The option and liability of cloud service – how to land risks
In case of processing personal data, meaning performing operations on personal data, , e.g. collecting, storing, using, etc., the person conducting it, may be a natural person or a legal person, if the person processes personal data or it is done on behalf of the person. Persons processing personal data are divided into a controller and a processor. When it comes to cloud services, the cloud service provider is usually a processor, who processes personal data on behalf of the controller
The new General Data Protection Regulation (hereinafter: GDPR) obliges the controller to conclude a rather specific agreement with the processor, in order to ensure the clarity of processing of personal data. However, the agreement in question, is not only important in following the requirements of the regulation, but is rather in the interests of the controller and the processor, so that the liability of the parties would be determined.
The new GPRD states that in certain situations the processor may be liable, but since the controller is still responsible for the infringement in the eyes of the data subject, the controller should before concluding the agreement for using the cloud services, even before choosing the cloud service provider, very thoroughly assess the risks. The relevancy is also pointed out in the IT baseline security system ISKE, although it is mainly meant for public sector. On 30th January 2017, the Ministry of Economic Affairs and Communications confirmed the new version 8.0 of ISKE, which as an update deals with cloud services as well. Regarding cloud services, ISKE brings out various risks that must be taken into consideration. Since the government sees a great number of risks in clouds, private sector should not treat this subject lightly either, as theprivate sector should also protect the data and ensure the safety of the data.
The assessment of risks expects to find an answer to the question, if it is possible to completely be confident that a service provider processes personal data in compliance with all the rulesand the agreement. The assessment comprises a thorough analysis of the terms of the service, as well as a valuation of the technical and organisational security measures. There is a possibility that the terms of service are in compliance with the requirements, but in reality, some technical risk regarding the servers of the cloud service might occur, that alters the service unfit..
Deficiencies might also occur in the terms of service, which is why it is essential to be extra attentive, when reading through and analysing the terms of service. Quite often the terms of services are rather long, but considering, what kind of consequences infringements of data protection requirements might bring, it is highly recommended to take the time and thoroughly work through the terms or acquire professional help to do that.
Special attention should be payed on cloud services, which service providers are from countries outside of the European Union and the European Economic Area – their servers are often located outside aforementioned areas and in that case it is necessary to analyse, whether the data protection requirements stated in the EU are fulfilled. For example, Dropbox states in its termss that it keeps its data in servers all over the world. As a controller in a member state of the EU, one should pay attention to that kind of a terms, because might happen data are not stored in an EU member state. It is possible that these terms can be negotiated, but in case the negotiations are not successful, it should be evaluated, if the controller is up for taking that kind of risks.
Processing of personal data in clouds involves various risks, but through thorough and exhaustive risk assessment and concluding of suitable and required agreements, it ensures the security of personal data and its legitimate processing.
The article is initially published in IT-uudised in Estonian.
(Author: Siiri Vello)