by Dr. Thomas Helbing
The Data Protection Authority of the German federal state of Schleswig-Holstein ("Unabhängiges Landeszentrum für Datenschutz - ULD", the "DPA") published a paper in June 2010 on cloud computing under German data protection law. Its most questionable statement is that using clouds located outside the EU might violate German data protection law.
In this analysis I give an overview of some of the paper's statements, explain the legal background and assess the DPA's position.
Controller-Processor Relationship
According to the DPA, the relationship between a cloud provider and a cloud user is, from a technical point of view, usually a controller-processor relationship. From this understanding the DPA draws the following conclusions:
The cloud user is responsible for ensuring the integrity and confidentiality of personal data stored in the cloud (e.g. employee or customer data). In the DPA's view, fulfilling this obligation requires the cloud provider to make transparent how and where data is processed in the cloud and to describe the security measures that have been implemented. The provider of a public cloud must accordingly inform the cloud user about the legal entities operating the cloud and the locations of the data processing facilities.
As the data controller, the cloud user must be able to audit the security measures and to give instructions to the cloud provider regarding the data processing. The DPA recognizes that these requirements are hard to meet in a cloud scenario and appears to accept this under certain conditions:
- The cloud provider must give a comprehensive contractual commitment to comply with specific data security measures.
- The cloud user's audit obligation must be discharged by an independent and competent third party. The cloud provider must contractually accept audits by third parties or provide sufficient certifications. According to the DPA, the cloud provider must also make log data from the processing available to the extent required for the audits.
- To compensate for the cloud user's inability to give detailed instructions to the cloud provider, the cloud provider must offer the cloud user a choice of options, e.g. with regard to the resources used or the locations of the data processing facilities (EU clouds), or with regard to security levels.
The DPA paper also deals with cloud providers established in countries outside the European Union and the European Economic Area (EEA). Here it is important to keep in mind that, from a data protection viewpoint, such a scenario is subject to a two-step test. First, the transfer of personal data into the cloud and the processing in the cloud must have a legal basis. Second, an adequate level of data protection must be ensured at the cloud location outside the EU/EEA. Safe Harbor, Binding Corporate Rules and the EU standard contractual clauses are relevant mainly to the second step of this test. The use of standard contractual clauses or a Safe Harbor certification as such therefore does not suffice to make the use of cloud services lawful. Unfortunately, many authors, and the DPA in its paper, do not always clearly distinguish these two basic steps.
According to the definitions in section 3 para. 8 of the German Federal Data Protection Act (FDPA) [Bundesdatenschutzgesetz - BDSG], the making available of personal data by a controller to a processor is not considered a "data transfer" if certain requirements are met, among them that the controller and processor have entered into a written agreement satisfying the requirements listed in section 11 FDPA. The consequence of this controller-processor privilege is that no separate legal basis is needed for passing personal data to a processor. However, the DPA has made clear that this privilege does not apply if the cloud provider is located in a country outside the EU/EEA.
The DPA argues that the transfer of personal data to, and the processing of such data in, a non-EU/EEA cloud cannot be justified. In the DPA's view, the only provision that might create a legal basis for the data transfer into the cloud is the balance-of-interests clause in section 28 para. 1 no. 2 FDPA. The DPA argues that the cloud user has no legitimate interest in transferring personal data to a non-EU/EEA cloud provider, because the cloud user could instead use EU/EEA-based clouds.
Later, the DPA explains that one way to justify the use of non-EU/EEA clouds would be to apply the privilege of section 11 FDPA analogously (mutatis mutandis) to data processors outside the EU/EEA. As a precondition for such an analogy, the cloud provider and cloud user would have to enter into an agreement based on the EU standard contractual clauses for controller-processor transfers. In addition, the cloud computing agreement would have to comply with the requirements of section 11 FDPA. The DPA stresses that a cloud provider's mere self-certification under the Safe Harbor regime or a SAS 70 Type II certification does not suffice.
Analysis and Criticism
The DPA's statements on audits and data security are helpful and provide guidance. However, its statements on the legitimacy of non-EU/EEA clouds are highly doubtful and overly general.
The view that the privilege of section 11 FDPA does not apply to data processors outside the EU/EEA is in line with the wording of the FDPA. It should be mentioned, however, that at least some authors support the approach mentioned by the DPA, namely that the privilege can be applied mutatis mutandis to processors outside the EU/EEA if the contract includes the EU standard contractual clauses and, in addition, satisfies the requirements of section 11 FDPA. From the paper it remains unclear whether the DPA is willing to follow this approach.
Further, it cannot be argued that there is in general no legal basis for data transfers to non-EU/EEA clouds. In particular, the argument that the cloud user has no legitimate interest in using such clouds is not valid. If one accepted this argument, any offshore outsourcing of personal data, a common practice for many years, would be unlawful in most cases. This clearly contradicts the EU decision on standard contractual clauses for controller-processor transfers, since there would de facto be no room for applying these clauses. Nor can it be said that cloud users always have the choice of an EU-based service, since many major cloud service providers are based in the US.
The paper is also very general and vague in other parts. For example, although the introduction describes the different types of clouds (public/private) and services (Software as a Service, Platform as a Service, Infrastructure as a Service), the DPA does not distinguish between these scenarios in the remainder of the paper. In my opinion, the paper in many respects creates more uncertainty than it provides clarification.
Some recommendations can nevertheless be drawn from the paper: German users of non-EU/EEA clouds should make sure that their cloud agreements include the EU standard contractual clauses and also comply with section 11 FDPA. In addition, the parties should pay specific attention to describing the locations of the data processing facilities and the parties operating the cloud, and they should agree on data security certifications or independent third-party audits. Cloud providers should offer a choice of security levels and data processing locations.
Finally, one should keep in mind that the paper is a statement of the data protection authority of one of the 16 federal states [Bundesländer] in Germany, and that it supervises only cloud users established in the territory of Schleswig-Holstein. In the past, however, this authority has taken a leading role in the joint meetings of all German data protection authorities, so other authorities may follow the DPA's view.