It's still not clear what data protection requirements apply to cloud services. Why is that? Are the laws especially unclear for German organizations using foreign-based cloud services?
The problem arises when you transfer personal data to foreign servers. Data transfers within the European Union (EU) or the European Economic Area (EEA) are generally uncomplicated since § 4b of the German Data Protection Act (Bundesdatenschutzgesetz, BDSG) grants preferential treatment to countries in these regions. Once the data leaves the EU/EEA, though, the law requires data to be adequately protected in the data recipient's country. The US doesn't offer this level of data protection, so German enterprises cannot store personal data on servers based in the US.
... but there are exceptions?
Right. One exception had been carved out by the Safe Harbor Privacy Principles jointly adopted by the European Commission and the US Department of Commerce. It permitted data to be transferred to a US server if the US server operator was "Safe Harbor certified", which meant that it had raised its data protection to an adequate level.
In October 2015, however, the European Court of Justice overturned the Safe Harbor Principles on the grounds that adequate data protection could not be assured amid the wide-ranging data surveillance by US intelligence services that Edward Snowden had brought to light. All of a sudden, all data transfers to US servers became illegal – unless, of course, they were covered by other exemptions such as EU standard contract clauses or binding corporate rules. German companies had to respond quickly since data protection authorities threatened to issue a decision on sanctions at the end of January 2016. Any companies that failed to act by that deadline – e.g. by adopting standard contract clauses – would face fines of up to EUR 50,000. Fines have already been imposed, too – most recently on three companies that continued to store data on US servers without meeting the necessary legal requirements.
And then new principles were announced this summer?
Yes. A new framework was announced in July 2016, known as the EU-US Privacy Shield. While it sets out higher standards for US companies, the US Government's concessions have been quite modest, especially in transparency and supervision. So critics are confident that the new Privacy Shield will not withstand legal scrutiny, either. France and Ireland have already challenged its adoption in court.
The two other alternatives – EU standard contract clauses and binding corporate rules – are on shaky legal ground, too, since US agencies continue to intercept data communications and the Irish data protection authority has already announced its desire for the ECJ to review the EU standard contract clauses as well.
So where does that leave German companies? Safe Harbor is dead, and the future of the EU-US Privacy Shield and EU standard contract clauses looks precarious. Clearly, using US servers still entails considerable risks.
Do you think public cloud services pose other typical legal risks?
Unlike private cloud services, users of public cloud services don't always know where their data is stored. International cloud service providers also host sensitive personal data outside the EU, which entails the risks I was talking about earlier.
In addition, public cloud servers are accessible to a broad user base, which renders their interfaces more vulnerable to attack. This makes it harder to comply with the legal cyber security requirements (particularly BDSG § 9 and § 11), especially since some providers scrimp on security to make accessing their public cloud services more user-friendly.
How can organizations ensure their cloud services comply with data protection laws?
The uncertainties I've mentioned mainly affect cloud providers based in other EU countries. Since major providers are based in the US and maintain most of their servers on American soil, there is a risk that personal data from German organizations will end up on these US servers.
Therefore, organizations should make sure that data identifying specific employees or specific customer or supplier contacts is only stored on servers located in the EU/EEA, preferably in Germany, since these regions have some of the strictest security standards.
Many foreign cloud providers now build data centers in Germany. Apart from their physical location, though, what do these providers have to do to minimize the potential legal liability for organizations that use their services?
US providers that build data centers in Germany are certainly taking a huge step in the right direction. An organization that has its provider certify that its personal data will only be stored on German servers and also verifies that the provider upholds its end of the bargain will have to endure much less scrutiny from data protection authorities since at least the location of the data is clearly defined. But even this arrangement has two weak points that cannot be remedied entirely.
And those are?
German data centers run by US providers are often accessed by US employees for (remote) maintenance, especially outside of German business hours. When US technicians log into the German servers and do their troubleshooting, they can, theoretically, also access other data on the server that may be transferred to the US employee's server. Organizations should therefore include language in their contracts prohibiting remote maintenance from the US.
Then, you have the issue of data surveillance by US government agencies, particularly the NSA. Even with the Privacy Shield, the US's national security laws allow access to any US company's data if it may be relevant for detecting and combating terrorism. This authorization also extends to foreign subsidiaries of US companies, which means that US providers could be court-ordered to release their German subsidiary's data. Admittedly, the most recent ruling handed down in July 2016 by the United States Court of Appeals in New York stated that Microsoft did not have to turn over data stored on an EU server. However, since this was not a Supreme Court ruling, German subsidiaries may still end up complying with a US request for data under pressure from their US parent company – and that would constitute an illegal transmission of data.
And what consequences will this have?
From a data protection viewpoint, some risks remain when you use US providers, even if they operate their servers on German territory. The safest option is to use providers that are headquartered in an EU country, ideally Germany, and only operate their servers here. A viable alternative, in my opinion, is the "data trustee" model in which US providers host and operate their systems in German data centers, but cannot access them.
Even mid-market enterprises such as communications provider Schwaiger or software licensing specialist Octopus are turning to public cloud services. But they’re choosy when it comes to legal certainty and data protection.