Liability in cloud computing: the European Union Data Protection Directive Maarten Fonville, Robert Lijklema [email protected], [email protected]

Abstract. Current European privacy legislation distinguishes between data controllers and data processors. Data controllers are responsible for personal data, whereas data processors actually process them. This requires some kind of audit in which the data processor proves to the data controller that it meets the requirements of the law. In cloud scenarios this distinction becomes increasingly problematic, as such audits are often impossible. In this paper we propose a format for new European privacy legislation that better copes with cloud computing and the changing roles of the parties involved in data processing.

Introduction

Cloud Computing & Privacy legislation

In the European Union the privacy of citizens is regulated by the EU Data Protection Directive. This directive is translated into national legislation by all EU member states; it guarantees European citizens that data about them is handled properly and lets them keep control over that data. The directive and the implementing legislation date from the 1990s and lag behind technological innovations such as cloud computing [6]. Cloud computing is a descriptive term for crossing the boundaries of traditional physical computing, where location, instance, owner et cetera are all known, to computing 'in the cloud'. When information is stored and processed in the cloud, its physical location is, for example, no longer visible to the owner of the information. European privacy legislation did not foresee that privacy-sensitive data would be processed in the way cloud computing now does it. Definitions in the legislation that rely on physical attributes start to fail and will probably have to be updated to keep the legislation effective.

Problem statement

Since the introduction of cloud computing, legal issues have arisen in which current privacy laws could not successfully encompass the concept of cloud computing and its new playing field [6]. This is also an issue for the EU Data Protection Directive: the roles of data controller and data processor, as defined in the directive, are becoming less clear, and with them the responsibilities and obligations of each party involved. This could harm the privacy rights of EU citizens. In this paper we research the effects of cloud computing on the EU directive and suggest, where necessary and possible, changes to the directive so that cloud computing can comply with the legislation while adequate privacy protection for EU citizens is maintained.


Our research question is: “How do the roles of data controller and data processor change in cloud scenarios, and what should accordingly be changed in privacy legislation?”

Background

Origin and implementation of the European Union Data Protection Directive

In the European Union and its member states the current privacy legislation is arranged by the European Data Protection Directive. The European Union was the first region in the world to adopt privacy legislation [5]. With the creation of the single market within the European Union, the unequal regulatory playing field between member states became an issue. Since companies had to adhere to different national privacy laws, companies in the countries that adopted data privacy rules early were disadvantaged by strict privacy laws compared to companies from countries without such laws. Where a subset of European countries failed to pass proper data privacy rules, the fear was that these under-regulated nations could become data havens: organizations would locate their central data banks there and in that way circumvent the national rules of the other member states. The European Commission realized that the exchange of personal information affected not only business activity but also pan-European public administration, such as the migration information of the Schengen area. It therefore decided that privacy regulation should fall under the Community's purview, and the EU Data Protection Directive was created. The directive is not a self-implementing law: each member state has to pass its own implementing legislation before the directive becomes law in that country. Member states are free to pass legislation that is stricter than the directive requires within their own territory, but must at least guarantee the privacy levels of the directive [4]. As this paper is aimed at a Dutch audience, it should be noted that the Netherlands has chosen to translate the directive directly into Dutch law without adding further restrictions.
The only Dutch-specific addition, which other EU countries have similar laws about, is the distinction between data exporters established within and outside the Netherlands. Data exporters established in the Netherlands are held to an "equivalent protection standard", while exporters established outside the jurisdiction of the Dutch Data Protection Law must provide "adequate safeguards for the protection of the privacy of the data subjects in relation to that file" [7].

Definitions and purpose within the legislation

The definitions used here are those of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data [1], on which the directive builds. "Personal data" means any information relating to an identified or identifiable individual (also called the "data subject"); "automated data file" means any set of data undergoing automatic processing; "automatic processing" includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination; and the "controller of the file" means the natural or legal person, public authority, agency or any other body who is competent, according to the national law, to decide what should be the purpose of the automated data file, which categories of personal data should be stored and which operations should be applied to them [1].

The purpose of the legislation is to protect the privacy-sensitive information of EU citizens by giving them legal means to control the data controllers that hold data about them, while obliging the data controllers to adhere to the privacy rules of the directive. When data controllers hand data to so-called 'data processors', they are required to audit these processors to check that they provide at least the same level of privacy protection. When selecting a data processor for storage of the data, a controller may only choose one from countries with sufficient privacy regulation; which countries these are exactly is decided by the EU country of the data controller's origin. This division of rules and responsibilities should give adequate privacy protection to all EU citizens.

An agreement exists between the European Commission and the US Department of Commerce, named US Safe Harbor: organizations can join the Safe Harbor list to demonstrate that they meet the EU requirements. However, two EU reviews (in 2002 and 2004) and a 2008 review by Galexia (a company offering consulting services in, among other things, privacy) all found serious concerns with Safe Harbor [3]. In particular, the Galexia investigation showed that only 348 of the 1597 entries on the Safe Harbor list actually met the seventh principle ("Enforcement and Dispute Resolution"); the other six principles were not tested. Safe Harbor thus appears to have considerable difficulty guaranteeing the privacy rights of EU citizens.

Issues with cloud computing and the legislation

With the introduction of cloud computing, legal issues have arisen around the use of privacy-sensitive data in the cloud.
Before cloud computing, defining the roles of data controller and data processor was fairly easy. The data controller was the owner of the data and determined its purpose and the means of processing; it was the party responsible for making the collection and processing of the data comply with the law. The data processor provided storage and simple automated processing and operations, and had to prove to the data controller that it complied with the requirements the controller had set (in order to comply with the law). Since the introduction of cloud computing this clear division of roles has disappeared. With cloud computing it is possible that the original controller of the data still determines the purpose, but no longer all of the means. When a data controller uses a cloud computing service to enter information, which may be privacy sensitive, the cloud processes the data, but the "where" and "how" of this processing are often unknown to the original data controller and are often quite difficult to answer at all. Cloud computing also makes it possible for an entity that would previously have been classified as a processor to outsource part of the processing to a third party, which creates another controller-processor link.

The "where" has become difficult to answer because of the virtualization techniques applied in cloud computing. The application offered by the cloud computing service (or the platform or infrastructure offered) can, first of all, be served by multiple machines, and the location of these machines is not visible to the data controller using the service. In addition, these machines may be virtual machines. Such virtual machines can run on different physical machines, on a different machine at each moment in time, or even partially on several machines at once. Moreover, all of those machines could be anywhere in the world.


Often these machines are deployed by other service providers, offering applications, virtual machines, storage or computing power, when the data processor uses other parties for these facilities. Since these parties can in turn outsource and subcontract, it can be difficult to find out where virtual services are physically located and who is doing what exactly in the process as a whole. Together with the apparent failure of Safe Harbor, this considerably complicates guaranteeing EU citizens their privacy rights.

The "how" has also become more complicated, because with cloud computing services are provided by, for example, the data processor to the data controller, but the data processor may itself be using various services (from other parties) to perform its tasks. When using services from other parties, one has no insight into the "how" and cannot be sure that the party offering the service is not performing more actions on the data than is strictly necessary for the party requesting the service.

Both difficulties, the "where" and the "how", have an impact on the EU directive: the directive restricts the countries to which privacy-sensitive data may be exported, it limits the actions that may be performed on the data, and it requires a certain guarantee from the data processor to the data controller, which is known not to be fulfilled in current cloud computing situations [6].

Updating the directive

The Directive states that privacy protection “must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention”; it therefore seeks to be technology neutral. However, the position of cloud computing under the current Directive is ambiguous: it is not certain whether a cloud service provider classifies as a controller, a processor, or something else; the Directive only speaks of controller-processor links, meaning chains are not possible; and cloud service providers may have hardware in many different countries. We therefore seek to alter the Directive so that the position of cloud computing becomes clear, without damaging its technology-neutral status. Furthermore, we believe the current workings should remain intact, so that current controllers and processors would not need to revise existing contracts to adapt to the new legislation.

Changing the roles

One possible solution would be to create a new role under which cloud service providers fall, here referred to as 'providers'. In this case the following changes would need to be made to the Directive:
• A definition of providers would need to be added.
• One or more articles detailing the legislative framework for controller – provider interaction, and one or more articles detailing the legislative framework for provider – processor interaction, would need to be added.
• One or more articles detailing the legislative framework for provider – provider interaction would need to be added, to account for chains.
• One or more articles detailing other legal obligations of providers would need to be added.
• Most likely unchanged would be the definitions of controllers and processors, the legal obligations of both, and the legislative framework for controller – processor interaction.


However, we believe there is an alternative that requires less comprehensive changes to the Directive: splitting controllers into 'primary' and 'secondary' controllers, with current controllers classified as primary controllers, and cloud service providers who delegate to processors as secondary controllers. With this alternative, the following changes would need to be made:
• The definition of controller is currently the following: “'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;” This would need to be changed to “purposes and/or means”. In addition, 'secondary controllers' would need to be defined as controllers that operate on behalf of another controller, with 'primary controllers' being controllers that are not secondary controllers. Alternatively, secondary controllers could be defined as controllers that determine the means of data processing and primary controllers as controllers that determine its purposes, but then current controllers would classify as both primary and secondary controllers, creating an overlap of roles that could lead to legal complications.
• One or more articles regarding the legislative framework for (not necessarily primary) controller – secondary controller interaction would need to be added; in particular, we believe that if the new Directive allows secondary controllers to determine purposes of data processing, they should not be allowed to do so without explicit authorization of the relevant primary controller, to prevent abuse of data.
• The legal obligations of controllers would need to be modified, as some would not need to apply to secondary controllers: in particular, Articles 10 and 11 (informing the data subject of the controller's identity and the purpose of the processing) and Article 18 (notifying the member state's supervisory authority before data may be processed) would only need to apply to primary controllers, since applying them to secondary controllers as well would be redundant: data subjects and authorities would receive the same information multiple times.
• Unchanged would be the definition of processors, the legal obligations of processors and the legislative framework for controller – processor interaction, since at its core the relation between cloud service providers and processors is the same as the relation between current 'controllers' and processors.

Solving location issues

Regarding the possibility of cloud service providers having hardware in several countries, we have come to the conclusion that Article 25 (principles of data transfer to third countries) already covers the conditions under which data transfer to a third country may or may not take place. If a country is considered not to offer adequate protection, a data transfer may be forbidden. While cloud service providers may consider this troublesome (it may force them to have data processed in an EU member state when they believe this could better be done in another country), Article 26 (derogations from Article 25) offers the possibility of obtaining authorization for a data transfer if sufficient safeguards are provided. We therefore see no reason to alter Articles 25 and 26 to account for cloud computing: cloud service providers would qualify as controllers under our proposed definition, and the tools to solve location issues therefore already exist.

Conclusion & Outlook

Our findings in this paper are that with relatively few changes to the EU privacy directive the issues that arose with the arrival of cloud computing can be solved. The updated directive will be able to guarantee EU citizens that their privacy is protected, while giving clarity to cloud computing service providers. Cloud computing service providers will still be able to export data, within limits and with guarantees, to non-EU countries for storage and basic processing; their main activities, however, will have to be based in Europe. For large cloud computing service providers, which often already have a presence in the European Union, this should not be too big an issue. In addition, there is a level playing field, since these rules apply to every cloud computing business active in the European Union. Safe Harbor does not seem to perform properly, but no country is prevented from adopting legislation that fully complies with the directive. If more countries implement the directive as precisely as the EU member states do, the European Commission could perhaps negotiate treaties with these countries so that they are also considered part of the 'EU member states' group. This could simplify the handling of data exports while maintaining the privacy guarantees for citizens.

Acknowledgements

We would like to thank dr. ir. Wolter Pieters for proposing our research topic and for his guidance and feedback when writing this paper.

References

1. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Dutch government services website, http://wetten.overheid.nl/BWBV0002783/geldigheidsdatum_15-09-2010#AuthentiekEN
2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Union, L281, p. 31-50 (1995)
3. Connolly, C.: The US Safe Harbor – Fact or Fiction? Privacy Laws and Business International, p. 96 (2008)
4. Fromholz, J.M.: The European Union Data Privacy Directive. Berkeley Technology Law Journal 15, issue 4, p. 461-484 (2000)
5. Newman, A.L.: Building Transnational Civil Liberties: Transgovernmental Entrepreneurs and the European Data Privacy Directive. International Organization Vol. 62, No. 1, p. 103-130 (2008)
6. Parrilli, D.M.: Legal Issues in Grid and Cloud Computing. In: Grid and Cloud Computing Part 2, Springer, p. 97-118 (2010)
7. Schwartz, P.M.: European Data Protection Law and Restrictions on International Data Flows. Iowa Law Review 80, p. 471-488 (1995)
