< Back

Global Cloud Providers vs. EU Regulation

Wed, 27 Feb 2013

cloud hosting, legal compliance

The EU is drafting the EU Data Protection Regulation, a proposal to change laws to govern the protection of personal data online, whilst facilitating the ‘free’ movement of data between all member states. The new regulations will restrict how organisations can use data they record about individuals - whether this is personal in nature (names and addresses) or largely anonymous (cookies and browsing history). Organisations who fail to follow the rules are liable for large fines, whilst others (such as online advertisers and marketeers) may lose revenue streams from indiscriminately harvesting and processing such data.

Arguments for enhanced protection and management of personal data are summarised in the Brussels Privacy Declaration, a petition promoted and signed by a number of well known civil liberties groups and digital rights associations. The petition points out that:

We are outraged because… over 1,200 companies specialise in trading our personal data; every time we browse the internet over 50 companies now monitor every click; we are constantly being categorised and judged by algorithms and then treated according to the ‘perceived value’ we may or may not bring to business; all without our knowledge and consent.

These comments are aligned with the European Commission’s own view, as promoted in the following short video, that protecting personal data is a fundamental right:

However, as with most legislation, complications are apparent in many areas. To understand these it is necessary to first define two roles:

  • Controller: The organisation or person ultimately responsible for ensuring the use and storage of personal data complies with the Regulations
  • Processor: Any organisation(s) or person(s) performing operations on personal data, including collection, storage and retrieval, dissemination, alteration and destruction.

In the context of outsourced IT it is therefore critical to clarify who fits into the roles of Controller and of Processor. In some cases this will be clear-cut: a colocation data centre provider has no ownership or control over client systems, so will be neither a Controller nor a Processor, whereas a fully-outsourced data agency will be both. By far the most debated category is that of cloud computing providers. Article 29, Opinion 05/2012 on Cloud Computing suggests:

The cloud client determines the ultimate purpose of the processing and decides on the outsourcing of this processing… The cloud client therefore acts as a data Controller. The cloud provider is the entity that provides the cloud computing services… When the cloud provider supplies the means and the platform, acting on behalf of the cloud client, the cloud provider is considered as a data Processor.

Whilst it is ultimately the Controller’s (cloud client’s) responsibility to protect the data they store, this Opinion note explicitly places a responsibility on the Controller to ensure their cloud provider can meet all the requirements of the legislation:

a precondition for relying on cloud computing arrangements is for the Controller to perform an adequate risk assessment exercise, including the locations of the servers where the data are processed and the consideration of risks and benefits from a data protection perspective

The complications now start with the EU suggesting in a General Data Protection Regulation draft that the rules apply to data of an EU citizen regardless of the worldwide location of the Processor:

Any processing of personal data [by] a Controller or a Processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not.

and further, that organisations based entirely outside the EU must also be fully compliant (despite being outside the EU jurisdiction):

The processing of personal data not carried out [by] a Controller in the Union should be subject to the Regulation where the processing activities are directed to data subjects residing in the Union

Unsurprisingly, large cloud operators and offshore data processing organisations have come out strongly in an attempt to water down the proposals. Amazon have proposed the notion that a cloud provider, as with any dedicated server provider, would not normally have access or visibility into the data on their physical systems - whilst it is the cloud provider’s physical CPUs doing the processing, there is no way to ‘reasonably identify’ any individual personal data.

As if to make life even harder for proponents of “cloud”, the Working Party report lists risks associated with cloud operators, such as use of shared resources and the impact on confidentiality, and lack of visibility and full control over data.

Knowing where the lines of regulation will finally be drawn is impossible at this stage, however Controllers of all sizes, who target EU markets, need to be aware of these ongoing developments. IT managers need to be able to work with their outsourced IT providers to ensure they will be compliant with the Regulations when they come into force.

In some cases, it may simply be that cloud is not a viable option, with dedicated servers, storage resources and colocation options being preferable. Knowing the data centre, rack and servers where your data is stored may require more effort, but this pales in comparison with a hefty EU fine and the resulting damage to reputation.