
3.5 Special requirements

3.5.3 Necessity for location-determined data processing

In global clouds (cf. Remark 2.5), hardware resources are located in multiple countries, and therefore data transmissions within the cloud possibly constitute cross-border transmissions (see also Section 3.2.3). Cross-border transmissions can have a severe impact on whether data processing is legally compliant. For example, data processing within certain countries may require additional security precautions and/or specific prerequisites, e.g., if processing personal data in third countries not having an adequate level of protection (cf. Section 3.2.3), and can even be inadmissible, e.g., if processing German tax data abroad without permission of the competent revenue authority (cf. Section 3.4.2). There exist multiple legal norms in Europe and Germany addressing requirements for admissible locations for data transfer, data processing and outsourcing. This section investigates specifically location-related requirements in legislation and their technical implications for cloud computing, using the example of European and particularly German data protection law as well as the example of German tax law.

3.5.3.1 Location constraints in European and German data protection law

In European data protection law, data transfer to third countries generally requires an adequate level of protection to be ensured at the recipient’s location (Art. 25 para. 1 Data Protection Directive). Whether or not the ensured level of protection is adequate “shall be assessed in the light of all the circumstances surrounding a data transfer operation” including “the nature of the data, the purpose and duration of the proposed processing operation [...], the country of origin and country of final destination, the rules of law [...] in force [...] and the professional rules and security measures which are complied with in that country” (Art. 25 para. 2 Data Protection Directive). If “a third country does not ensure an adequate level of protection”, “measures necessary to prevent any transfer of data of the same type to the third country in question” shall be taken (Art. 25 para. 4 Data Protection Directive). Further, there exist derogations under which the transfer of data to third countries not ensuring an adequate level of protection is admissible (Art. 26 Data Protection Directive), including the data subject’s consent (para. 1 lit. a ibid.), necessity for a contractual relationship with the data subject (para. 1 lit. b, c ibid.) or for protecting their vital interests (para. 1 lit. e ibid.), necessity and legal obligation in the context of important public interest and legal claims (para. 1 lit. d ibid.), and explicit authorisation by the member state if “the controller adduces adequate safeguards” (para. 2 ibid.).

In Germany, Art. 25 and 26 of the Data Protection Directive are implemented by §§4b and 4c BDSG, respectively. The necessity for an adequate level of protection is implied by the requirement to protect the data subject’s legitimate interest in objecting to data processing in countries that do not have an adequate level of protection (§4b para. 2 cl. 2). Derogations in terms of Art. 26 Data Protection Directive are implemented identically by §4c BDSG. In particular, §4c para. 2 cl. 1 specifies that explicit authorisation can be given by a competent supervisory authority provided that adequate safeguards are ensured.

Consequently, it is of particular importance for the admissibility of data transfer under European and German legislation whether an adequate level of protection is ensured at the recipient’s location or adequate safeguards are ensured by the recipient. Here, the question arises as to which countries have an adequate level of protection and what constitutes adequate safeguards if not.

The EU commission has approved adequate levels of protection for “Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US Department of Commerce’s Safe Harbour Privacy Principles” [65].1 For all other countries, additional precautions are necessary to ensure the implementation of adequate safeguards. The European commission provides two sets of standard contractual clauses that are recommended to be included in the contract between sender and recipient (Decision 2001/497/EC and Decision 2004/915/EC). The first set of standard contract clauses “for the transfer of personal data to third countries which do not ensure an adequate level of protection” in the annex of Decision 2001/497/EC particularly covers obligations of the data importer, i.e., recipient (Clause 5 ibid.), including:

• to ensure that there is no reason to believe that legislation applicable to the data importer prevents the fulfilment of the contract (Clause 5 lit. a ibid.);

• “to process the personal data in accordance with the mandatory data protection principles” (Clause 5 lit. b ibid.);2

• “to deal promptly and properly with all reasonable inquiries from the data exporter or the data subject [...] and cooperate with the competent supervisory authority” (Clause 5 lit. c ibid.); and

• “to submit its data processing facilities for audit” (Clause 5 lit. d ibid.).

1 It is of particular interest that there are doubts on the effectiveness of the Safe Harbour Privacy Principles in practice [102, part 4 recital 238] and that the use of standard contractual clauses has been suspended in Germany [102, part 4 recital 242]. Even if agreements on ensuring adequate safeguards exist, the transmission may be prohibited by competent supervisory authorities [102, part 4 recital 241].

2 There are two options on mandatory data protection principles: that of appendix 2 and that of appendix 3 of Decision 2001/497/EC. Both are investigated subsequently to the standard contract clauses (along with those of Annex A Decision 2004/915/EC).

The governing law is the law of the member state in which the data exporter is established (Clause 10 ibid.). The second set of standard contract clauses “for the transfer of personal data from the Community to third countries (controller to controller transfer)” provided in the annex of Decision 2004/915/EC specifies additional obligations of the data importer (II. ibid.) including:

• “appropriate technical and organisational measures to protect the personal data [...], and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected” (II. lit. a ibid.), including that the access to the personal data “respect[s] and maintain[s] the confidentiality and security of the personal data” (II. lit. b ibid.);

• personal data will be processed for specified purposes (II. lit. d ibid.);

• personal data is not provided “to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer” and adequate protection is provided by the third country, the third party data controller signs an approved data transfer agreement, data subjects have the opportunity to object, and, if applicable, data subjects have given unambiguous consent for onward transfers of sensitive data (II. lit. i ibid.).

Again, the governing law is the law of the member state in which the data exporter is established (IV. ibid.) with optional exceptions (II. lit. h ibid.). Along with the standard contract clauses, mandatory data protection principles apply covering (i) purpose limitation, (ii) rights of access, rectification, erasure and blocking of data, and (iii) restrictions on onward transfers.1 Additionally, appendix 3 Decision 2001/497/EC and annex A Decision 2004/915/EC address (1) data quality and proportionality, (2) transparency,2 (3) security and confidentiality, (4) special categories of data/sensitive data, (5) direct marketing/data used for marketing purposes, and (6) automated decisions. In summary, the mandatory data protection principles cover basically all data protection principles of European data protection law, which is the purpose of the standard contract clauses.

1 These requirements are covered by all versions of mandatory data protection principles, i.e., those of appendix 2 and appendix 3 Decision 2001/497/EC and of annex A Decision 2004/915/EC.

2 Transparency is particularly regulated by the upcoming GDPR, where “transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects’ rights” become necessary (Art. 11 para. 1 ibid.) and which requires the differentiation of involved parties’ obligations as well as the protection of the legitimate interests of cloud providers [104, ch. 3.c].

In conclusion, the corporate customer and the cloud provider have to be aware of data transfers to third countries, which are regularly implied by cross-border transmission to recipients established outside of the EU/EEA. In such a case, the country at the recipient’s location has to ensure an adequate level of protection or the recipient has to provide adequate safeguards.1 In the context of data transmission within the cloud, this implies the necessity of transmission control based on the location of subcontracted cloud and hardware providers as well as on the origin of corporate customers (due to their being controllers when outsourcing data processing to the cloud). Moreover, adequate safeguards particularly include restrictions on onward transfers, which generally are implemented by technical and organisational measures on transmission control. Therefore, transmission control that ensures location-determined data processing is paramount for the processing of personal data in global clouds.

3.5.3.2 Location constraints in German tax law

In Germany, account books (according to §238 HGB) generally have to be kept and stored within Germany (§146 para. 2 cl. 1 AO). As an exception, the keeping and storage of electronic accounts outside of Germany may be authorised by the competent revenue authority2 upon written application (§146 para. 2a cl. 1 AO), subject to explicit permission and the following preconditions (§146 para. 2a cl. 2 AO):

• the location of the data-processing system, as well as name and address of the recipient(s) (i.e., cloud provider plus involved subcontractors) is known;

• the taxpayer (i.e., corporate customer) complies with her or his duties according to §§90, 93, 97, 140–147, and 200 para. 1 and 2 AO;

• access to data for the purpose of external audits/inspections by the competent revenue authority is granted; and

• taxation is not impeded.

Moreover, the retransfer of the data to German territory must be possible at any time (§146 para. 2a cl. 3 AO), as well as access, including that data “can be rendered readable without undue delay and can be processed automatically” (§147 para. 2 cl. 1 no. 2 AO).

This implies that the cloud provider has to be able to inform the corporate customer of all possible locations of data processing and all involved recipients before tax data is outsourced to the cloud. Further, the cloud provider has to ensure that during the outsourcing tax data is processed only at communicated locations and by communicated recipients. Communicated locations and recipients do not necessarily cover all possible locations and recipients, which then implies the necessity of implementing transmission controls by location and recipient within the cloud. This is particularly the case if the cloud provider subcontracts cloud/hardware providers after establishing the outsourcing. Additionally, the cloud provider has to ensure the availability of tax data for the purposes of external inspections and retransfer to German territory. In particular, access has to be granted without undue delay. Consequently, high availability constraints apply when processing tax data within the cloud. This further limits the possible recipients for transferring tax data to, since cloud/hardware providers do not necessarily provide the same level of availability due to location and hardware inhomogeneity (cf. Def. 2.2 and Remark 2.7, respectively). Moreover, applicable requirements on legitimate recipients regularly vary with the corporate customer, since approval is given on an individual basis. Consequently, it is necessary for the cloud provider to decide carefully (in advance and during processing) and for every single corporate customer which cloud and hardware providers are involved in the processing of outsourced tax data.

1 Exceptions may apply, for instance, to the data subject’s consent, but are not necessarily applicable for all data transmissions of a single corporate customer. Therefore, case-by-case specifications by the corporate customer and case-by-case decisions by the cloud provider would be necessary for every data transmission, which is not regularly practical for automated data processing. Instead, a basis for decision-making is required which is universally valid. Such a basis can be the presence of an adequate level of protection or adequate safeguards

3.5.3.3 Conclusions on location constraints on cloud computing

Regulations on admissible locations for data processing are addressed by multiple European and German legal norms. Besides data protection law and tax law – which both exemplify requirements on location-determined data processing – there also exist other examples. For instance, there exist export controls on military-related technology, which regulate admissible recipients and recipients’ countries (cf. Section 3.4.3). But also outside of the European Union there exist regulations on admissible locations for data processing. The NIST identifies the issue of “data location” and takes the National Archives and Records Administration (NARA) regulations on storing federal documents in the United States of America (USA) as an example. Consequently, the recipients of data transmissions and their location are highly relevant for the admissibility of data transmissions. It is necessary to implement transmission control.

In the context of cloud computing, the recipients of data transmissions are regularly subcontracted cloud and hardware providers, since they operate the IT systems where the data are processed. Generally, cloud providers have to be aware of data transmissions’ recipients, target locations and whether data transmissions are cross-border. However, it is usually within the knowledge of the corporate customer whether restrictions on data transmission apply or not. Consequently, it is necessary for the corporate customer to communicate applicable restrictions to the cloud provider. Further, the cloud provider has to be able to consider these restrictions when assigning cloud resources for processing data and transmitting data within the cloud, particularly when involving subcontracted cloud and hardware providers. This includes the selection of subcontractors by adequate level of protection and ensured safeguards.

In conclusion, when implementing transmission control in the cloud, the cloud provider has to consider (1) the legal framework conditions (including an adequate level of protection) at the recipient’s location, (2) the safeguards ensured by the recipient (including implemented security measures), (3) the nature of the data transmitted, and (4) the origin of the data and the corporate customer.
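The four criteria above can be expressed as a policy check. The following Python is an added example, not code from the thesis: a toy transmission-control decision that evaluates a subcontracted recipient against the adequacy list quoted in Section 3.5.3.1, standard contractual clauses as adequate safeguards, and the per-customer authorisation for tax data from Section 3.5.3.2. Country codes, recipient names and the partial EEA list are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed adequacy list (the countries named in the text) and a partial,
# constructed subset of EU/EEA member states; ISO 3166-1 alpha-2 codes.
ADEQUATE_COUNTRIES = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JE", "NZ", "CH", "UY"}
EEA = {"DE", "FR", "NL", "IE", "NO"}

@dataclass(frozen=True)
class Recipient:
    name: str
    country: str                    # location of the data-processing system
    standard_clauses: bool = False  # signed Decision 2001/497/EC or 2004/915/EC clauses
    safe_harbour: bool = False      # US recipient certified under Safe Harbour

@dataclass
class Customer:
    name: str
    # recipients the competent revenue authority has authorised for this
    # customer under §146 para. 2a AO (approval is given per customer)
    tax_authorised: set = field(default_factory=set)

def personal_data_rule(customer, r):
    """Art. 25/26 Data Protection Directive, §§4b/4c BDSG."""
    if r.country in EEA:
        return True, "recipient inside the EU/EEA"
    if r.country in ADEQUATE_COUNTRIES:
        return True, "third country with adequate level of protection"
    if r.country == "US" and r.safe_harbour:
        return True, "US recipient under Safe Harbour Privacy Principles"
    if r.standard_clauses:
        return True, "adequate safeguards via standard contractual clauses"
    return False, "third country without adequacy or safeguards"

def tax_data_rule(customer, r):
    """§146 para. 2 and 2a AO: keep in Germany unless explicitly authorised."""
    if r.country == "DE":
        return True, "processing within Germany"
    if r.name in customer.tax_authorised:
        return True, "recipient authorised by the competent revenue authority"
    return False, "tax data outside Germany without authorisation"

RULES = {"personal": personal_data_rule, "tax": tax_data_rule}

def check_transmission(categories, customer, recipient):
    """Data may carry several categories; every applicable rule must pass."""
    verdicts = [RULES[c](customer, recipient) for c in sorted(categories)]
    return all(ok for ok, _ in verdicts), [why for _, why in verdicts]
```

Because the decision is all-or-nothing across categories, a data set that is both personal and tax data may be admissible under data protection law (e.g. a Safe Harbour recipient) and still be blocked by the tax-law rule, which is exactly the per-customer constraint Section 3.5.3.2 describes.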