• +49 (30) 804 03 588 | +49 (0)157 322 38619 | +33 (0) 6 79183704
  • sybille.boese-tarsia@sbt-rechtsanwaeltin.eu
  • Nickisch-Rosenegkstrasse 9, 14129 Berlin

Cloud services agreements & EU General Data Protection Regulation (GDPR): troubles ahead?

According to recent research reports, the average European enterprise could well be using up to 600 cloud applications. Despite increased awareness on the part of the IT industry, organisations and companies underestimate this figure by about 90 percent. This worries the IT industry and, of course, raises the question of how cloud-consuming organisations can ever hope to comply with the GDPR if they don’t know about 90 percent of the applications their people and customers are using (and may not be able to find out easily).

The push to replace the EEA’s patchwork of 28 national data protection rules with the GDPR has been broadly welcomed by the cloud service provider community, albeit with caution. While it stands to make it easier for native and US-based cloud providers and hosting firms to win business across Europe, the GDPR will also – for the first time – put them on an equal footing with data controllers when it comes to liability for data breaches and rule violations.

Today (i.e. until May 2018) there is still a sharp distinction between the data controller (the enterprise that owns the data) and the data processor (the cloud or other digital services provider), as all the legal obligations rest on the data controller, but this is going to change with the GDPR. The joint liability requirements laid down by the GDPR are likely to prove a big source of concern for cloud services providers, as the liability thresholds increase considerably: 2% of worldwide turnover, i.e. up to EUR 10 mio, whichever amount is reached; OR up to 4% of worldwide turnover, or up to EUR 20 mio, for serious infringements.

Cloud firms have to take a keener interest in what exactly users are planning to store on their infrastructure, which is only guaranteed if and when enterprises really know what they actually have in use.

Joint liability requirements also mean cloud providers will be obliged to alert the authorities to data breaches within 72 hours.

US cloud providers who host personal data of EU residents will, in many cases, be subject to EU law – even if the cloud provider’s clients are not themselves established in the EU.

Under the terms of the 1995 Data Protection Directive – the legislation the GDPR will replace in May 2018 – an individual can ask for personal data held about them by an EU-based data controller to be deleted once it is no longer needed, and/or transferred. The GDPR (art. 17), by contrast, explicitly introduces the right to be forgotten; to ensure compliance, cloud services providers may need to collect more metadata around the information they hold about individuals, to make it easy to find where it is stored and to delete (and/or transfer) it.

Though controllers are used to being liable, and have sought measures to limit their exposure (by introducing BCRs, for example), this is somewhat new to processors. Cloud services providers will have an interest in establishing, for their own structures, codified best practices such as BCRs, to make sure they are able to control their exposure.

And controllers should have a strong interest in contracting only with cloud services providers that can prove they have fully working BCRs (for example) in place.

Auditing current datasets and managing the big data that sits around will prove indispensable.