Cloud Compliance Remains a Challenge

The cloud is reality – but still legally controversial in the details. So what do we need to consider for the future with regard to liability, especially as there are few practical alternatives for data management in the cloud and many already see the cloud as unmatched in value from an economic viewpoint?

Over and over again, references are made to the cloud's problems with multiple national and international data protection laws. Among other things, the internationalization of "sensitive data" (health data, for example) presents huge legal problems for data management in the cloud. Not all supervisory authorities responsible for data protection, however, see the problem this way.

Often underestimated, however, is the fundamental legal point of criticism: the cloud user lacks data sovereignty and lacks options for controlling the cloud provider. Questions abound, such as:

  • Where does the data reside?
  • Are technically necessary copies deleted as required by law?
  • Can the cloud user see, understand and control the data security with his/her provider?

This problem field is clear, but it is less helpful to state it as: "classic data protection does not function in the cloud". You get closer to the truth if you note that the cloud's own manner of functioning has not yet been recognised by law as regards the aforementioned control options, at least not in Europe. Legislators currently demand, for example, control over the service providers to whom one entrusts one's own data or that of third parties. This control only functions with the help of transparency in regard to important questions:
  • Who can currently access the data?
  • As regards third party data, can I learn these points from the cloud provider when my own customer wants to know this from me?
  • In short: am I still master of the data?
  • Can I even still accept responsibility for the data entrusted to me, or do I fail because of the factual power of the cloud provider and the technical manner in which the cloud functions?

As to the question of control options, you should put your cards on the table and demand that the European legislators revise their own regulations for the cloud in a way that acknowledges the missing control possibilities as collateral damage of the cloud. It seems feasible to subject cloud providers, in return, to specific obligations so that the basic concepts of data protection pursued by the control rights can be achieved by an alternative route. Should an established legal conception, the necessity of the control principle, be abandoned in order to help a modern type of data management out of the juridical problem area? Or will data protection do its job of protecting the citizen only if complete visibility and control continue to be codified?

Occasionally legislators and bureaucrats claim that one must simply reinterpret the current data protection legislation: a technical interpretation of the data protection law would solve the problem. By this logic, unfashionable, non-IT oriented law need not stand in the way of a meaningful technical solution. That sounds compelling; a revision of the data protection law would then not be necessary at all. Caution is called for once again: as opposed to copyright law, data protection law is not commercial law. Data protection is a personal right. Hence, the citizens' interest in data protection principally ranks behind a technical and thus economy-friendly interpretation of the law. As a result, the issue of control and data sovereignty in the cloud remains unresolved to date.

This is the reason why it is occasionally claimed that the cloud is "illegal", or even "extra-legal". This is certainly not the case. Yet the obligations under liability law with regard to data sovereignty and the cloud customer are not to be underestimated. As such, you may be liable, under certain circumstances, for possible shortcomings of the cloud provider although you only purchased the cloud service. This always involves the chain: cloud provider – cloud customer – customer of the cloud customer. As a cloud customer, you are in the middle and must ensure a proper level of data protection for your own customers, a level which is simply not offered as depicted and, with regard to control, is also not realisable, because the data in the cloud is ubiquitous and, for example, no specific information can be given as to the whereabouts of the data.

Even if one accepts this problematic liability and takes the risk of data protection non-compliance, further aspects of the cloud are also problematic in terms of data protection legislation. This concerns, for example, data quality, especially as regards the already mentioned sensitive data, which may, if at all, only be brought into the cloud if a detailed examination of the individual case shows this to be admissible. This depends on the technical framework conditions, but also on the Terms and Conditions of the provider.

Further discussions concerning the legality of the cloud could involve:

  • Data access through third parties, especially legal authorities (not only data protection, but also knowledge/trade secret protection)
  • Technical-organisational measures (not only available, but rather also documented and manageable)
  • Subproviders (missing transparency regarding their linking, technical-organisational measures implemented)
  • Terms and Conditions

The following always applies (as already mentioned): if I myself "purchase" the cloud and use it to provide services to third parties, I cannot, generally, disclaim responsibility; I must be liable, if need be, for the above-mentioned "purchased" deficiencies to my contractor, my employees etc.
