The cloud is reality – but still legally controversial in the details. So what do we need to consider for the future with regard to liability, especially as there are few practical alternatives for data management in the cloud and many already see the cloud as unmatched in value from an economic viewpoint?
Over and over again, references are made to the cloud’s problems with multiple national and international data protection laws. Among other things, for "sensitive data" (for example, health data), internationalisation presents huge legal problems for data management in the cloud. Not all supervisory authorities responsible for data protection, however, see the problem this way.
Often underestimated, however, is the fundamental legal point of criticism: the cloud user lacks data sovereignty and lacks options for controlling the cloud provider. Questions abound, such as:
- Where does the data reside?
- Are technically necessary copies deleted as required by law?
- Can the cloud user see, understand and control the data security with his/her provider?
- Who can currently access the data?
- As regards third party data, can I learn these points from the cloud provider when my own customer wants to know this from me?
- In short: am I still master of the data?
- Can I even still accept responsibility for the data entrusted to me, or do I fail because of the de facto power of the cloud provider and the way the cloud technically works?
Occasionally legislators and bureaucrats argue that one must simply reinterpret the current data protection legislation: a technical interpretation of the data protection law would solve the problem. By analogy, an unfashionable, non-IT-oriented law should not stand in the way of a meaningful technical solution. That sounds compelling. A revision of the data protection law would thus not be necessary at all. Caution is called for once again: as opposed to copyright law, data protection law is not commercial law. Data protection is a personal right. Hence, the citizens' interest in data protection cannot, as a matter of principle, simply be ranked behind a technical and thus economy-friendly interpretation of the law. As a result, the issue of control and data sovereignty in the cloud remains unresolved to date.
This is the reason why it is occasionally claimed that the cloud is "illegal," or even "extra-legal". This is certainly not the case. Yet the liability-law obligations that data sovereignty places on the cloud customer are not to be underestimated. Under certain circumstances, you may be liable for possible shortcomings of the cloud provider even though you only purchased the cloud service. This always involves the chain: cloud provider – cloud customer – customer of the cloud customer. As a cloud customer, you are in the middle and must ensure a proper level of data protection for your own customers, a level which is simply not offered as depicted and, with regard to control, is also not realisable, because the data in the cloud is ubiquitous and, for example, no specific information can be given as to the whereabouts of the data.
Even if one accepts this problematic liability and takes the risk of data protection non-compliance, further aspects of the cloud are also problematic in terms of data protection legislation. This concerns, for example, data quality, and especially the already mentioned sensitive data, which may, if at all, only be placed in the cloud if a detailed examination of the individual case shows this to be admissible. This depends on the technical framework conditions, but also on the Terms and Conditions of the provider.
Further discussions concerning the legality of the cloud could involve:
- Data access through third parties, especially legal authorities (not only data protection, but also knowledge/trade secret protection)
- Technical-organisational measures (not only available, but rather also documented and manageable)
- Subproviders (lack of transparency regarding how they are involved and which technical-organisational measures they have implemented)
- Terms and Conditions