Legal Guide to the Cloud for SMEs

How to protect personal data in cloud service contracts 

Cloud computing technologies and services have evolved as fast as they have spread amongst client organisations. However, contracts regulating the provision of cloud computing services have not evolved at the same pace. The contracts are often offered by cloud providers in a standard and non-negotiable form, which may make it difficult for clients, whether they are private companies or public authorities, who typically hold the role of data controllers under EU law, to discharge their duties towards data subjects and local or supranational Data Protection Authorities. This document provides some basic guidelines to cloud clients when entering a cloud computing contract. A series of recurrent contractual issues have been identified and addressed in a short and comprehensive way from the data protection law standpoint. References to other checklists and standards tackling issues critical for cloud services are also provided when relevant. In developing the document, the provisions of Regulation (EU) 2016/679 (“GDPR” or simply “Regulation”), which entered into force on 5 May 2016 and will start applying from 2018, were taken into account and incorporated, where relevant, in the text of the document. 

Date of publication: November 2016

 

Pre-contractual phase

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” 

Users are attracted to cloud services due to the features inherent to the cloud model, such as the possibility to access a broad network, the ability to pool and optimize resources, accessing services with elasticity and scalability, all while reducing the costs and, to some extent, the regulatory risks. 

The outsourcing of computational, storage and platform services to cloud service providers, however, does not come without risks, especially for the protection of personal data processed in the cloud. 

The Supervisory Authorities of the Member States (SA) have divided the main risks for privacy and protection of personal data in the cloud into two categories:

  • Lack of control over personal data

  • Lack of information on the processing of personal data

Pondering the trade-off between the expected advantages of outsourcing to cloud providers and the risks arising for personal data in the cloud is a preliminary step that every organization has to take before purchasing cloud services.

In view of contracting cloud services with big providers, customers are advised to perform both an internal and external due diligence check. 

Legal tips and recommendations

For internal due diligence, clients should:

  • Define their privacy, security and compliance requirements; 

  • Identify what data, processes or services they want to move to the cloud; 

  • Analyse the risks of outsourcing services to the cloud; 

  • Identify what security controls are needed to protect their employee data once transferred to the cloud; 

  • Define responsibilities and tasks for security control implementation; 

For external due diligence, clients should:

  • Assess whether the provider meets their privacy and data protection requirements using the Privacy Level Agreements (PLA); 

  • Check whether the provider holds any certification or attestation released by an independent third party; 

  • Consider whether the terms of service can be amended, how and by whom. 

 

Entering a cloud service contract: major issues

The following represent some recurrent issues identified when negotiating a contract for the provision of cloud services.

Cloud service contracts often contain clauses whereby the competent jurisdiction and the applicable law are set by the agreement between the parties involved.

A distinction has to be made between the two concepts. 

Jurisdiction: Finding the competent jurisdiction means allocating the enforcement of the contract to a certain, competent judge, whereas finding the applicable law means finding the set of substantive rules applicable to a given contract. A possible consequence of this distinction may be that a judge of Member State “A” is called to enforce a cloud computing contract, or a part thereof, on the basis of the law of Member State “B”. 

From a purely contractual standpoint, the parties autonomously decide in what jurisdiction they want the contract to be enforced. Theoretically, the possibility to mutually set the competent jurisdiction is recognized by the principle of contractual liberty. In practice, the cloud service provider is the entity that decides the competent forum, whereas the client often only has the opportunity “to take it or leave it”.

Applicable law: Regarding the applicable privacy law, Regulation (EU) 2016/679 sets out the territorial scope in Article 3. In particular, at paragraph 1, the Regulation sets out that its provisions apply to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. Therefore, if either the data controller’s (CSC) or data processor’s (usually, the cloud service provider is the data processor) establishment is in the EU, the provisions of the Regulation apply.

Moreover, paragraph 2 of Article 3 sets out that the Regulation also applies where neither the controller nor the processor is established in the EU, but “the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” The latter case is likely to bring most of the cloud service providers established outside the Union within the scope of European data protection rules. The Regulation, in fact, has a wider territorial scope than its predecessor piece of legislation, Directive 95/46/EC. 

Another piece of relevant legislation is the e-privacy Directive 2002/58/EC, whose application is triggered by the provision of publicly available electronic communications services in public communications networks (telecom operators) by means of a cloud solution. When the cloud service provider is also a provider of publicly available electronic communications services in public communications networks, this law applies.

 
Legal tips and recommendations:

  • Contractual arrangements regarding the jurisdiction and the applicable law are found in the Cloud Service Agreement;

  • The reform of European data protection rules has widened the territorial scope of the latter; the GDPR may very likely apply to Cloud Service Providers established outside the European Union, regardless of what contracts provide;

  • Bear in mind that under the GDPR the data processors now have direct legal obligations which are also enforceable by the data subjects.

Privacy Roles

A correct understanding of the roles in the processing of personal data performed by means of cloud computing technologies is functional to the correct allocation of legal obligations and responsibilities between the parties of a cloud computing contract.

According to the standard allocation of responsibilities, the controllership of personal data processed in the cloud belongs to the client, whereas the cloud service provider is usually the data processor.

Departing from the rationale underpinning Directive 95/46/EC, the GDPR has substantially increased the level of accountability directly required of data processors. As a consequence, for example, cloud service providers can now be the direct addressees of a claim by data subjects for material or immaterial damage they have suffered as a result of an infringement of the GDPR, in particular of the obligations therein specifically directed to processors; this holds true also when the cloud service providers acted outside or contrary to the lawful instructions of the controller.

Moreover, cloud service providers have the obligation to keep the records of processing activities (when they have more than 250 employees), to notify the controller without undue delay after becoming aware of a personal data breach, regardless of whether the controller is a provider of publicly available communication services, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, to seek the data controllers’ authorization before engaging another processor, and to impose on the latter the same data protection obligations as set out in the contract or other legal act between the controller and the processor.

 

Legal tips and recommendations:

  • Clearly allocate the data protection roles between the parties; 

  • Choose a cloud service provider which guarantees compliance with European data protection law;

  • Define the degree of autonomy left to the cloud service provider, acting as data processor, in the choice of methods and technical or organizational measures; 

  • Bind the cloud service provider, acting as a data processor, by means of a specific data processing agreement, or at least make sure that the boundaries of the data processing are clearly defined in the cloud service agreement and that the activities outsourced to the cloud service provider are adequately identified;

  • Avoid cloud service providers that use complex chains of sub-contractors located outside the EU; if this is not possible, decide whether to provide CSPs with a general or specific authorization to engage further cloud service providers;

  • Verify whether the contract contains provisions aimed at limiting the cloud service provider’s liability for breach of data protection rules;

  • Verify whether the contract contains provisions aimed at preventing the controller, where it has paid full compensation for the damage suffered by the data subject under European data protection rules, from claiming back from the processor involved in the same processing the part of the compensation corresponding to the processor’s share of responsibility for the damage.

Amendments to the contract

Vendors of cloud services often include clauses in contracts whereby they retain the right to unilaterally change the cloud contract. 

In legal terms, this is quite problematic, and it is paramount to verify whether the contract requires the provider to give acceptable notice of any changes to the services, or establishes the client’s right to terminate the contract in the face of materially detrimental changes to it. 

Legal tips and recommendations:

  • Contracts should clearly regulate which services can be modified in the course of the provision of services, and under what conditions, including procedural ones; 

  • Changes that are materially detrimental to the level of a mission critical service and/or to the level of protection of personal data should be explicitly excluded in the contract; 

  • Changes should not be implemented without giving notice to the client; 

  • The written agreement of the client, or at least the client’s right to be notified in advance of any changes to the contract, may be provided for therein; 

  • The clients should verify whether the contract provides for their right to terminate it upon unwanted, unnoticed and/or detrimental amendments to the contract.

 

According to the Regulation, personal data can be transferred outside the European Union on the basis of an adequacy decision related to the country where the recipient of the transfer is located, pursuant to Article 45 thereof, or where specific safeguards have been put in place, in accordance with Article 46 thereof (one particular example of such safeguards are the Binding Corporate Rules, which are specifically addressed in Article 47) or if one of the derogations contained in Article 49 applies.

Therefore, for a personal data transfer to be valid, one of the provisions contained in Articles 45, 46, 47 or 49 must apply. Given that only a few countries have been awarded an adequacy decision by the European Commission (a full updated list is available here), and that the derogations in Article 49 apply in limited cases, most situations will require adequate safeguards to be adopted, pursuant to Articles 46-47.

 

Legal tips and recommendations:

  • Verify whether the processing of personal data takes place in countries that have been subject to an adequacy decision; in that case the transfer can be lawfully carried out;

  • In case the processing takes place in countries that have not been subject to an adequacy decision, one of the following “adequate safeguards”, in accordance with Article 46, must be in place:

    • The cloud service provider has adopted binding corporate rules in accordance with Article 47; 

    • SMEs and CSPs enter into standard data protection clauses adopted by the Commission (the ones adopted with Decision 2010/87/EU can still be used); 

    • Small & medium enterprises and cloud service providers enter into standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); 

    • The small & medium enterprise and/or the cloud service providers adhere to an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

    • The small & medium enterprise and/or the cloud service providers hold an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Processing of personal data by sub-contractors

Providers may outsource part of the processing necessary for the functioning of the cloud to sub-contractors. These sub-contractors may receive personal data from the client of cloud services, and may be located outside the EU. They can lawfully process personal data flowing from the EU only when one of the conditions mentioned in the preceding paragraph has been met.

The chain of sub-processors may be very long and scattered, and this may result in loss of control over personal data, difficulties in the exercise of data subject’s rights, and lack of accountability on the side of the data processor. 

 

Legal tips and recommendations:

  • In Opinion 5/2012, the European DPAs recommended that processors/providers inform the client about the sub-processing in place, detailing the type of service subcontracted and the characteristics of current or potential sub-contractors, and that these entities guarantee to the CSP that they comply with the applicable EU data protection legislation;

  • Under the GDPR, the CSP must ensure that its sub-contractors are contractually bound to it by the same obligations and standards it has agreed to with the controller; the model contractual clauses approved by the European Commission constitute a useful tool to this effect;

    • Under the GDPR, the Supervisory Authorities may adopt standard clauses for the purpose of regulating the relationship between data processors and sub-processors; if such a set of clauses is available, the CSC should ensure it is used by the CSP with its sub-processors;

  • The CSC has the possibility to decide whether to provide the CSP with a general or specific authorization to engage further providers; the CSP cannot engage sub-providers without such authorization by the controller;

  • The controller should have contractual recourse against the processor in case of any breach of the contract caused by the sub-processor.

 

In the framework of the Regulation, the data subjects have the following rights: 

  • right of access (Article 15);  

  • right to rectification (Article 16);  

  • right to erasure (Article 17, “right to be forgotten”);  

  • right to restriction of processing (Article 18);

  • right to data portability (Article 20);

  • right to object (Article 21);

  • right not to be subject to a decision based solely on automated processing (Article 22);  

  • right to compensation (Article 82). 

When reading a cloud computing contract, the client should check whether the CSP guarantees full cooperation in ensuring an effective and easy exercise of rights on the part of the data subjects, including in cases when data is further processed by subcontractors.

 

Legal tips and recommendations:

  • The contract between the client and the CSP should stipulate that the CSP supports the client in facilitating the exercise of data subjects’ rights, and should ensure that the same holds true for the CSP’s relationship with any subcontractor;

  • Verify whether the contract contains provisions aimed at preventing the controller, where it has paid full compensation for the damage suffered by the data subject under European data protection rules, from claiming back from the processor involved in the same processing the part of the compensation corresponding to the processor’s share of responsibility for the damage.

 

The lock-in effect may be a consequence of the CSP using proprietary data formats and service interfaces, which render the interoperability and portability of data from one CSP to another difficult if not impossible. It is noteworthy that the GDPR introduces a brand new right to data portability that should enable the data subject “to transmit those data to another controller without hindrance from the controller to which the data have been provided”.

The right to data portability is surely enforceable against private data controllers, whereas according to Recital (68) of the GDPR “by its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties”. Data portability, however, depends on the availability of standards which lead to interoperability. Therefore, SMEs should ensure that the CSP they choose uses interoperability standards that would make the data portable at the request of the data subjects; as clarified above, the latter obligation does not apply to PAs processing personal data in the cloud in the exercise of their public duties.

The lock-in effect might also hinder the migration of services that the client developed on a platform offered by the original CSP (PaaS).

Legal tips and recommendations:

  • Focus on whether and how the CSP ensures data portability (for moving data between systems) and interoperability (when upgrading software or when migrating between two competing systems). Ensuring the data subject’s right to data portability is mandatory for SMEs when the conditions contained in Article 20 of the GDPR are met.

 

Service Level Agreements constitute a very important component of a cloud computing contract. 

SLAs identify the services and the service level objectives that the cloud provider offers to the cloud client. The SLAs are expressed in terms of metrics on the performance of the services; the metrics are usually measured in numbers. Neither the terminology of SLAs nor the willingness to negotiate SLAs are the same between different cloud providers. This has triggered initiatives aimed at standardizing Service Level Agreements between cloud providers and clients at the European and international levels.

SLAs may define the performance of the services (e.g. the availability of the service, the response time etc.), the security (e.g. service reliability, authentication and authorization, security incident reporting and management etc.), the way data are managed (data classification, data lifecycle etc.) and sometimes also relevant provisions concerning the protection of personal data. 

 

Legal tips and recommendations:

  • A client should attentively read and analyse the SLAs; 

  • Clients should also verify whether the cloud service agreement provides for remedies to service level breaches or if it sets out service credits for SLA breaches (such as money back rebates or monetary compensation).

 

Termination of cloud computing contracts is a critical phase which initiates a process in which the client must be able to retrieve the data transferred to the cloud, within a specified period of time, before the provider irreversibly deletes them. 

 

Legal tips and recommendations:

  • The steps of the termination process must be clearly identified in the cloud service agreement between the parties; 

  • A good cloud service agreement should contain provisions regulating the data retrieval time, i.e. the time in which clients can retrieve a copy of their data from the cloud service. The data retention period should also be included, as well as the procedures followed by the provider in order to transfer personal data back to the client or to allow the latter to migrate to another provider.

 

Privacy Level Agreements (PLAs) are intended to be used as an appendix to Cloud Services Agreements to describe the level of privacy protection that the cloud service provider will maintain. An exhaustive outline of PLAs has been provided by the Privacy Level Agreement Working Group established within the Cloud Security Alliance.

In the PLAs the cloud service provider defines the level of privacy and protection it affords to personal data hosted in the cloud. 

PLAs may tackle several issues: 

  • Identity of the CSP (and of Representative in the EU, as applicable), its role, and the contact information for the data protection officer and information security officer; 

  • Categories of personal data that the customer is prohibited from sending to or processing in the cloud;

  • Ways in which the data will be processed;

  • Personal data location;

  • Data transfer;

  • Data security measures;

  • Monitoring;

  • Third-party audits;

  • Personal data breach notification;

  • Data portability, migration, and transfer-back assistance;

  • Data retention, restitution, and deletion;

  • Accountability;

  • Cooperation;

  • Law enforcement access;

  • Remedies;

  • Complaint and dispute resolution;

  • CSP insurance policy.

Legal tips and recommendations:

  • PLAs could be used as a guide to compare the privacy policies of different cloud service providers; 

  • PLA checklists and guidelines may be a useful tool to get acquainted with the minimum level of data protection that a cloud provider must ensure.


A Final Word

Cloud computing solutions are offered in a wide variety of models; they change considerably from one CSP to another. As already specified above, the guidelines contained herein deal with cloud computing contracts from a general perspective, with particular emphasis on CSCs being SMEs or public authorities. The guidelines identify, at a high level, some of the clauses that require great attention by the CSCs.

Solutions to the majority of issues listed in this document may significantly change according to the deployment model (private, public or hybrid cloud computing) and in consideration of the service model (SaaS, PaaS, IaaS).

Moreover, the nature and size of both the CSP and the clients have a significant influence on the way contractual clauses are drafted and viable legal solutions found.

Big clients with a considerable “countervailing buying power” are able to exert greater pressure on CSPs. Additionally, entities such as governments, or even smaller public administrations, might have specific needs in terms of data security and business continuity because of the mission critical services they provide to the public. These are all cases that often require the provision of tailored cloud services and specific legal guidance.

Some useful legal tools are now available to the general public thanks to the effort made at the EU level under the European Commission’s initiative called “European strategy for Cloud computing – unleashing the power of cloud computing in Europe”, such as:

  • Cloud Service Level Agreement Standardisation Guidelines 

  • Certification in the EU Cloud Strategy 

A further tool has been added to the ones already available in 2015, when the Cloud Select Industry Group on Code of Conduct completed its task and delivered a code of conduct for the cloud computing providers that has been submitted to the Article 29 Working Party for approval.

The “Code of Conduct for CSPs” Revised v1.0 was published on 22 June 2016 and intends to “make it easier and more transparent for cloud customers to analyse whether cloud services are appropriate for their use case”. In particular, it is hoped that “the transparency created by the Code will contribute to an environment of trust and will create a high default level of data protection in the European cloud computing market, in particular for cloud customers such as Small and Medium enterprises (SMEs) and public administrations”. 

 

Download and keep the guide [November 2016]

Download the previous version [November 2014]

Watch the CloudWATCH webinar on Cloud Contracts, SLAs and the EU Code of Conduct