
What does the new EU data protection regime mean for datacentres and cloud service operators?

Changes to European data protection law will put new responsibilities on datacentre and cloud providers

The process of reforming European data protection law has been protracted, to say the least. However, the target for a final text of the EU General Data Protection Regulation (GDPR) is now firmly set for the end of 2015, and it is expected to come into force some time in 2017.

For datacentre and cloud service operators, this means big legislative changes are probably just over a year away and the time to start work on compliance with those changes is now.

Under the current data protection regime, the law draws a sharp distinction between “controllers” and “processors”, with the controller having all the legal liability. In the datacentre and cloud context, the controller is almost always the customer.

This means datacentre and cloud operators’ direct legal obligations in respect of personal data have been rather limited outside the terms of their contracts with customers, and the adequacy or otherwise of those contract terms has firmly been the customers’ problem.

All that will change when the GDPR comes into force. For the first time, data processors will have direct legal obligations in respect of the personal data they process, and data subjects will be able to claim compensation for unlawful processing of their personal data direct from the processor – that is, the datacentre or cloud service operator.

Important obligations

By far the most important of those direct obligations for datacentre and cloud operators is that processors will, for the first time, be directly liable both to the regulators and to data subjects for security breaches. This is a significant risk for datacentre operators previously accustomed to being liable only to their customers for security problems, and having the protection of (hopefully) robust contractual exclusions and liability caps.


If all this sounds like yet another administrative and compliance headache you could do without, you would be right, at least on one level, but it’s not all doom and gloom. There are some real silver linings in the impending GDPR cloud (no pun intended).

A peripheral benefit is that it greatly reduces the complexities in working out which laws apply to any given data. One of the problems in the current regime is that multiple countries’ laws can end up applying to the same data.

For example, if your customer is in Germany and you process personal data for them in a datacentre in the UK, the data protection laws of both the UK and Germany may have to be taken into account in your contract with the customer and in how you then handle their data.

The GDPR does away with all that, and applies a largely uniform regime throughout all the member states of the European Union (EU). In the long term, that has to be helpful.

Extra-territorial effects

More important, though, is the extra-territorial effect of the GDPR. The big US cloud services that have European datacentres will be in exactly the same boat as their EU-based competitors. Now that Safe Harbour has gone away, many of the US providers – even if they don’t have an EU datacentre already – will be looking at opening one. 

But there’s more. The latest “official” text provides for the GDPR to apply to controllers not established in the EU, but which are offering goods or services to people in the EU or monitoring the behaviour of people in the EU.

While this provision is clearly aimed at the Facebooks and Googles of this world, and is less likely to affect datacentre and cloud operators outside the EU as drafted, a leaked document from the continuing discussions in the EU suggests the EU legislators agree in principle that the same should also apply to processors.

If that agreement makes it into the final text, any datacentre or cloud service outside the EU – including in the US – which is used by a customer (who can also be outside the EU) to offer goods and services to people in the EU, or to monitor people in the EU, will be subject to the exact same set of obligations as a datacentre based in the EU.

The GDPR does not define what constitutes “offering” goods and services to people in the EU; quite likely, simply putting up a generally accessible website could be enough.

All that, plus the demise of Safe Harbour, could well mean that European operators suddenly start to look a whole lot more competitive.

There is administrative work to be done and there are processes and procedures to put in place. But, for all that, GDPR is as much an opportunity as a burden, and European datacentre operators should embrace it.

Daniel Hedley, of Thomas Eggar

Daniel Hedley is an associate at law firm Thomas Eggar.

This was last published in October 2015


The regulation goes well beyond the current rules.
For example, the contract between the cloud service client and cloud service provider must prohibit the provider from retaining the services of a third party without the permission of the client (Art. 26(2)(d)).
Article 30(1) would require both data controllers and data processors to use security measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be processed. The equivalent provision in Article 17 of Directive 95/46/EC merely requires the use of “appropriate security measures.” Under the new regulation, the security measures would have to be adapted to the specific risks represented by the processing and the nature of the personal data to be protected, and would have to take into account the state of the data and cost of implementation. Further, Article 30(2) would require both the data controller and the data processor to conduct a risk assessment.

Article 30(2) does pose the question – who is responsible for the risk assessment, if the client is purchasing their cloud storage from a reseller/OEM reseller? The client is responsible for his/her side of the risk assessment, but what happens if their “cloud provider” purchases their storage from someone else? Many cloud providers purchase their storage space from the likes of Rackspace (for example) – but do Rackspace perform the risk assessment or the reseller? If it is the reseller, would there be a legal requirement for the reseller to perform a risk assessment with the [ultimate] storage provider? That would mean the reseller would have to perform a risk assessment twice – once between the client and reseller and a second between the reseller and storage provider.

Even if the reseller only had to perform one risk assessment, Article 26(2)(d) may still apply, and expose an OEM reseller as just that – a reseller for another company’s services. This could encourage the client to “cut out the middle man” (the OEM reseller) and go straight to the storage provider.
I find it interesting that "direct obligations for datacentre and cloud operators is that processors will, for the first time, be directly liable both to the regulators and to data subjects for security breaches," and "datacentre operators previously accustomed to being liable only to their customers for security problems, and having the protection of (hopefully) robust contractual exclusions and liability caps."

We know that the cloud architecture is based on sharing infrastructure resources, and I find it concerning that researchers again are finding similar issues to those that six years ago were demonstrated by Ristenpart, providing concrete evidence of sensitive information leakage on a commercial cloud. A 2015 research paper presents a full-fledged attack that exploits leakage of decryption keys and concludes that cross-VM leakage is present in public clouds and can become a practical attack vector for both co-location detection and data theft.

When will the next cloud vulnerability in this area be discovered?

I agree with Gartner’s recommendation to "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys," and to "apply encryption or tokenization." I think that encryption keys for sensitive data should not be exposed in the cloud environment.

Ulf Mattsson, CTO Protegrity