Cloud with a chance of regulation

The EU’s regulatory planning for cloud computing and data protection is an expanding domain worthy of everyone’s attention. Whether you are pro-EU regulation, or anti, the European Commission is addressing vital solutions to key issues so says Stephen Meachem, a barrister and solicitor with the Law Tribe and a member of the BCS Law Specialist Group.

Though the cloud supports business agility and market entry by having the potential to offer flexibility and scalability it is not without issues. The regulatory concerns around cloud computing and the data-related issues it raises for businesses arise in two areas:

(a) the relationship (contractual and operational) between cloud providers and their customers;

(b) the regulatory landscape, which includes data protection. A proposed new General Data Protection

Regulation is intended to regulate big data, the cloud and social networks. This may offer innovation opportunities in cloud software development.

Standardisation of cloud service terms and conditions

Currently, individual vendors have an incentive to fight for dominance by locking in their customers. The market needs service level agreements giving a contractual right to get data back in a usable form, which is easy to integrate in-house or to a different cloud provider.

If a service goes down users require to be up and running again as quickly as possible. Given the current capabilities of IT is this a big ask? Both Google’s Apps for Business and Microsoft’s cloud services are able to manage it. Whatever difficulties small providers may claim, whether justified or not, surely the EU is right to work towards such minimum standards.

Currently the market norm is complex contracts or service level agreements that are insufficiently specific and balanced and which contain extensive disclaimers. The use of take-it-or-leave-it standard contracts might be cost-saving for the cloud provider, but is often undesirable for the user, including the final consumer.

Standardised contractual terms would reduce the transaction cost of legal advice. Contractual litigation should be regarded as a sign of regulatory failure. Robust and transparent standard contractual terms must be the way forward. Usefully, therefore, the EU is working towards model contract terms and a code of conduct for cloud providers. See also ISO/IEC 27018 mentioned below.

Data protection in the cloud

The cloud is blurring the boundaries of the enterprise and creating security issues. People need to know where their data is and who has the right to see it. Issues arise in the cloud when cloud services are used to process personally identifiable information (PII).

It is hard to imagine an organisation that does not hold a certain amount of PII (related to employees for instance). However, in the cloud, whilst the data processing is outsourced and under cloud provider control, the legal obligations regarding PII protection remain with the client of the cloud services; under the Data Protection Directive 1995, as implemented in the UK by the Data Protection Act 1998.

The EU has developed an auditable voluntary standard known as ISO/IEC 27018. An auditor can verify whether a cloud provider meets the requirements of the standard and, if the level of compliance is adequate, it can issue a compliance certificate.

This certificate can be used both as a marketing tool for the cloud provider and as a warranty that the cloud provider meets its obligations regarding PII processing. To complete the regulatory system the compliance certificate can then be registered in the contract signed between the client and the cloud service provider. This is an admirable solution in my view.

The Data Protection Directive 1995 is relevant to the cloud and big data as it contains a purpose limitation principle that provides that personal information must only be processed for specified, explicit and legitimate purposes, and that it must not be further processed in a way incompatible with those purposes.

Derogations are only permitted where this is necessary to safeguard one of a list of public policy objectives, including, for example, public and national security, defence and the prevention of crime. The UK’s Information Commissioner’s Guide to Data Protection links the compatibility of two or more purposes to the question of whether or not any further processing can be considered fair.

Using or disclosing personal information in a way that is outside that which the individual concerned would reasonably expect, or which would have an unjustified adverse effect on them, would be considered unfair and thus incompatible with the original purpose.

Accordingly when assessing the compatibility of new purposes, data controllers must take into account, inter alia, the nature of the data, the legal grounds on which it was originally collected, and whether the data subject was in a weak bargaining position or whether it was mandatory for the data subject to provide the data in the first place.

However, Section 35 of the Data Protection Act 1995 permits disclosures ‘under any UK enactment’, even if those disclosures would otherwise violate the purpose limitation principle. The practical effect of this provision in its current form is that UK data controllers have no right (or obligation) to refuse a request for the disclosure of personal data to public bodies on the basis of their data protection obligations as long as that disclosure is mandated by any statutory or common law obligation.

It could, of course, be argued that such a lawful request from a UK government agency would itself be in breach of its obligations under the Data Protection Directive; which would be a potentially costly and lengthy litigation matter.

Article 6(4) of the proposed General Data Protection Regulation will dilute the purpose limitation principle somewhat in that it will provide a statutory basis in EU law for data processing activities for purposes that would otherwise prima facie have been judged as incompatible with the original purpose where inter alia

‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (Article 6(1)(c)) or ‘processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...’ (Article 6(1)(f).

Safeguards in respect of 6(1)(c) appear at Article 6(3): the ‘legal obligation’ must meet an objective of public interest or be ‘necessary to protect the rights and freedoms of others’ and ‘respect the essence of the right to the protection of personal data’ and ‘be proportionate to the aim pursued’.

Moreover, it must be consonant with the Charter of Fundamental Rights of the European Union. Stronger safeguards may be required. Data processors may disagree. Arguably to restore and maximise trust in the cloud more transparency is needed on government access to data, for example, for reasons of law enforcement and national security, including commitments on what constitutes legitimate government access to data and transparency about what access requests have been made.

Summary of the proposed EU General Data Protection Regulation.

A right to be forgotten. When a data subject no longer wants data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. The rules are about empowering individuals, not about erasing past events or restricting the freedom of the press.
Data subjects will have easier access to their own data.
A right to transfer personal data from one service provider to another.
When a data subject’s consent is required, they must be asked explicitly.
More transparency about how your data is handled, with easy-to-understand information, especially for children.
Businesses and organisations will need to inform data subjects about data breaches that could adversely affect you without undue delay, within 24 hours. They will also have to notify the relevant data protection authority.
Improved administrative and judicial remedies in cases of violation of data protection rights.
Increased responsibility and accountability for those processing personal data, through requirements for data protection risk assessments, organisational data protection officers and the principles of ‘privacy by design’ and ‘privacy by default,’ which must be implemented within systems.

Proposed amendment by the Council of Europe of the 1981 Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

This treaty is the closest instrument to a universal declaration of data rights in existence. A key amendment is the explicit formulation of the principle of proportionality, which is to be respected at any stage of data processing.

New duties of data controllers and processors include a duty of active transparency and an obligation to establish internal mechanisms to demonstrate compliance, to carry out risk analyses, and to design processing in such a way as to minimise risks for data subjects.

The above principles and the principles of ‘privacy by design’ and ‘privacy by default’ to be enacted in the General Data Protection Regulation are certainly food for thought and a source of potential instructions for software engineers. Love or hate it, being in Europe can’t be all bad for business! Can it?