Access to data: Who, when and where?
Companies that are using cloud technologies or planning to do so often look for a partner among the international cloud providers. Against the background of the strict rules of the DSGVO (the German abbreviation for the GDPR), however, this internationality entails a number of risks that must be taken into account.
In many countries, such as the USA, China or Russia, not only do the laws and regulations differ; the prevailing views in each country as to which measures, for example for access protection and transparency, are supposedly “usual” and “appropriate” also differ internationally, sometimes very considerably.
Incidentally, this applies not only to data protection but, in the B2B sector, also to the provisions contained in the general terms and conditions of the respective cloud providers, among other things. The differences in national legal interpretation are even reflected in tax law.
Data transfer to a third country
One of the most critical aspects regarding data protection and geography for international cloud providers is certainly the transfer of data to a third country. According to the DSGVO, this must be placed on a particularly sound legal basis; always taking into account the respective applicable level of data protection. For example, the level in Canada, Switzerland or even Uruguay is considered appropriate by the EU Commission, whereas the USA or China are considered “unsafe third countries” due to their regulations.
This does not mean, of course, that cooperation with companies in unsafe third countries is not possible. Standard contractual clauses on data transfer from the EU or, as in the case of the USA, the “EU-US Privacy Shield” can also be used to achieve legally compliant cooperation in this area.
However, experience shows that precisely these additional standard contractual clauses are not necessarily popular with cloud providers from the third countries mentioned above due to extended liability clauses.
In addition, a decision by the European Court of Justice on both the standard contractual clauses and the validity of the EU-US Privacy Shield is currently still pending. A detailed review of the respective contracts with international cloud providers is therefore recommended, as is ongoing monitoring of the ECJ’s case law.
In addition, there is the question of whether personal and sensitive data or business secrets should be transferred to a foreign cloud at all. Under the German data protection regime, the concept of personal data is defined very broadly, the handling of such data is precisely regulated, and infringements are sanctioned with heavy fines.
Internationally, however, the rules are less strict. Furthermore, the confidential handling of trade secrets has become at least very questionable, at the latest since the Patriot Act and the Cloud Act opened the door to potential access by American intelligence services to data in a US cloud.
In view of the problems mentioned and the associated uncertainty, experts recommend not to outsource critical company information in particular to an international cloud. Even if the data is processed in a European data center, US-based companies are obliged under the Cloud Act to transfer this data to the US intelligence services in case of doubt.
German and international GTC law
In the law on general terms and conditions, too, there are often great differences between the German or European legal interpretation and, for example, US-American conditions. Cloud contracts are usually based on pre-formulated contractual terms which, in the case of international cloud providers, are not negotiable and must be viewed critically for several reasons. For example, German law is usually not applicable, and neither the company headquarters nor the place of jurisdiction is located in Germany.
At the same time, central contractual elements such as liability are often excluded or formulated in such a way that there is little chance of recourse in the event of damage. Users are well advised to check the general terms and conditions in great detail and not to allow a liability gap to arise, especially in connection with their own performance commitments to their customers. In the end, a case-by-case examination of the contracts and, where necessary, renegotiation must be carried out or provided for.
According to the German tax code, companies that are taxable in Germany must also store their data in Germany. In the case of a transfer to a third country, however, numerous additional obligations must be fulfilled and an exemption from the responsible tax office is necessary.
In addition, audit-proof storage must be guaranteed, which is a very complex procedure in terms of organisation and technology. This includes in particular the traceability, verifiability and immutability of the data. Especially the verifiability up to an on-site inspection of the data center can turn out to be difficult or impossible with international cloud providers and foreign storage locations.
The above-mentioned data center inspections and visits are another aspect that can cause problems, and not only abroad but also domestically, because cloud providers and data center operators are, to say the least, not keen to channel “public traffic” through their high-security areas.
Nevertheless, the contractual agreements must be verifiable at any time without restrictions. Whether a cloud provider with headquarters and data center in China, for example, will allow an on-site inspection is more than questionable.
Deletion obligations for old data
The Internet does not forget! Often underestimated and initially overlooked is the obligation under the DSGVO to delete old data. According to this, companies are responsible for actually and finally deleting data once the commercial and tax law retention periods have expired, and for providing legally binding proof of this by means of a detailed deletion protocol.
Particularly in the case of international cloud providers with globally distributed data centers, workload deployments and backup procedures, it is important to take a very close look in this regard in order to avoid potential data protection risks in advance. And the danger is real: a large German real estate company has already been fined a sum running into millions for corresponding breaches of the obligation to delete data.
Risks and side effects
Data transfer to international cloud providers and to third countries can lead to considerable risks and uncertainties for German companies. Particular focus is placed on data protection in compliance with the DSGVO (GDPR), on general terms and conditions and on tax law, as well as on all technical and organisational requirements for IT operations derived from these.
On the part of cloud user companies, this leads to complex examination and evaluation processes with regard to contractual terms and conditions as well as the current legal situation and jurisdiction. This applies in a very special way to the orchestration of complex hybrid and multi-cloud scenarios and thus to a multitude of different cloud partners.
Legally compliant cloud solutions from German providers, on the other hand, are often underestimated, although they can be a very straightforward alternative in terms of technology, service offerings and customer understanding.
Nicolas Tuschen | Senior Online Marketing Manager
Nico is Online Marketing Manager with a focus on SEO and is responsible for (organic) online marketing at gridscale. At the same time, he is a good example of the fact that studying literature does not necessarily lead to a career as a taxi driver. He discovered his passion for SEO by chance, but has consistently expanded it since then: from startup and agency to publisher, from B2B to B2C, from offpage to onpage.