Cloud computing. Legal aspects

Today the most significant change in computer science applied to enterprise activity is cloud computing. There have been a lot of papers, conferences, talks on the argument. Some consider cloud computing as the future for the management of computing resources and underline its low costs, positive effects in increasing security, higher standards and performances and opportunity to achieve the outsourcing process of (non-core) business activity related to hardware and software structures. However, others point out the loss of direct control over the computing resources, which has been substituted by a weaker indirect control based on contractual clauses (service level agreement, key performance indicators) or software instruments. They also underline the risk of lock-in situations due to the difficulty of coming back from a cloud environment and due to concentration of the market into a few big players. Huge amounts and concentrations of data are also more attractive for cyber attacks and give more power to fewer subjects that control these resources, with the risk of potential fraudulent behavior. 

There is some truth in both positions. Of course cloud computing is not suitable for everything, everyone and (working well) everywhere. 

Not all areas of the corporate structure are suitable to go into the cloud: critical applications, databases with reserved or strategical information, software with a high level of customization are less suitable as there is a partial loss of control over them. Nor is everyone a good partner for cloud computing. This technology needs high standard levels and a great amount of resources (assuring redundancy, business continuity, security), that is only possible for big players and not for small firms. Nor is every place suitable to send our data. There are geopolitical contexts that do not assure stability or the safety of non-intrusive practices. 

It is not possible to consider these different aspects in just a few pages (for further considerations, see here), but we could focus on one of the more important aspects, concerning data protection, which includes the current debate on this argument in the US and EU, with their different attitudes. 

Cloud computing necessarily implies data transfer and, in many cases, a trans-border data flow. From this perspective, in order to apply the principles coming from dir. 95/46/CE, the legal qualification of the subjects involved with the data flow and the definition of the consequent  responsibilities and obligations is fundamental. 

In general terms, the legislation on data protection has a data-centric structure, whereby the role assumed by the authors of the processing activity is determined on the basis of the relationship with the information, rather than by virtue of the nature of inter-subjective relations. The organization of data processing focuses on three major figures (“controller”, “processor” and “persons who, under the direct authority of the controller or the processor, are authorized to process the data” ). This is not necessarily consistent with the organization chart of the companies, nor does it reflect the autonomy of the parties involved in the process. The power of decision making about data processing is the criterion used to distinguish the roles (see Article 29 Data Protection Working Party, Opinion 1/2010), but not the nature of the contractual and economic relationship which link the different actors, nor the status of outsourcee or outsourcer. 

This distinction about the role assumed by each party is relevant not only with regard to the organization of data processing, but also from the perspective of related liability. 

In the specific context of cloud computing, considering the relationship that usually exists between the cloud provider and the user, we could further define a relationship between the processor and the controller. There are different indexes in this sense. First of all, even if service providers maintain a degree of autonomy and decision-making, tasks and specifications are (though often only formally, by reason of standard clauses) clearly and strictly defined by the user through the contract. Secondly, the user is the only one directly empowered by the data subject to process the data and the cloud provider only receives the information to be processed in the interest of the user. Finally, the typical arrangements of outsourcing and specifically of cloud computing services give broad significance to the service performances and service level agreement (SLA), binding the parties so that it is not possible to qualify them as two autonomous controllers (see P. Hustinx, European Data Protection Supervisor, Data protection and Cloud Computing under EU law). 

For these reasons we must conclude that the outsourcer assumes the role of controller and the service provider the role of processor. Confirmations also result from the fact that the activities carried out by cloud providers are only a part of the processing put in place by users. In addition cloud providers do not show the specific or exclusive competences necessary to play a dominant role in processing, which entails a high degree of autonomy. Usually cloud providers simply offer a higher  quality standard in the provision of services previously carried out by the company (see Opinion 1/2010 quoted before). 

Finally, we should remember that the EU has a great interest in the regulation of cross-border data flows, which has a fundamental role in maintaining the entire system of guarantees defined by the data protection directive. Consequently, the transfer to a third country of personal data can take place only if the third country ensures “an adequate level of protection” (Articles 25 and 26, dir. 95/46/EC). In the absence of an adequate data protection legislation, parties could assure the safeguards requested by the law by using the appropriate contractual clauses (art. 26, § § 2 and 4, dir. 95/46/EC), and by adopting the standard clauses approved by the European Commission (see here). 

Some difficulties arise instead when the cloud provider (processor), established in the EU, employs third parties established in third countries as sub-processors. There are no specific standard clauses for this purpose, and the parties could only adopt one of the flowing solution. Firstly, a direct contract between the EEA-based controller (cloud service user) and the non-EEA-based sub-processors. Secondly, a mandate from the EEA-based controller (cloud service user) to the EEA-based processor in order to use Model Clauses 2010/87/EU in his name and on his behalf. Thirdly ad-hoc contracts (see Article 29 Data Protection Working Party, FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive).