Dr. Hendrik Schöttle
Attorney at Law (Rechtsanwalt), Certified Specialist in IT Law (Fachanwalt für IT-Recht)
Overview
• Introduction
• Data Protection
– Principles
– Special Requirements of Cloud Computing
• Software Licenses
• Other Issues
– Liability
History
• Federal Data Protection Act outdated
– Initially planned as protection against the state (1977) – way behind technical development
– Federal Constitutional Court has to “fill the gaps”
• Many unclear and open terms and clauses
4/46
osborneclarke.com
Roots
• European legal sources:
– Data Protection Directive
– Directive concerning the processing of personal data and the protection of
privacy in the telecommunications sector
– E-Commerce Directive
Data Protection | Introduction
• Only “personal data” is being protected
– Section 3 Federal Data Protection Act (BDSG)
(1) “Personal data” means any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject).
…
– Examples: name, address, email address, account details, etc.
– Very broad interpretation by courts/supervisory authorities (Google Street
IP address as personal data
Static IP address:
• Personal data
Dynamic IP address:
• Data that can be related to individuals
– Link to a person easily possible → personal data (example: access provider,
local administrator)
– Link not possible or only possible with difficulty → no personal data
Processing
• The processing of personal data is not allowed, unless it is explicitly permitted
• i.e. each processing of personal data requires a justification
• Processing is also defined very broadly:
– Includes e.g. storage, modification, transfer and deletion of data
Justification
• Possible justifications
– Consent of the data subject (in the future only permitted to a limited extent with regard to
employees)
→ must be given on an informed and voluntary basis → revocable at any time
– Processing covered by the purpose of a contract
(Sec. 28 Para. 1 no. 1 BDSG)
– Overriding interests (Sec. 28 Para. 1 no. 2 BDSG)
Overview
• Introduction
• Data Protection
– Principles
– Special Requirements of Cloud Computing
• Classification
• Applicability of German Data Protection Law
• Demands of the German Data Protection Supervisory Authorities
• Transfer of Data
• Software Licenses
Special Requirements of Cloud Computing
Data protection and privacy concerns primarily the relationship between the cloud user and the cloud provider
[Diagram: Customer/Employee ↔ Cloud User (customer/employment contract); Cloud User ↔ Cloud Provider (service contract/ADV, i.e. commissioned data processing agreement)]
Special Requirements of Cloud Computing
• Generally, the data protection supervisory authorities regard the user as the responsible entity
• Responsible entity is someone who:
– Collects personal data for himself, or processes or uses personal data (or has
this done by subcontractors), and
– while acting alone, or jointly with others, has control over the purposes and
Special Requirements of Cloud Computing
• Users should only take advantage of cloud services if:
– They are able to entirely perform their duties as a responsible entity, and
– They have checked and approved the requirements for data protection and
Applicability of German Data Protection Law
• According to § 1 para 5 BDSG, German data protection law applies when a non-European cloud provider collects, uses or processes data in Germany
• If an EU Member State based cloud provider collects, uses or processes data from Germany, then the law of that EU Member State applies (§ 1 para 5 BDSG)
Guidance of the Data Protection Supervisory Authorities
• In 2011, the supervisory authorities adopted a “guidance” regarding cloud computing on how to comply with data protection law
• According to §§ 34, 35 BDSG, it is the cloud user who remains obliged to
correct, delete or block data, and to provide such information to those persons concerned
• But: the user has (if at all) only a very limited administrative, operating and controlling access to the infrastructure of the cloud provider
• Data protection authorities require:
– Agreement on contractual penalty against provider
Transfer of Data
Even according to the planned amendment of German law regarding protection of employees' data the following will still apply:
• Group members are not privileged (“kein Konzernprivileg”, i.e. no group privilege)! This means:
– Each transfer between group companies is to be treated as a transfer to a
third party
– Transfer and processing by a group member is only permitted if justification is
given
Data Transfer Cloud User ↔ Cloud Provider
[Diagram: Customer/Employee (“data subject”) → Cloud User (“controller”) → Cloud Provider (“processor”)]
Data transfer between cloud user and cloud provider is either
• Transfer pursuant to Section 28 BDSG
– Possible if:
– Necessary for a contractual relationship between data subject and controller (generally not given), or
– Necessary for legitimate interests of the controller, if there is no reason to assume that the legitimate interests of the data subject in the exclusion of the processing prevail (risky solution, as the supervisory authority could evaluate the interests differently)
OR
• Commissioned data processing pursuant to Section 11 BDSG
– Possible if:
– An agreement on commissioned data processing exists which was concluded in writing, meets the other requirements of Sec. 11 BDSG and is complied with
– Company is then regarded as controller’s right
Cloud User ↔ Cloud Provider
• Important requirement of commissioned data processing:
– Data processing must in fact be commissioned by cloud user
• According to the Düsseldorf Working Group the following criteria indicate commissioned data processing:
– No decision-making power by the processor concerning the data
– The controller is processing data under its own responsibility with respect to
third parties
– Absence of an independent legal relationship by the processor to the data
Commissioned Data Processing
Cloud User ↔ Cloud Provider
• The following criteria argue against a commissioned data processing:
– Controller provides an independent right to use the data to the processor
– Controller’s lack of reasonable control over parts of the data processing
– The responsibility for the legitimacy of the data processing and the accuracy
of the data shifts to the processor
– Processing of data, which were collected only on the basis of an independent
Requirements of § 11 Para. 2, sent. 2 BDSG
• The contract shall be in writing and has to specify in detail:
– Subject and duration of the contract
– The extent, nature and purpose of the data processing
– Technical and organizational security measures
– Process for the correction, deletion and blocking of data
– Controls
Cross-Border Data Transfer
• Data processing in the cloud is not localized
• Generally, users will not know where their data is currently being processed
• Therefore: the provider must inform the users of all possible processing sites before the conclusion of the contract!
Data Transfer to EU Countries
• Within the EU/EEA
– If the data processing is physically held within the EU/EEA, it is generally not
subject to any special requirements
– Provider as a data processor is not a “third party”
– Contractual obligation required, obliging the cloud provider to use only
technical infrastructure within the EEA (also applying to possible sub-processors)
Data transfer to countries outside the EU:
• EU Commission: in general, no adequate level of data protection is given outside the EU
• Background: only a few other countries in the world have data protection standards comparable to those in the EU
• Consequence:
each transfer of personal data from an EU member state to a non-EU country requires additional measures
[Diagram: Customer/Employee → Cloud Provider → Group member]
Data Transfer to non EU Countries
• Possible measures:
– Obtaining consent of the data subject (i.e. customers)
– Safe Harbor certification (only USA) – maybe not sufficient any more in the
near future
– Binding corporate rules
– Best solution: agreement based on the EU model contracts between service
provider and group member
• The transfer of personal data to non-EU countries is generally not permitted without one of these measures!
Consequences of Data Protection Law Infringements
• Penalties
– Fines up to EUR 300,000.00 (+ skimming off excess profits)
– Possible compensation claims of those affected
– Criminal relevance in the case of intent + intended profits/damages / secrecy
of telecommunications
– Injunctive relief and claims for damages concerning employment law
– Inadmissibility of (improperly obtained) evidence
– Prohibition of specific processing of data
• Damage to reputation / bad press
– Especially in the case of customer data
– Highest risk in practice
Software Licenses
the copy decides on license requirements
• Any reproduction of software requires the consent of the copyright holder, § 69c Nr. 1 Copyright Law (Urheberrechtsgesetz - UrhG).
• Already the execution of software requires consent for its reproduction
• In the case of Cloud Computing, the question of who reproduces the software is difficult to answer
Software Licenses - transferable decision?
Who makes the copy?
“The question of who is making the reproduction has only to be regarded from a technical point of view. The reproduction as a physical definition of a work is a technical-mechanical process [...]. Therefore, manufacturer of reproductions is the one who technically takes care of this physical definition. It does not matter whether he uses technical means, even if these are provided by third parties.”
Federal Supreme Court, Judgment of 22 April 2009, I ZR 216/06 (“shift.tv”)
Software Licenses – Consequences of this Decision
If, from a legal perspective, the user makes the copy:
• Cloud Computing users need usage rights for the software.
• The Provider must have these rights himself.
• The Provider must also be legally capable to transfer these rights to its customers.
Open Source and Cloud Computing
Open Source Software under the GPL:
Under the GPL, whoever changes and distributes software must make the changes, including the source code, available to all third parties also under the GPL (“viral effect” of the GPL).
Is the use of customized open source software as part of cloud computing considered as “distribution”?
Customizing services should be free and the source code should be available to third parties. Otherwise, according to the GPL, all usage rights terminate. Any such further use will constitute copyright infringement.
Software Licenses - GPLv3
Regulation of GPLv3:
“Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying”, Number 0 (“Definitions”) Para. 7 GPLv3.
• If there is no transmission of binary code, then GPLv3 does not apply
• The interpretation is uncertain. So far, there are no court decisions.
• Google, etc. use this uncertainty in order to avoid publication of sources for software used in cloud services
Software Licenses - Best Practices
• As a supplier, be prepared that the traditional software license has become obsolete
• As a customer, get the provider to guarantee that he will give you the necessary rights to use the solution
• Agree on an indemnification for any claims from third parties with regard to license violations
Standard of Liability
“A person acts negligently if he fails to exercise reasonable care.” (§ 276 Para. 2 German Civil Code)
Liability of the Company
• From production delays: Compensation from the delay, contractual penalties
• Breach of confidentiality agreements: Damages for Breach of Contract under § 280 BGB
• If the recipient is not a contractual partner: Compensation for damages under § 823 BGB
– Data compromised = property infringement (functionality and internal order)
– Organizational negligence of the management
Recommended Course of Action
• No security policy = Breach of care
• Insufficient IT security measures = Breach of care (e.g. business-critical data in a public cloud)
• Cologne District Court 2003:
– In order for external service providers to develop an IT security policy: a written security policy is necessary for the implementation of security measures
• Clarification of legal issues in creating an IT security policy, or legal due diligence of the completed IT security policy before implementation
Duties of the old Provider
• The private contract is fulfilled
• The old provider is not obliged to help, but …
– … must only execute his contract and stop provision of services at the effective date of termination
Change of Provider and Exit
Responsibilities of third parties
• Relevant with respect to software publishers as copyright holders
• There is no obligation to transfer their licenses at the request of customers, provided there has been no exhaustion of the distribution right
Change of Provider and Exit
Conclusion
Customer has only limited possibilities to exert influence on the old provider
Change of Provider and Exit - Problems
Support Services
The old provider fulfils the contract, and does not support the transition. He is not required to support the transition to a new provider.
Change of Provider and Exit – Best Practice
Temporary maintenance of service
• Oblige the old provider to provide further services after termination of the agreement
• Agree on fixed rates for transition services from the beginning. These conditions should remain unchanged
Data Protection, Software Licenses and other Legal Issues in the Cloud
OSDC 2012, Nuremberg | 26 April 2012
Dr. Hendrik Schöttle
Attorney at Law (Rechtsanwalt) | Certified Specialist in IT Law (Fachanwalt für IT-Recht)
T +49 (0) 89 5434 8078
M [email protected] | www.osborneclarke.de