by Dr. Thomas Helbing
 
The Data Protection Authority for the German federal state of Schleswig-Holstein ("Unabhängiges Landeszentrum für Datenschutz - ULD", the "DPA") published a paper in June 2010 on cloud computing under German data protection law. Its most questionable statement is that using clouds located outside the EU might violate German data protection law.
 
In this analysis I give an overview of some of the paper's statements, explain the legal background and analyze the DPA's position.

by Dr. Thomas Helbing

On 5 February 2010 the Commission of the European Union (EU) updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.

Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws if information on individuals is transferred to or accessed by organizations outside the EU.

The EU Commission decision is relevant for all organizations receiving personal data - for example customer or employee data - from subsidiaries, customers or vendors in the EU.

In addition, the new standard contractual clauses will also affect companies that indirectly receive personal data originating from the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant access.

In particular, agreements on outsourcing, cloud computing, software as a service (SaaS) or application service providing (ASP), and software such as Human Resources Information Systems (HRIS), Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.

UPDATE: In July 2010, the Article 29 Working Party published an FAQ document clarifying certain questions in relation to the use of the new clauses.

This post contains supplementary information to Thomas Helbing's presentation "Data Protection Law Requirements to Cloud Computing Agreements in the European Union", given on 24 March 2010 at the CloudSlam 2010 Conference.

You can download the slides here (PDF - 1.26 MB).

To get access to the full video of the presentation please contact me.

The amended German data protection law obliges the parties to data processing agreements to include in their contracts clauses on breach notification, audit rights, subcontracting and several other aspects.

Nonconforming contracts can trigger administrative fines of up to € 50,000. Agreements already in place should be reviewed, and policies should be implemented to ensure that future contracts comply.