Although 25 May 2018 still lies ahead, it is already necessary to prepare for a big event on that very date: from that day on, the EU General Data Protection Regulation (“GDPR”) will apply. In the meantime, the GDPR has become a buzzword, but its consequences for businesses remain somewhat unclear.
Since the GDPR affects cloud computing and our users, we forwarded the most important questions from a cloud user's point of view to Mr. Suchomski, attorney at law for IT law and data protection (http://www.suchomski.eu/), and received the following responses:
Stackfield: Hello Mr. Suchomski! Could you please introduce yourself?
Bernd Suchomski: Sure. My name is Bernd Suchomski and I am a corporate legal counsel, attorney at law and certified data protection officer. I have been advising on IT law and data protection for several years and publishing in legal magazines and books. The focus of my work is on open source software and data protection in the financial services sector. I studied law at the University of Augsburg and the University of North Carolina at Chapel Hill, USA. I received the graduate award of the German Foundation for Law and Computer Science (DSRI).
Stackfield: From the perspective of a user of cloud platforms, which are the most significant differences between the German Federal Data Protection Act (“BDSG”) and the GDPR?
Bernd Suchomski: I would put the differences into three categories:
First, what every IT lawyer and data protection officer will tell you: the fines. Second: the general requirements for the processing of personal data. And third: the new legal instruments for processing personal data.
The GDPR increases the cap for fines significantly, i.e. up to EUR 20 million or 4% of the annual turnover of a company, whichever is higher. A Berlin colleague said that data protection is the new antitrust law. As far as the cap for fines is concerned, there is certainly something to it. The result for data processing companies is: There is more at stake.
The GDPR sets the general requirements for data processing in a more abstract way, essentially in Articles 5 and 6 of the GDPR. However, these requirements also apply to business areas which were previously regulated in more detail in German data protection law, e.g. for credit bureaus or scoring providers. We have to monitor closely how the authorities and courts apply these requirements in the future.
Finally, there are also some new instruments of data protection, e.g. increased documentation and checking requirements (new catchword: “Privacy Impact Assessment” [1]), other rights of data subjects (keyword: right to data portability [2]), and joint responsibility of different entities in data processing, the so-called Joint Controllership [3]. The GDPR also brings new certification measures for data protection compliance.
Stackfield: What additional rights will individuals have due to the new regulations?
Bernd Suchomski: New and important is the right to “data portability” in Article 20 GDPR. The data subject, i.e. the individual affected by someone else processing his or her data, has the right to receive his or her data in a standard, machine-readable file format from the data processing entity in order to transfer it to another entity.
This right is likely to have some economic impact, as it should allow for an easier transition between providers of data-processing tools and services. The providers face two challenges: first, creating interesting services to keep customers, and second, developing interfaces for importing all popular data formats to onboard customers who bring their data from the old provider.
Furthermore, there are, of course, the rights to information, deletion and correction of data and to the blocking of data processing, which already exist under the current German data protection law.
Stackfield: Do new responsibilities also apply to the data controller who processes the data?
Bernd Suchomski: Data processing entities will most likely experience challenges in the field of internal legal checks and the documentation of their data processing processes. Such entities must in particular carry out and document the above-mentioned Privacy Impact Assessment. This includes assessing certain legal risks and detriments of data processing for the data subjects, e.g. employees or consumers, and weighing these against the legitimate interests of the data processing entity. The processing entity has to change its processes where the purpose of the data processing could fail the civil rights of the data subject. The processing entity should conduct any data processing only by means of software solutions and processes that sufficiently take into account the data subjects' interest in privacy, e.g. through privacy-oriented design and default settings of such software. In this respect, access and authorization concepts deserve high attention, as do privacy by default and privacy by design of the software according to Article 25 GDPR.
Stackfield: Let's assume that I am already using a cloud tool for my company - what do I have to take care of so I can continue to use it?
Bernd Suchomski: I say, look well before you leap.
In principle, the introduction of the GDPR, especially with the new fines, provides an incentive for data processing entities to validate their data protection concepts. If you already meet the standards of the German BDSG, it should be easier to adapt to the GDPR. In this case, the main issues are still the Privacy Impact Assessments and, depending on their results, follow-up measures to close the gaps indicated by such Assessments.
Anyone who needs to catch up with data protection but does not know how and where to start could begin with a gap analysis, i.e. the technical and legal examination of the extent to which the actual state of the company differs from the target state of GDPR compliance. The starting point for such an analysis should be the registers of all data processing processes, already required today by § 4e BDSG. These processes should first be prioritized and then analyzed according to their importance (for the company and the stakeholders).
Stackfield: How should I respond if my tool does not meet the data protection requirements?
Bernd Suchomski: I would recommend two things to clients who already recognize that their software does not meet the requirements of the GDPR:
First, if there is still enough time, analyze the process behind the software in-house from a data protection perspective. It is possible that the process, or parts of it, is no longer needed or no longer needed in its current form.
Second, the software should be set to “phase-out”, i.e. the procurement department should look for new software that meets GDPR standards as a replacement. I recommend including GDPR compliance as a requirement in the RfP [4]. One advantage of this is that it also attracts best-practice consulting by providers on how to minimize or even circumvent the effects of the GDPR on the company, e.g. through strong encryption concepts and anonymization of data. In this case you may be able to make up for the first step or even refine it.
Stackfield: Is the use of providers outside the EU now prohibited under the new GDPR?
Bernd Suchomski: In principle, one can still onboard IT service providers from non-EU countries for the processing of personal data pursuant to Articles 44 et seq. GDPR. However, there are higher requirements to be met if the provider is processing or accessing the data outside the EEC and outside safe third countries, e.g. New Zealand. In this case, further contracts are to be concluded with the service provider, e.g. EC Model Clauses or Binding Corporate Rules. This results in a higher administrative burden.
Stackfield: What legal consequences can the non-compliance with the new privacy law have for a user?
Bernd Suchomski: That depends on which GDPR provisions would be violated, and how they were violated. Consequences of a violation may include in particular information requests, cease-and-desist orders and fines by data protection authorities, as well as claims for damages by data subjects who were affected by a violation.
In principle, fines are to be imposed by the authorities in proportion to the privacy impact of a violation. Thus, the authorities do not have to reach the cap for fines of EUR 20 mn. for minor infringements. However, the cap for fines is significantly higher than under the German Federal Data Protection Act (“BDSG”), which is EUR 300,000. The privacy impact would take into account, e.g., the duration of the violation and the sensitivity of the data concerned. In the end, we have to wait and see how fines are imposed throughout the EU in future.
Stackfield: Can you terminate a cloud service contract for cause before the end of the agreed term if the data protection requirements are not met by that service?
Bernd Suchomski: Here, the contract with the cloud provider is decisive, in particular its governing law. If the contract is a long-term contract, sometimes referred to as “cloud rental” or “subscription”, and if the contract is governed by German law, termination for cause may be considered if the continuation or modification of the contract is unacceptable to the user. Whether the continuation or change is unacceptable may depend on the results of the earlier-mentioned gap analysis or the privacy impact assessment, which can serve as an argument towards the provider. The argument could be used initially in negotiations with the provider and, if necessary, as the legal assessment in a trial brief in a lawsuit.
Stackfield: What should I look for when I'm looking for new cloud software and want to work with it in the future in compliance with the legal data protection requirements?
Bernd Suchomski: I pay close attention to a detailed and transparent process description of the tool in the contract or its statement of work (SOW). The complexity of data protection law often leads to linguistic ambiguity in process descriptions.
Good providers can convince by viewing and fulfilling the data protection requirements through their customers' eyes. Today it should be simply normal to offer the customer the legally required additional agreements on commissioned data processing. Tomorrow, a service provider could lead the market by preemptively fulfilling the customer's data protection requirements, e.g. through information on privacy-by-design and privacy-by-default, maybe together with a data protection compliance certificate pursuant to the GDPR. Data protection compliance is becoming an EU-wide purchasing criterion for software, and thus also a quality gate, which makes it a quality standard for software providers.
[1] Article 35 GDPR - Data Protection Impact Assessment
[2] Article 20 GDPR - Right to data portability
[3] Article 26 GDPR - Joint controllers
[4] RfP = Request for Proposal