Back in 2009, the European Consumer Commissioner Meglena Kuneva stated: "Personal data is the new oil of the Internet and the new currency of the digital world." Seven years later the value of personal data is still rising rapidly as our ability to collect and analyse it continues to grow.

We take the internet for granted, except for those frustrating few minutes when we can’t connect, but we don't need a sophisticated understanding of the technology which drives it in order to realise that a significant part of its accessibility is offered by cloud computing services.

The use of cloud computing services has allowed organisations to concentrate fully on their own strengths while abstracting away from the technicalities. Since cloud providers have multiple users, all using a slice of the same infrastructure, they are able to provide a high level of protection and functionality at a reasonable price. Otherwise, dealing with vulnerabilities in networks, operating systems and applications, would be a full-time job for organisations, not to mention an expensive exercise.

The legal framework in the EU for personal data in the cloud

The benefit of cloud computing services has been recognised at a European level. The European Cloud Initiative is among the sixteen initiatives of the Digital Single Market strategy, adopted on 6 May 2015. It has been estimated that the European Cloud Initiative "could have the potential to add a cumulative total of EUR 449 bn to the EU 28 GDP (including the public sector), of which EUR 103 bn in the year 2020."(sic). Further, "between 2015 and 2020 approximately 303,000 new businesses could be created, particularly SMEs, thanks to the availability and adoption of cloud-based computing."

Approximately a year later (on 17 May 2016) the Council formally adopted a Directive concerning measures for a high common level of security of network and information systems across the EU, which must still be approved by the European Parliament at second reading and is expected to enter into force in August 2016 (NISD). NISD introduces a definition of "cloud computing services" which covers "services that allow access to a scalable and elastic pool of shareablecomputing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services. The term 'scalable' refers tocomputing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term 'elastic pool' is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload. The term 'shareable' is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment". Those falling within this definition will have to comply with security incident notification provisions under NISD in addition to their obligations under the GDPR.

The increasing value of personal data has also been recognised at a European level, and we have just witnessed the biggest transformation of data protection law in the last twenty years with the finalisation of another important initiative, the General Data Protection Regulation (GDPR). The GDPR has been adopted and will apply from 25 May 2018, giving organisations two years to become compliant.

The impact of the GDPR on cloud service providers

Cloud computing services will be significantly affected by the rigorous new EU data protection rules. Under current European data protection law, cloud providers which act as data processors by processing personal data on behalf of their customers and under their instructions, have few direct responsibilities. The GDPR, however, introduces various direct obligations on processors of personal data (as outlined in our article), together with hefty fines for non-compliance.

Top tips for cloud service providers on preparing for the GDPR

We are expecting detailed guidance at an EU and local level with respect to the processing of personal data by data processors under the GDPR. However, the clock is already ticking and cloud providers should be focusing on the following as an initial map to help them reach the destination of GDPR compliance in a timely manner:

  • Process personal data only for purposes you have initially agreed upon with your cloud customer. If you want to use the personal data for any other purpose, make sure there is a valid ground for such processing (e.g. consent within the meaning of the GDPR);

    Many cloud providers reserve their right to use personal data for various purposes which have not been agreed with their customer. This is especially common in the cases where the cloud services are offered for free. If, for any reason you determine the purposes and the means of use of personal data, you will be considered a "controller" under the GDPR in relation to that data in which case, the processing will have to comply with the relevant legal requirements imposed by the GDPR on data controllers. Initiating such personal data processing may lead to additional complications and risks and, potentially, to infringement of the GDPR due to a lack of proper grounds for the processing of the personal data.

  • Make sure that all GDPR legal requirements concerning the controller-processor relationship have been taken into consideration if offering 'standard terms of use' to your customers. Under the GDPR, the controller (i.e. the cloud customer) must have an agreement with the processor (i.e. the cloud service provider) for the processing of personal data. The GDPR envisages various legal requirements that must be stipulated in this agreement (see our article for more information), and the cloud customer will want to ensure compliance with such requirements prior to engaging the cloud provider to carry out data processing.

    Currently, many cloud providers have standard terms of use which either may not be negotiated or allow only minor changes. You must take into consideration the changing legal environment and adapt accordingly by providing reasonable terms of use foreseeing the legal risks and concerns of their customers. Note that there will also be consumer protection requirements when contracting with consumers in addition to data protection obligations.

  • Provide sufficient guarantees to your customers in terms of expert knowledge, reliability and resources to implement appropriate technical and organisational security measures in order to meet the requirements of the GDPR and protect the rights of the data subjects.

    The GDPR allows the cloud customer to conduct inspections and audits to ensure compliance. However, it also provides an alternative for the controller to mandate an external auditor. This is a more appropriate option for a cloud provider, particularly one with a large customer base. Further, it must be noted that under the GDPR, the adherence of the processor to an approved certification mechanism may be used to help demonstrate compliance. Therefore, it is worth considering the cloud certification schemes developed by the European Union Agency for Network and Information Security (ENISA) in cooperation with the European Commission and the private sector.

    We are waiting for proper guidance in terms of these legal requirements. However, the use of external auditors and proper certification schemes should be on the radar of the cloud service providers. These alternatives may not entirely replace cloud customer due-diligence but will certainly facilitate the process and help both the cloud customers and the cloud service providers.

  • Ensure efficient procedures for the deletion of personal data; make sure that the data is not copied and located in multiple places; create mechanisms in order to evaluate where the data is and to ensure that the data has been deleted when required.

    Under the GDPR the processor must, at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of the services relating to the processing and delete all existing copies (unless the EU or the Member State law requires storage of the personal data). Your customers are entitled to request an inspection to review compliance with this requirement.

  • Engage sub-processors only with the prior written authorisation of your customer. You can get specific or general written authorisation but if you are contracting on your standard terms of use, general written authorisation for engaging sub-processors may be a more practical solution.

    Even if you have a general consent to sub-contract, you must inform your relevant customer before adding or replacing sub-processors, in order to give them the opportunity to object to such changes. This is particularly important for cloud customers because they need to know where their data is located.

  • Make sure you conclude appropriate agreements with your sub-processors that impose the same obligations on them as those you have signed up to in your customer agreement.
  • Make sure you control where the personal data is located and who has access to it; use appropriate transfer mechanisms (e.g. model clauses) if personal data is transferred to a country outside the EEA.

The transfer of personal data outside the EEA is particularly sensitive at the moment, especially when the transfer is to the USA, and this trend is likely to continue. The Snowden revelations, the invalidation of Safe Harbor and the controversy surrounding the proposed EU-US Privacy Shield, have had a major impact on cloud service providers given that US companies are the market leaders in this sector. This is, in part, responsible for the increasing popularity of data localisation, as is evident from recent developments in Russia and France (e.g. French Digital Bill), both being in favour of measures to keep the data of their citizens within 'safe borders'. Cloud customers have been forced to pay more attention to where their data is going and you will need to provide sufficient guarantees that their personal data is being transferred outside the EEA in a lawful manner.

Perhaps the most important factor in ensuring that the legal requirements for keeping personal data in the cloud do not create a barrier to what is technically possible, is ensuring cooperation between cloud customers and cloud providers. Both need to understand their respective roles and obligations under the GDPR, remembering that the responsibility for compliance and the associated risks of non-compliance will now be a two-way street.