Cloud Computing – violation of Data Privacy Law by increasing technical efficiencies?!
Cloud Computing, or rather internet-based computing, is the new hot term in business technology, because companies can significantly cut costs while increasing technical efficiencies. But companies that enter into cloud computing agreements with a cloud provider have to attend to the legal risks. In the opinion of several German data protection authorities, almost all of the latest cloud computing offers violate applicable German Privacy Law. Thus, the undersecretary of state in the Ministry of Economic Affairs, Dr. Bernd Pfaffenbach, met scientists and representatives of the IT industry at the second panel on Cloud Computing in September 2010. Further, the German secretary of state in the Ministry of Economic Affairs, Rainer Brüderle, will start a corresponding initiative in October 2010.
According to the authority of the German federal state of Schleswig-Holstein, clouds located outside the European Union are per se unlawful, even if the EU Commission has issued an adequacy decision in favour of the foreign country in question (for example, Switzerland, Canada or Argentina). A Commission adequacy decision does not confer “agent” status, which normally would privilege such transfers, on entities located in the adequate jurisdiction. The recipient entities remain “third parties” which means that a transfer in the legal sense takes place and therefore a legal basis is required. The potential legal basis under German law (“fulfilment of contract” or “balancing of interests test”), however, requires that the transfer is also “necessary.” The DPA is of the opinion that there are no arguments that the use of a cloud located outside the EU is compulsory.
This result may be avoided, however, if the German rules on commissioned data processing are applied by analogy and by using an EU-approved model contract for controller-processor data transfers, so long as the German requirements for data processor agreements are also followed.
The DPA’s opinion further states that self-certification to the U.S. Department of Commerce’s Safe Harbour framework alone does not provide an adequate level of protection in the cloud context. Accordingly, reliance on Safe Harbour certification should not be used to circumvent the stricter EU legal requirements applicable to cloud computing.
In addition, the DPA indicates that, because SAS 70 Type II Certificates used by some cloud providers do not contemplate the material and procedural interests of data subjects, such certifications offer only partial compliance with German legal requirements for commissioned data processing.
The opinion concludes by suggesting that binding corporate rules are also an appropriate tool for companies seeking to implement a cloud solution.
Harald Nickel
Attorney
office-nickel@nickelonline.de
