gridscale: Legal dangers lurk in the cloud

vom 27.04.2020

Anyone who wants to get into the cloud can choose from a host of international providers. A whitepaper from gridscale directs the attention to legal issues.

With its newly published compendium "Legal risks when using international cloud providers", gridscale wants to help companies to identify pitfalls in the cloud jungle. In addition to top performers such as Amazon Web Services (AWS), Microsoft and Google, the cloud market is home to countless competitors scattered around the globe. While in Asia companies like Alibaba are growing into real alternatives, the corona pandemic is pushing companies more than ever into the cloud, where they have to face weighty legal issues.

Internationally, the interpretation and implementation of data protection sometimes diverge widely. Especially in Germany the bar is set very high, they say. The Federal Data Protection Act (BDSG) largely coincides with the EU-wide DSGVO. gridscale has summarised some points that companies should pay attention to when moving to the cloud.

When it comes to personal data, encryption alone is not enough. This category includes not only information such as names or e-mail addresses, but also technical data such as time stamps or log files. When it comes to transparency, the DSGVO requires companies to inform their customers and their own employees about what happens to their data. This includes who is processing it, for what purpose and for how long. This may become more difficult if this takes place in a cloud: "In some cases, cloud providers collect metadata that they need for administration and to maintain security, to improve products. Unfortunately, non-European providers often do not see the point of providing sufficiently detailed information on this," the compendium says.

Who is responsible?

In principle, the companies themselves are responsible for data processing operations. Cloud providers tend to take the position of service providers. However, there are areas in which they assume responsibility. This occurs, for example, when it comes to metadata that they process for their own purposes. In a third case, there is the possibility of joint responsibility. It applies when both parties determine the purposes and means of data processing, explains gridscale. Accordingly, the experts recommend, especially in the case of international cloud providers, that the question of responsibility be clarified and, above all, contractually stipulated.

Cloud service providers often beckon with a flood of promises. At this point, trust is good, but control is better. Here, the DSGVO stipulates that customers must be able to check whether and how the provider uses certain technical and organisational security measures, for example. So-called order processing contracts (AV contracts) regulate this aspect.

As regards data transfers to a third country, the EU clearly stipulates that the country concerned must have an adequate level of data protection. The USA and China mark a special case. Although they are primarily among the insecure third countries, data flow can be legally compliant through standard contractual clauses or, in the case of the USA, by registering the data recipient under the EU-US Privacy Shield. However, the EU-US Privacy Shield is controversial and questionable from a data protection perspective. Contrary legislation (Patriot Act, Cloud Act) is counterbalancing it and allows the American authorities access to European data.

Works councils talk to

On the way to the cloud, the works council is also an unavoidable station. According to the Works Constitution Act, every measure that leads to the monitoring of employees, whether actual or potential, must pass through the works council successfully. gridscale explains: "A cloud environment with its login processes, log data and all the information that an intrusion detection system stores and evaluates could also be used to monitor employees (even if this is not intended)."

In the DSGVO the deletion of data plays an important role. For many data records, the period for their retention expires after ten years. However, companies must then not only destroy them, but must also be able to prove that they have been destroyed. This can be realized with the help of deletion protocols or the continuous documentation of deletion processes. But beware: The right to data deletion of the DSGVO partly collides with the legal retention periods. In addition, technical obstacles sometimes prevent deletion, for example when a data record is archived and provided with a digital signature. Unfortunately, the whitepaper leaves some questions on this topic unanswered.

In addition to the aforementioned stumbling blocks that can cause companies to stumble on the way to the cloud, the gridscale compendium lists further points that need to be considered. Interested parties can find the complete study by submitting data.

The original article in german can be found here.

    Back to overview