The EU’s E-Commerce Directive should be updated to address an anomaly which exposes infrastructure cloud providers to potential liabilities for unlawful handling of personal data by their customers, even if they are not aware of their customers’ activities.
The anomaly will become more striking when the General Data Protection Regulation (GDPR) comes into effect, given the stiffer rules that will be introduced for data processors.
The rules could see infrastructure-as-a-service (IaaS) providers held responsible for data protection breaches by customers, even though such providers may only be acting as a neutral intermediary for the processing and have no knowledge of their customers’ activities. The same problem will affect platform-as-a-service (PaaS) providers, and likewise software-as-a-service (SaaS) providers that offer pure storage facilities.
It is welcome that a new voluntary data protection code of conduct for cloud infrastructure service providers has been developed, setting out what measures IaaS providers should implement as data processors.
The code, and the subject of data protection compliance and cloud computing more generally, was discussed at a roundtable discussion in Brussels following the recent formal launch of the code, where I was invited to be a panellist. The session was hosted and moderated by MEP Eva Paunova, and the other panellists were Paul Nemitz, the director responsible for fundamental rights and Union citizenship in the justice unit within the European Commission, Alban Schmutz, senior vice-president of French cloud provider OVH and CISPE chairman, Stefano Cecconi, chief executive and founder of Italian cloud provider Aruba.it, and Benjamin André, chief executive and founder of French company Cozy Cloud.
However, the code is just a first step. Infrastructure cloud providers require unique consideration under EU law. The E-Commerce Directive should be updated to give greater protection to those cloud providers in situations where they lack knowledge of their customers’ processing.
The new CISPE code of practice
A new code of conduct on data protection (40-page / 412KB PDF) published by Cloud Infrastructure Services Providers in Europe (CISPE), a coalition of cloud infrastructure providers, serves to highlight the obligations and liabilities IaaS providers will face under the GDPR when it takes effect on 25 May 2018.
The voluntary code has been written with the new Regulation in mind, and it is envisaged that IaaS providers conforming to the code will be able to cite their compliance with the code as a means of demonstrating their adherence to obligations under the new EU rules.
A recital of the GDPR notes that codes of conduct should be encouraged to facilitate the effective application of the Regulation, and in particular that such codes could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons. The CISPE code aims to carry out such a calibration in the special context of IaaS services, setting out the respective responsibilities of IaaS providers and their customers, to better address several areas which might be within the control of a traditional outsourcing provider, but not an infrastructure cloud provider.
There are still some steps that should be taken before the CISPE code can be put forward for approval for GDPR purposes, but it is very helpful that CISPE has introduced a code which seeks to cater for the specific position of IaaS providers, who often have no knowledge of the nature of data being processed by their customers using their services or of the types of processing operations conducted.
There are many European IaaS providers, including in the UK. If this code is approved for GDPR purposes and adopted widely, that would be very positive for providers, their customers and individuals alike.
Infrastructure cloud providers should be treated differently
People often liken the use of IaaS to computer rental. If you rent a computer from a rental company, and use that computer to process personal data yourself, the rental company is not treated as a “data processor” under EU data protection laws.
However, if you use an IaaS service or other infrastructure cloud service to process personal data of which you are the data controller, the service provider is automatically considered to be your data processor, with obligations and liability under the GDPR, including exposure to regulatory fines and compensation claims. This is so even though you are processing the data directly yourself, in a self-service way, and the service provider only provides computing infrastructure for your use. Individuals could choose to sue cloud providers even if the cloud customer who processed their personal data in the cloud was more at fault, because the cloud provider is perceived to have bigger pockets, or because the cloud customer who put their personal data in the cloud has gone bust.
Generally, IaaS providers and other infrastructure cloud service providers do not view customers’ data or monitor their processing; indeed, if they did, they could be in breach of data protection laws, if not of their contracts with customers.
Some may argue that cloud is different from computer rental, because a cloud provider could access and misuse or disclose the data you process using its service. But equally, a computer rental company could plant spyware on the computers it rents out, and in fact a chain in the US did so, secretly taking webcam pictures of customers and using key-loggers to capture customers’ login credentials.
The fact that a computer rental company could spy on customers and access their data, and that one actually did so, doesn’t mean that all computer rental companies must automatically be treated as data processors. The same argument applies equally to infrastructure cloud.
Unfortunately, the GDPR inherits and perpetuates outdated concepts from the EU Data Protection Directive, which is in turn based on unspoken pre-internet assumptions regarding 1970s outsourcing, when data on magnetic tapes or punched cards were delivered to computer services bureaux for processing.
IaaS providers and EU law
I have consistently argued that the law needs to go further to recognise the role of infrastructure cloud providers, which generally only serve as neutral intermediaries. Defences available for mere hosting, caching and/or conduits under the E-Commerce Directive are currently not available to neutral intermediaries such as IaaS or PaaS cloud providers, or pure storage SaaS providers, when it comes to data protection issues.
This is because the E-Commerce Directive does not apply to “questions relating to information society services [online services involving data] covered by” the EU Data Protection Directive, and, in future, the GDPR. That means that, for example, if a cloud-hosted storage service contains copyright-infringing material, the hosting provider could have a defence from copyright liability on, effectively, a ‘notice and takedown’ basis; and yet it would have no such defence if it hosts personal data which is subject to data protection breaches under the GDPR.
The GDPR states that it is without prejudice to the application of the E-Commerce Directive, “in particular of the liability rules of intermediary service providers in … that Directive”. However, the qualification does not serve to provide defences to infrastructure cloud providers under the E-Commerce Directive, because the E-Commerce Directive itself explicitly excludes issues with online services covered by the Data Protection Directive.
IaaS/PaaS and other infrastructure cloud providers merely provide IT infrastructure for direct self-service use by their customers, including SaaS providers such as technology startups, yet infrastructure cloud providers will be exposed to direct obligations and liability under the GDPR.
These obligations and liabilities will arise even if the cloud providers are unaware that their customers are using their services to process personal data, and indeed even if they ask their customers to confirm and undertake that they will not process personal data using their services but a customer breaks that promise. This approach seems inherently unfair.
There may be understandable policy reasons why lawmakers decided to impose liability on service providers in relation to data protection issues even if they have no knowledge of what their customers are using their services for, or how: for example, to ensure that individuals can get full compensation no matter who in the supply chain is at fault. However, more clarity and detail would be helpful to legitimise this clear imbalance and enable practical implementation of the relevant obligations.
Dealing with the GDPR may raise prices and affect the availability of infrastructure cloud services to EU customers, which could impact on innovation. The GDPR is bound to boost the cyber insurance market in any event, as cloud providers will be looking to mitigate their new risks under the GDPR. However, many of the difficult liability problems that infrastructure cloud providers will encounter under the GDPR could be addressed by amending the E-Commerce Directive to extend its defences to data protection obligations, as long as such changes address data protection issues appropriately.
More work will be needed on what would be most appropriate in that context; for example, in some situations, ‘notice, secure return of personal data and deletion by the cloud provider from its service’ may be more appropriate than simply ‘notice and takedown’.