Cloud Computing and Data Protection
Dr Ursula Widmer
CLOUD COMPUTING - ICT AS A SERVICE
Cloud computing is one of the most important current trends in the field of information and communications technology, and ICT management. Elements of cloud computing are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The term cloud computing derives from the cloud symbol usually used to represent the internet and the complex infrastructure behind it in graphics.
Hardware and software are no longer procured and operated by users themselves but obtained as services. Cloud service providers enable users to access and use the necessary ICT resources via the internet. To provide these resources, providers often fall back upon other providers in the cloud, which, for example, make storage capacity available for customer data or computer capacity for data processing.
Cloud computing services are used by consumers as well as by organisations and companies. Offers in cloud computing comprise, among other things, the provision of computing and storage capacity; the provision and operation of development environments and of operating and database management systems; web hosting; web mail services; and a growing number of different types of application software, for example for word processing and other office applications, customer relationship management, supply chain management, or the storage and management of photos or personal health-related data (electronic health records), to name a few.
Well-known examples of cloud computing services are Amazon Simple Storage Services, Amazon Web Services, Google App Engine, Microsoft Azure Services Platform or Salesforce.com. Other examples of cloud computing include peer-to-peer networks based on BitTorrent or Skype. Numerous internet service providers also use cloud computing as a basis for search engines, blogs and social networks, among others.
Cloud computing offers users cost benefits and flexibility. Instead of purchasing, operating and maintaining a specific hardware and software environment and bearing the costs incurred themselves, users pay a fee based on actual requirement (utility billing model) or a recurrent fixed fee (subscription billing model) for the use of the ICT resources they require and which are made available by the service provider. Users can save on fixed costs. Providers who make their resources available to as many users as possible can optimise utilisation of their systems and thus reduce their costs. Cloud computing offers the additional advantage that the use of ICT resources can be easily adjusted to changes in requirements. In the current economic turmoil cloud computing is therefore an option that is being given serious consideration by many companies and organisations.
OPEN ISSUES ON DATA PROTECTION
No borders within the cloud
The concept of cloud computing is globalised, and within the cloud there are no borders. The computers and ICT network infrastructure used for processing and storing user data can be located anywhere on the globe, depending only on where the requisite capacity is available for executing the ICT tasks, in accordance with the optimisation-oriented resource management of the global computer networks used for cloud computing. Some cloud service providers, such as Amazon, offer their customers the option of choosing between certain availability zones. The customer's data then remains within the selected zone.
Regarding data protection, cloud computing raises a number of interesting issues. Data protection law is based on the premise that it is always clear where personal data is located, by whom it is processed and who is responsible for the processing. Cloud computing appears to fundamentally conflict with this premise. For example, if a customer uses an e-mail service based on cloud computing, the customer's data can be stored anywhere in the world, depending on where the servers with the necessary free storage capacity are located. Different services supplied by a wide range of providers are regularly bundled into a single end-user offering, for example when the mail service provider obtains the storage capacity it needs for its customers' data from other providers. With cloud computing it is therefore no longer possible to say where the data is at a given moment, or by whom and how it is being processed. This makes it doubtful whether those responsible for data processing under data protection regulations are in a position to effectively assume their responsibility at all.
If the data circulates freely around the globe via the internet, it is also no longer clear which data protection authorities at which location are responsible for ensuring that the principles of data protection are observed. If a provider in country "A" stores large volumes of personal data relating to customers of companies that use the CRM solution of a provider headquartered in country "B", it is not immediately certain which authorities in which country (country "A", country "B", the countries where the companies using the CRM solution or their customers are domiciled, or several of these) are, or appropriately should be, responsible for the observance of data protection in the storage of that data.
DEMAND FOR AMENDING DATA PROTECTION LAW
There is therefore, in some quarters, a demand that the applicable statutory provisions on data protection be adjusted to find an appropriate arrangement for cloud computing. Whether statutory adjustments are necessary was the subject of a hearing conducted by the US Federal Trade Commission (FTC) in March 2009. Whether new data protection provisions should be drawn up is questionable, however, in particular because the market for cloud computing services is still very young and in its early stages of development. At such an early phase it is difficult to ascertain the right legal framework for effective and appropriate data protection.
Issues of data protection are also eclipsed by aspects of competition law, on account of the market power of providers such as Google or Amazon, which cannot be challenged by an individual customer who lacks the negotiating power to influence contract terms and conditions effectively.
CURRENT SITUATION: THE DATA CONTROLLER'S RESPONSIBILITY
Regardless of whether cloud computing is to be the subject of specific statutory regulations in the future, current data protection provisions apply to cloud computing. In accordance with Swiss data protection law, the basic principles of which are in line with EU law, three issues are of importance: the conditions under which the transfer of personal data processing to third parties is permissible; the conditions under which personal data may be sent abroad; and data security.
Data processing by third parties
In legal systems with extensive data protection, as is the case in the EU and in Switzerland, it is permissible to enlist the support of third parties for data processing. However, the data controller remains responsible for the processing of the data, even if it is performed by one or more third parties on his instructions. According to Swiss data protection law, the data controller must therefore ensure that an appointed third party (data processor) only processes data in a way that the data controller himself would be permitted to. Furthermore, the data controller has to make sure that the data processor meets the same data security requirements that apply to the data controller himself.
Depending on the sector (e-health, utilities, retail, etc.) to which the data controller belongs, specific additional requirements may apply. For example, banks and securities dealers have to conclude a written agreement with the data processor (a contract concluded electronically online is not sufficient), in which they oblige the data processor to observe Swiss banking confidentiality. In addition, the data processor must be incorporated into the bank's internal control system, and it must be ensured that the internal and external auditors and the banking supervisory authority can audit the data processor at any time. In the contract with the data processor, the bank therefore has to agree on corresponding rights of inspection, rights to issue instructions and rights of control.
Transferring personal data abroad
Under Swiss law, as under EU law, special rules apply when sending personal data abroad. According to these, exporting data abroad is permissible if the country in which the recipient of the data is located has legislation that ensures adequate data protection in accordance with Swiss standards. The EU and EFTA states in particular have such legislation. A list published by the Swiss Federal Data Protection Commissioner gives details of whether adequate data protection legislation exists in a particular country. Of particular note is the fact that the US does not have adequate data protection legislation.
However, if the data recipient is covered by the Safe Harbor regime, which in addition to the EU has also applied to the relationship between Switzerland and the US since the beginning of 2009, the adequacy of data protection is guaranteed and data transmission is therefore permissible.
If no adequate data protection legislation exists in the recipient country, the transmission of data from Switzerland is only permissible in special circumstances. In connection with the processing of personal data for business purposes, the following cases are of particular relevance: conclusion of a contract with the data recipient obliging it to observe adequate data protection; consent of the person(s) concerned; and transmission of data concerning the contracting party in connection with the conclusion or performance of a contract.
Data security
Swiss data protection law requires - as do the national laws of EU member states - that data security is safeguarded when processing personal data. Confidentiality, availability and integrity of data must be ensured by means of appropriate organisational and technical measures.
These include the protection of systems and data against the risks of unauthorised or accidental destruction, accidental loss, technical faults, forgery, theft and unlawful use, as well as against unauthorised modification, copying, access or other unauthorised processing. The data collector remains legally responsible for the observance of data security, even if he assigns data processing to a third party.
In cloud computing the legal responsibility for data processing is borne by the user who enlists the services of a cloud service provider. The user is the data collector. As in all other cases in which a third party is given the task of processing personal data, the user or data controller is responsible for ensuring that data protection requirements are met. This applies to consumers (for example, if they use a web mail service or manage their photos over the internet) as well as to companies and organisations (using, for example, the solution of a cloud service provider for CRM).
A data collector in Switzerland who wants to enlist the services of a cloud computing provider has to ensure that the data protection requirements are made binding in its contract with the provider. This can be done either by means of individually negotiated clauses or by declaring the provider's security and data protection policy part of the contract, insofar as it fulfils the statutory requirements.
Particular attention must be paid to the following points in a contract with a cloud service provider:
Scope of processing
The type of data processing the provider is permitted to carry out, and the purpose for which the data may be processed, are to be clearly specified.
The conditions under which the provider may in turn pass the data on to subcontractors, for example to a provider of storage capacity, have to be defined. It must be ensured that the user is informed which subcontractors data is forwarded to, and that the data protection provisions of the contract between the user and the provider are also binding on the subcontractors.
Deletion of data
An essential point is that data which the user has to delete, because he or she no longer needs it or may no longer process it for another reason, is also deleted by the provider, so that no further copies of the data remain. This can cause problems, in particular with backups created by the provider, if these contain data belonging to several of his customers and the targeted deletion of individual data items is financially unreasonable or technically infeasible. Data deletion is also of prime importance when the contract with the provider is terminated.
Data security measures
The organisational and technical data security measures to be taken by the provider are to be stipulated in the contract, such as the access rights of the provider's employees to the data and to the systems used to process it, and the encryption of data during transmission, during storage, or both.
Localisation of data
To be able to fulfil the requirements on the export of data, the customer must know in which countries the servers on which the data is processed and stored are deployed. The provider is to be placed under an obligation not to transfer the data to any other country without prior consultation with the user.
Service level agreements
Depending on the purpose for which the data is processed, it is important to agree on binding service levels for availability and data recovery, if necessary backed by fixed penalties in the event of non-compliance with the agreed service levels.
Restitution of data
Upon termination of the contract, the orderly return of the data to the user has to be ensured. This requires sufficiently long notice periods for the user to be able to take the measures necessary to ensure the availability and continued processing of the data after termination of the contract. The form in which the provider is to deliver the data to the user must also be specified.
Information and audit rights
By agreeing on information and audit rights, the user gains the opportunity to verify that the obligations entered into by the provider are being fulfilled. Depending on the sector to which the user belongs, such rights also have to be provided for the auditing firms and regulatory authorities to whose control the user is subject.
It is certainly questionable whether, in the globalised environment in which cloud computing operates, the current legal position that assigns responsibility for safeguarding data protection to the individual user is a sensible and practical approach. However, as long as no special data protection provisions apply to cloud computing, users have no choice but to discharge their legal responsibility to protect data by means of detailed agreements with cloud computing service providers.