How GDPR and the Network and Information Systems Security Directive will complicate cloud computing
Part one: Pinsent Masons' consultant lawyer Kuan Hon explains how forthcoming data protection laws will complicate cloud computing
If you think the forthcoming General Data Protection Regulation is complicated enough, then the issues surrounding Privacy Shield - which may yet be struck down - and the Network and Information Systems Security (NIS) Directive will almost certainly blow your mind.
But both the GDPR and the NIS Directive are already well on the way to becoming law in less than two years and even Privacy Shield may be hit by the same kind of legal complaint that brought down Safe Harbour, the framework that handled transatlantic exchanges of personal data between the European Union and the US - with nothing to replace it.
In other words, data protection is about to become a whole lot more complicated (and expensive), and it isn't solely down to the GDPR. And, if you're processing data in the cloud, it becomes more complicated still.
Currently, we have the EU Data Protection Directive, which has been translated into British law in the form of the Data Protection Act.
The Data Protection Act regulates the processing of personal data of data subjects (individuals), with some exceptions, such as processing for national security purposes.
But 'processing' isn't necessarily what you think it is: it's actually a technical term with a special legal meaning under data protection law, and it includes activities like storing and transmitting data.
You might not think that just holding data without doing anything to it would count as processing. But for data protection legal purposes it is, and there are certain rules that have to be complied with when processing personal data.
The rules apply to what is known as the data controller, the person who controls the purposes and means of processing personal data. So it's the controller who is on the hook. A controller (who can be an individual but, more usually, will be an organisation) can use a processor to help it process personal data. Compliance with data protection laws is supervised by national regulators, like the Information Commissioner (ICO) in the UK.
Hence, whatever you do with personal data, you need to know exactly who the controller is and exactly who the processor is. Sometimes the boundary can be blurred. With the same personal data, an organisation could be a controller in certain situations, or a processor in other situations. It is also possible to have joint controllers or co-controllers of the same personal data.
Cloud complications
With a cloud service, the eco-system can be quite complex. A cloud customer could have a direct contract with a software-as-a-service (SaaS) provider, such as Salesforce, NetSuite or Workday, or an infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) provider.
Even if a cloud customer has a direct contract with a SaaS provider, the SaaS provider might well have outsourced to an IaaS or PaaS or even another SaaS provider behind the scenes. There could be a third-party data centre provider, connectivity providers, payment services providers and so on also involved.
So there can be quite a complex chain of organisations involved in cloud computing.
If a company that is a controller of personal data uses the cloud to process personal data, then the cloud provider is generally considered its processor. Sometimes the provider is a controller in its own right (for example, certain consumer-facing cloud services), but mostly it's considered a processor when it is used by a controller to process personal data.
When a controller uses a processor - cloud or otherwise - there are certain requirements that apply. Basically, these relate to due diligence, what's got to be in the contract, and ongoing monitoring of the processor's compliance.
For most customers, cloud contracts are generally only available on the provider's standard general terms - take it or leave it. Some customers can negotiate, but they tend to be government or major financial services organisations. The majority aren't able to negotiate terms with a cloud provider.
Class-action lawsuits
The GDPR should not be confused with the Law Enforcement Data Protection Directive, which EU Member States must implement through national legislation, whereas the Data Protection Act will get directly overridden by the GDPR in 2018.
As a "regulation" rather than a "directive", the GDPR will bypass the stage of being translated from an EU directive into individual member states' laws, with the aim that it will be more uniformly applied across the EU.
Accountability is one main feature of the GDPR. It is not just about being compliant (or not being caught!), but being able to prove that you are compliant.
Potentially huge fines will be a big change: Between 2010 (when the ICO first gained its fining powers) and now, the biggest single fine levied in the UK was £400,000, on TalkTalk, for security failings that allowed a cyber attacker to access customer data. The maximum fine (called "monetary penalty") that the ICO can levy currently is £500,000.
Under the GDPR, fines could be levied in one of two tiers: at the lower tier, the maximum fine is two per cent of the infringing group's turnover or €10m if higher; at the upper tier, the maximum fine is four per cent of the infringing group's turnover or €20m if higher.
Whether an infringement carries a lower-tier or higher-tier fine depends on the exact rule infringed. Generally, controllers will be more exposed to higher-tier fines than processors. Points taken into account in deciding whether to impose fines, and how much, will include factors like the seriousness of the infringement, whether it was intentional or negligent, its impact on individuals, relevant previous infringements, and how cooperative the controller or processor was with the ICO.
'Class actions' will be another possibility under the GDPR, in the sense of quasi-class-actions brought by non-governmental organisations on behalf of individuals. Class actions for data protection breaches are not common in the UK at the moment, but if you're a controller or a processor of personal data, you should be concerned about the potential for these quasi-class actions in the future.
Free online services - whereby the product or service is provided in return for the personal data gathered being used by the provider for its own purposes, as with mobile games or free webmail, for example - are likely to be affected due to tighter requirements regarding consent.
Organisational procedures are going to have to change as well for the GDPR.
Encryption, tokenisation and other security measures will be much more important. Codes of conduct or certifications will probably play a much bigger role, as they can be used to help prove compliance or allow international transfers.
Overall, you really have got to start preparing now because you have less than two years: GDPR will come into force on 25 May 2018 and businesses in the UK will not be able to dodge it, even with Brexit.
Obligations and liabilities
At the moment, it's the controller who is legally responsible for data protection obligations and liabilities. However, under the GDPR, the processor - such as a cloud provider - will also be directly liable to be fined or sued. This is going to mean big changes to cloud contracts.
For starters, where a controller uses a processor for personal data, cloud or not, there are going to be major differences. When signing cloud (and other IT services) contracts for personal data processing, due diligence is going to have to extend not only to security, but to the processor's general ability to comply with the GDPR in relation to the proposed processing. And the contract is going to have to be a lot longer because the GDPR is more explicitly prescriptive regarding what terms must be in the contract.
All of this is going to be difficult and time-consuming to work out. A lot of it doesn't sit well with cloud computing, but it is going to happen.
The European Commission (and national authorities like the ICO) has the power to adopt standard controller-processor terms. So if industry bodies want to lobby for standard terms that may be appropriate to their sector, and try to get them adopted, that may help.
There are also big changes afoot in relation to sub-processors.
Prior consent will be needed for sub-processing, and notification of changes to sub-processors, as well as what may be called 'terms flowdown'. For example, you could have a contract with a SaaS provider, which has to contain certain minimum data protection terms under GDPR.
However, the SaaS provider's contract with its IaaS or PaaS provider also needs to have pretty much the same data protection terms, because that's a requirement of the GDPR. The IaaS/PaaS provider is treated as a sub-processor, so the obligatory GDPR terms have to be "flowed down" to those sub-processing contracts.
But it's really hard to know how far down the chain this has to go: what if the IaaS or PaaS providers keep their servers with a third-party data centre provider? Does the IaaS/PaaS provider's contract with the data centre provider have to include those mandatory data protection terms too? And so on... Hopefully regulators will provide guidance on this.
And this doesn't just apply to cloud, it applies to all supply chains that involve the processing of personal data.
Kuan Hon is a consultant lawyer for Pinsent Masons focusing on data protection law. She is also a senior researcher, project co-ordinator and research assistant of the Cloud Computing Project at Queen Mary University of London.
Disclaimer: This article does not constitute legal advice. Specific legal advice should be taken before acting on any of the topics covered.