Date: 2017-11-10

Most cloud contracts include shared liability clauses, and with the fines under the impending General Data Protection Regulation (GDPR) set at up to four per cent of annual global turnover, the risks to a cloud vendor if it leaks data from a large customer could be ruinous.

Could that mean that cloud providers start to dump their largest customers in an effort to reduce their risk, as 25 May 2018, the date from which the GDPR applies, approaches?

Computing spoke to Kuan Hon, Director, Privacy, Security & Information, at privacy law experts Fieldfisher to find out.

Kuan Hon:

The short answer to the question is, "It's unlikely - but watch this space". The longer answer is, "It's complicated!"

Let's start with a hosting provider's position under the GDPR. If it hosts personal data, it's treated at least as what's called a "processor". In some cases it might even be a "controller" of the personal data - the boundary can be blurry sometimes.

Why does the difference matter? Legal risk, and therefore financial and reputational risk.

Generally, controllers - who control the "purposes and means" of processing the personal data - have more legal obligations and liabilities than processors; they're on the legal hook for more things. Controllers (e.g. customers of hosting providers) can use processors (e.g. hosting providers) to process, e.g. host, store, or analyse, personal data for the controller. But the buck, or should I say euro, stops with the controller - it can't outsource its legal responsibilities or liabilities to the processor. If there's a problem with the processor, ultimately the controller could still get fined or sued.

Processors are supposed to process the personal data only as the controller instructs, and not for the processor's own purposes. They have legal obligations to the controller (the provider's customer) under their contract with the controller. But, with hosting providers, the contract is almost always on the provider's standard terms. The hosting customer has to click to accept the provider's terms before it can use the hosting service, and it's rare that customers can negotiate the provider's standard terms.

How does the GDPR change all this? In three ways.

And these are relevant to all service providers who host, analyse or otherwise handle any personal data - not just hosting providers.

Providers directly on the legal hook - fines

First, post-GDPR, processors will, for the first time, automatically have some direct obligations and liabilities. As well as the risk of being sued by controller customers under their contracts with them, processors could get fined by data protection regulators for breaching their direct obligations. These include obligations on security, and on international transfers (if they host personal data outside the European Economic Area or allow remote access by staff or contractors from outside the EEA, without using a mechanism recognised by the GDPR like the EU-US Privacy Shield - see my book on transfers and cloud, limited-time discount available!).

More contractual risks for providers

Second, contracts between controllers and processors - including hosting providers' standard terms - will, from 25 May 2018 (when the GDPR applies), have to include certain minimum terms that commit the processor to a long list of requirements, for breach of which they can get sued by their customers. In my personal view, and I know many others agree, both sides (not just the controller) could face a fine of 2 per cent of turnover/€10m if they don't put in place a compliant contract by that date.

Pre-GDPR, the only requirement was for the provider to commit in its contract with the customer to take appropriate security measures.

The new GDPR requirements were designed to better protect individuals whose personal data will be held by providers. But they're hard to apply in cloud, because they don't take into account the commoditised, hyperscale nature of most cloud services, where the provider won't actually know what type of data (personal data or non-personal data) their customers choose to store on the hosting service, e.g. on audit rights - see my article.

I did point out the potential problems while the GDPR was going through, as lead author of a paper for an EU cloud project, but the GDPR's wording never got adapted to accommodate cloud. The UK data protection regulator, the Information Commissioner, recently consulted on its guidance about controller/processor contracts and liability, but the guidance doesn't really deal with the uncertainties or tricky practical issues - on which see my IAPP and (longer) SCL articles.

Many big cloud providers have now come out with new standard terms that try to be GDPR-compliant while being practicable for cloud. However, because the new requirements increase providers' contractual commitments, for which the provider could get sued by customers, pricing may go up generally, or extra fees will be charged by providers if called on to meet some of the new requirements - or both. But I should point out that the GDPR doesn't say that shared liability clauses must be included in provider contracts. I'll say more about that in a minute.

