Privacy & Information Security Law Blog

On June 18, 2010, the data protection authority of the German federal state of Schleswig-Holstein published a press release and a comprehensive legal opinion on cloud computing.  The opinion provides an overview of cloud computing and discusses various practical and legal matters, including:

• Applicable law issues
• The legal basis for cloud computing and related processor and controller issues
• Problems associated with the possibility of third-party access
• The minimum requirements for data processor relationships and service provider contracts under the new German data protection law
• Technical and organizational security measures
• The legal landscape for clouds located outside the European Union

According to the DPA, clouds located outside the European Union are per se unlawful, even if the EU Commission has issued an adequacy decision in favor of the foreign country in question (for example, Switzerland, Canada or Argentina).  A Commission adequacy decision does not confer “agent” status, which normally would privilege such transfers, on entities located in the adequate jurisdiction.  The recipient entities remain “third parties” which means that a transfer in the legal sense takes place and therefore a legal basis is required.  The potential legal basis under German law (“fulfillment of contract” or “balancing of interests test”), however, requires that the transfer is also “necessary.”  The DPA is of the opinion that there are no arguments that the use of a cloud located outside the EU is compulsory.

This result may be avoided, however, if the German rules on commissioned data processing are applied by analogy and by using an EU-approved model contract for controller-processor data transfers, so long as the German requirements for data processor agreements are also followed.

The DPA’s opinion further states that self-certification to the U.S. Department of Commerce’s Safe Harbor framework alone does not provide an adequate level of protection in the cloud context.  Accordingly, reliance on certification to the Safe Harbor should not be used to circumvent the more strict EU legal requirements applicable to cloud computing.

In addition, the DPA indicates that, because SAS 70 Type II Certificates used by some cloud providers do not contemplate the material and procedural interests of data subjects, such certifications offer only partial compliance with German legal requirements for commissioned data processing.

The opinion concludes by suggesting that binding corporate rules are also an appropriate tool for companies seeking to implement a cloud solution.