TECH. L. REV. 81 (2012); Queen Mary School of Law Legal Studies Research Paper No. 117/2012.
[19] Article 26(2d) of the proposed Regulation.
[20] MARCHINI, R. Cloud Computing under the European Commission's Proposed Regulation To Revise the EU Data Protection Framework. Bloomberg BNA: World Data Protection Report. Volume 12, Number 2.
[21] Articles 18-21 of Directive 95/46/EC.
[22] Articles 31-32 of the proposed Regulation.
[23] Commission of the European Communities, Commission Staff Working Paper, Impact Assessment, SEC(2012) 72 final, 25 January 2012.
[24] Article 12(b) of Directive 95/46/EC.
[25] Reference for a preliminary ruling from the Audiencia Nacional (Spain) lodged on 9 March 2012, Google Spain, S.L., Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (Case C-131/12).
[26] Opinion of the Advocate General delivered on 25 June 2013, Case C-131/12 Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González.
[27] WEBER, R. H. The Right to Be Forgotten: More Than a Pandora's Box?, 2 (2011) JIPITEC 120, para. 1.
[28] Article 17(3) of the proposed Regulation.
[29] www.theregister.co.uk/2011/11/15/right_to_be_forgotten_might_not_be_enforcable/
Conclusion

Fragmentation of the data protection rules and the difficulty individuals have in staying in control of their personal data were identified as the main problems with the current data protection framework by the EU's impact assessment. [30] The proposed Regulation tackles these obstacles; however, some of its expanded provisions may make it more difficult than under the current Directive to use cloud services. The proposed wording is also more stringent than what is usually found under U.S. law. [31] While the new data protection regime drops abundant notification duties, it requires controllers and processors to be more accountable. Since there is no explicit regulation of cloud computing at the European level, cloud service providers must solve complex legal puzzles. With the e-Commerce Directive [32] introducing safe harbor liability protection for hosting providers, the E-Privacy Directive covering the processing of personal data in the electronic communications sector, and the Data Retention Directive, it is not yet clear how the Regulation will interact with other legislative acts. Cloud service providers will encounter the negative effects of the division between a general data protection framework and the independent sector-specific directives. [33]

[30] See footnote 23.
[31] GILBERT, F. The proposed EU data protection regulation and its impact on cloud users. Retrieved from: http://searchcloudsecurity.techtarget.com/tip/the-proposed-eu-data-protection-regulation-and-its-impact-on-cloud-users
[32] Directive 2000/31/EC on electronic commerce.
[33] SCHELLEKENS, B.J.A.: The European Data Protection reform in the light of cloud computing. Master Thesis. Tilburg University.
List of references

Legislation

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce').
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Proposal for a Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and the free movement of such data.

Literature

GILBERT, F. The proposed EU data protection regulation and its impact on cloud users. Retrieved from: http://searchcloudsecurity.techtarget.com/tip/the-proposed-eu-data-protection-regulation-and-its-impact-on-cloud-users
HERT, P. D. & PAPAKONSTANTINOU, V. (2012). The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Review, 28(2), 130-142.
HON, W. K., MILLARD, Ch. & WALDEN, I.: Negotiating Cloud Contracts - Looking at Clouds from Both Sides Now. 16 Stanford Technology Law Review 81 (2012); Queen Mary School of Law Legal Studies Research Paper No. 117/2012.
MARCHINI, R. Cloud Computing under the European Commission's Proposed Regulation To Revise the EU Data Protection Framework. Bloomberg BNA: World Data Protection Report. Volume 12, Number 2.
MELL, P., GRANCE, T. The NIST Definition of Cloud Computing. Gaithersburg: U.S. Department of Commerce, September 2011. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
SCHELLEKENS, B.J.A.: The European Data Protection reform in the light of cloud computing. Master Thesis. Tilburg University.
WEBER, R. H. The Right to Be Forgotten: More Than a Pandora's Box?, 2 (2011) JIPITEC 120, para. 1.

Documents

Commission of the European Communities, Commission Staff Working Paper, Impact Assessment, SEC(2012) 72 final, 25 January 2012.
Article 29 Working Party. Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites, 5035/01/EN/Final WP 56, adopted 30 May 2002.
The Information Commissioner's Office (ICO): Proposed new EU General Data Protection Regulation: Article-by-article analysis paper. V1.0, 12 February 2013.
Opinion of the Advocate General delivered on 25 June 2013, Case C-131/12 Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González.
La Commission Nationale de l'informatique et des Libertés: Recommendations for companies planning to use Cloud computing services. Retrieved from: http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_cloud_computing_services.pdf

Websites

www.out-law.com/en/articles/2013/may/kpmg-figures-show-just-2-of-websites-relying-on-explicit-cookie-consent/
www.theregister.co.uk/2011/11/15/right_to_be_forgotten_might_not_be_enforcable/

Author (extern)
Katarina Kesselová, LLM. Winner of the TW-Essay Competition 2013