2.5 Conclusions on legally compliant clouds
3.1.2 Basic requirements for data processing in clouds
Lawful cloud computing must comply with applicable legal norms. As a precondition, the cloud customers who are outsourcing data to the cloud must themselves be permitted to collect and process the data.
For personal data, collection and processing is forbidden, although the prohibition can be lifted (Art. 7 Data Protection Directive). Generally, the lawfulness of collecting and processing personal data of both the corporate customer’s private clients and employees is given by their contractual relationship with the corporate customer (Art. 7 lit. b Data Protection Directive). Alternatively, the data subjects may give their explicit consent (Art. 7 lit. a Data Protection Directive). That can be necessary in the particular case of collecting and processing special categories of personal data, e.g., medical and health data, when the contractual relationship is not sufficient (Art. 8 para. 1 Data Protection Directive). Here, the explicit consent of the data subject is regularly necessary (Art. 8 para. 2 lit. a Data Protection Directive). In order to process personal data without explicit consent, (special) legal permissions have to apply.¹ In particular, legal permissions can apply if the necessity of data processing is explicitly given by law (Art. 7 lit. c–f, Art. 8 lit. b, c and e second part Data Protection Directive). Further, collection and processing of personal data are only allowed for “specified, explicit and legitimate purposes”, i.e., purpose limitation (Art. 6 para. 1 lit. b Data Protection Directive), and the processing of personal data must be “adequate, relevant and not excessive in relation to the purposes” (Art. 6 para. 1 lit. c Data Protection Directive). The latter is particularly addressed in German legislation by the principle of data avoidance (§3a BDSG). This implies that the nature, scope, and quality of the processing of personal data is additionally restricted by the purpose of processing. Generally, the outsourcing contract states whether purpose limitation applies and for what purposes the given data are to be processed (Art. 17 para. 3 Data Protection Directive and, in Germany, §11 para. 2 no. 2 BDSG). Therefore, the cloud provider and the corporate customers have to consider applicable purpose limitations when designing the contract. In particular, they have to define adequate measures that have to be implemented in the cloud to ensure that data processing complies with purpose limitation.
¹ In general according to Art. 7 lit. c–f Data Protection Directive and for special categories of personal data according to Art. 8 para. 2 lit. b–e Data Protection Directive.
Further, “the controller must implement appropriate technical and organizational [sic!] measures to protect personal data” (Art. 17 para. 1 Data Protection Directive). In particular, the “measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected” (Art. 17 para. 1 cl. 2 Data Protection Directive). Which measures apply for cloud computing and the necessary safeguards at the cloud provider are investigated in Section 3.3. Another important aspect is that transfer of personal data to third countries generally requires an adequate level of protection that is ensured by the third country (Art. 25 para. 1 Data Protection Directive and, in Germany, §4b para. 2 cl. 2 in conj. with §4b para. 3 BDSG). This implies the necessity of transfer control for personal data, in particular for recipients located in third countries.
Transfer control is investigated in more detail for data transmissions in the context of carrying out data processing in Section 3.2.3, and against the background of the necessity for location-determined data processing in Section 3.5.3.
For business data, collection and processing is generally admissible if it is not prohibited specifically. The nature, scope, and quality of data processing are usually addressed within the context of service descriptions (which are part of the outsourcing contracts) [102, part 2 recital 196 seq.]. Basically, the lawfulness of processing business data within the cloud depends on the lawfulness of outsourcing the related IT processes to the cloud and, further, is clarified by the outsourcing contract between the corporate customer and the cloud provider. The lawfulness of outsourcing an IT process might be regulated by corresponding sectoral legislation. For example, in the German financial sector, the delegation of accountability is banned (§25b para. 2 KWG) [26, part 9 recital 18] and, by German tax law, the accounting generally has to take place inland (§146 para. 2 AO) [26, part 8 recital 9]. More details on sectoral requirements can be found in Section 3.4, which investigates these requirements specifically, including the requirements for and constraints on admissible outsourcing to the cloud. If the outsourcing of the IT process is admissible (or not further regulated) then the lawfulness of data processing in the cloud is regulated by the outsourcing contract.
For outsourcing in general, the contract addresses applicable legal norms and how to deal with multiple jurisdictions [102, part 2 recital 132 seqq.] including place of jurisdiction and applicable legislation [102, part 2 recital 169 seqq.]. Further, an IT-outsourcing contract is generally a mixed-type contract with respect to the services delivered. For that reason, the nature, scale, and quality of the outsourced data processing depend on the service description in the contract [102, part 2 recital 196 seq.]. Additionally, rights of use are clarified by the outsourcing contract [26, part 13 ch. B.V.]; these are not necessarily limited to data protected by property rights that are transferred to the cloud and can also cover rights to the shared results of collaboration [26, part 13 recital 112 seq.] and rights of access to databases stored in the cloud [26, part 13 recital 116]. In conclusion, the cloud provider is obliged to process data in compliance with the outsourcing contract, which defines the nature, scale, and quality of data processing.