The GDPR*, which will come into force on 25 May 2018, represents a major evolution in EU data protection law. Data subjects' rights are strengthened across the board, with a concomitant toughening of obligations for data controllers and data processors.
In this post, I look in detail at three problems for cloud services providers arising out of Article 28 of the GDPR, which is concerned with data processors. Article 28 sets out in considerable detail how the contractual relationships between data controllers and data processors should be framed. In amongst that detail, there are some severe problems.
The problems I look at here (there are others) relate to:
- customer influence over sub-processor appointments;
- conflicts with non-EU laws; and
- back-to-back processing contracts.
I look at these issues from the perspective of an imaginary cloud service provider called MadeUpCo.
MadeUpCo is a typical small UK-based cloud services provider.
It has some clever software, which it hosts and makes available to a range of customers, large and small. Those customers are situated around the world. The software processes personal data of customers' customers.
Some of MadeUpCo's customers are on annual rolling contracts, while others can terminate on short notice. A few are tied in for several years, reflecting historical investments in customer-specific functionality.
The software is a multi-tenanted system installed on virtual servers hosted by a large US-based infrastructure services provider. The software interfaces with various third party cloud services, again situated both within and without the EU, passing personal data back and forth. Some of those third parties are under contract to MadeUpCo, and count as sub-processors.
MadeUpCo clearly falls within the ambit of the GDPR, as it is established in the EU and it processes the personal data of EU citizens.
So, how does MadeUpCo's business fare under Article 28?
Customer influence over sub-processor appointments
Article 28(2) provides that:
"The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."
Clearly MadeUpCo is going to need the consent of each of its customers to the continuing use of its hosting services provider and the other sub-processors. It will also need consent for future changes (or, to the extent that it has general consents, the absence of objections to those changes).
The first place to look will be MadeUpCo's existing contracts: to what extent have its customers previously consented to the appointment of the sub-processors? Do the consents amount to "general written authorisation" or merely a "specific written authorisation"? What do those phrases mean? At what point does a consent covering more than one identifiable sub-processor become a general consent?
Quite possibly, different customers will have consented to different things. For example, larger customers with in-house legal teams may have insisted on oversight or control over sub-processors. But very likely, additional consents are going to be required before May 2018.
So far, so much administrative inconvenience. But what happens if MadeUpCo wants to change from one hosting services provider to another? All customers will have, at least, the opportunity to object to the change. Article 28 is not specific about this, but that would seem to imply that they have the right not to have relevant personal data processed by a non-approved sub-processor.
If that is correct, MadeUpCo could be left with the choice of: (i) remaining with an unsatisfactory incumbent service provider; (ii) splitting its customer base between installations / services providers, negating some of the advantages of running a multi-tenanted system; or (iii) terminating the contracts of uncooperative customers.
The varying rights of termination under MadeUpCo's existing contracts throw a further spanner into the works, making it very difficult to implement option (iii) without first implementing option (ii) on an interim basis.
Conflicts with non-EU laws
All controller-processor contracts must be "governed by a contract or other legal act under Union or Member State law".† Moreover, Article 28(3) provides:
"That contract or other legal act shall stipulate, in particular, that the processor: (a) processes the personal data only on documented instructions from the controller … unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest … (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data … "
The references here to "Union or Member State law" create particular problems for processors situated outside the EU. For example, a US-based processor under a contract complying with Article 28(3) could be left to choose between: (i) complying with that contract; and (ii) complying with US law. I've seen one supposedly GDPR-compliant data processing agreement from a major US service provider that refers to "applicable law" rather than "Union or Member State law" for just this reason.
MadeUpCo isn't yet outside the EU, and may hope that the Brexit negotiators will recognise and deal with this issue vis-à-vis the UK; but, right now, that hope looks very much like a thing with feathers.‡
In fact, MadeUpCo has a pre-Brexit problem: in combination with Article 28(4), Article 28(3) creates a trap for those within the EU using service providers outside the EU.
Back-to-back processing contracts
Article 28(4) provides that:
"Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law ... Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations."
There's an obvious issue here for MadeUpCo. On the one hand, some of its customers are going to impose their own data processing terms on MadeUpCo. On the other hand, MadeUpCo doesn't have the bargaining power to impose those terms on its hosting services provider or many of its other sub-processors.
Even if MadeUpCo could persuade its customers to sign up to its own standard data processing agreement, there is another problem: the hosting services provider and the various other sub-processors will each have different standard terms. Is MadeUpCo going to present its customers with a data processing agreement annexing a range of different sub-processing agreements, with different rules for different data depending upon the sub-processor in question?
And remember, because of Article 28(3)'s emphasis on "Union or Member State law", those sub-processors who are outside the EU are likely to have standard terms that are clearly not compliant with Article 28, and so may in any case be unacceptable to well-informed customers.
MadeUpCo will have to face some difficult questions; I don't see any easy answers here.
Many businesses will fall into non-compliance through ignorance. Even those businesses that are aware of the issues may deliberately choose non-compliance over less palatable alternatives, notwithstanding the fines of 20 million Euro or more that can be imposed by the enforcement authorities.
†If the Brexit negotiations proceed as quickly and smoothly as they have so far, UK technology lawyers may be left advising their clients to seek EU counsel for relevant contracts.