Data protection risks in the cloud
International cloud services in particular carry plenty of legal explosive potential. A contact stored in the cloud or a Google calendar seems harmless enough at first glance. For German companies, however, using such services raises serious legal problems. Even private individuals can find it expensive if they store third-party (personal) data with an insecure service and that data ends up in unauthorized hands as a result.
Companies in particular should look very carefully at whom they entrust personal data to. Under Section 43 of the Federal Data Protection Act (BDSG), a data protection violation carries a fine of up to 300 000 euros in extreme cases. In addition, anyone can face civil injunctions and, where applicable, claims for damages if data is lost or misused through the use of an insecure service.
Cloud service usage is regularly governed by contract, and this of course also covers the liability of the respective service provider. Especially with free services, such as those offered by Apple and Google, it is usually not possible to negotiate individual contracts: either you accept the provider's general terms and conditions (GTC) or you do not use the service. A lot has happened in recent years on the subject of data protection. But especially with US cloud providers, despite an improved legal situation, a sword of Damocles still hangs over the user (see the Privacy Shield article).
So if you stumble upon phrases such as: “Therefore, we may process your personal data on a server located outside the country in which you live”, you should sit up and take notice, because data processing abroad is subject to special rules in Germany and in the European Union.
For companies, the Federal Data Protection Act (BDSG) is already the critical hurdle when deciding on a cloud service. The Act covers personal data (and data that can be linked to a person) of natural persons, unless that data is used exclusively for personal or family purposes. As is customary in the rest of the EU (with the exception of Austria), this statutory data protection in Germany does not extend to data of legal persons (e.g. companies and associations).
The BDSG protects the fundamental right to informational self-determination, i.e. everyone decides for themselves which of their personal data is accessible, when, where and to whom. Personal data may therefore only be collected if a law expressly permits it or if the person concerned has given their consent (Section 4 (1) BDSG). In addition, data collection must be limited to the minimum necessary and avoided wherever possible.
Island of privacy bliss: from a German point of view, the “green light” for an optimal data protection standard applies only in a very small part of the world.
In Germany, Section 3 para. 1 BDSG defines personal data as “individual information about the personal or factual circumstances of a specific or identifiable natural person”. In addition to names and addresses, this also includes telephone numbers, e-mail addresses and IP addresses. Under Section 3 para. 9 BDSG, information on racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sex life enjoys particular protection.
Cloud services that store data abroad complicate the data protection situation: transferring protected data to countries without an adequate level of data protection is in principle impermissible under German law.
An adequate level of data protection is assumed for the EU Member States. Transfers to other countries, however, are problematic. The European Commission may designate countries whose level of data protection is adequate. According to the Commission, this currently applies only to Andorra, Argentina, Canada (restricted), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU grants the same status to providers in the US, provided they have submitted to the rules of the EU-US Privacy Shield.
An up-to-date list of such companies can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
The next hurdle for businesses concerns the central legal issue of cloud computing: how are the integrity and confidentiality of the data that users store or process there ensured? Besides personal data, this question naturally also concerns trade secrets and research data.
Where no mandatory international standards guarantee this, only binding agreements between users and providers remain, and everything then depends on how the cloud usage contracts are drafted. The legal character of such a contract is correspondingly complex: it may be a mixture of a lease/tenancy contract and a service and/or work contract. Above all, however, it must regulate system maintenance and error correction, as well as attack prevention and incident handling. For the event that unauthorized access does occur, the details of liability should be agreed. The latter is often done through so-called Security Service Level Agreements (SSLA).
From a legal point of view, cloud contracts raise questions about warranty and compensation claims, among other things. The handling and protection of copyright should also be covered by a usage contract. And anyone considering outsourcing financial accounting to a cloud service should keep an eye on tax regulations.
Critical tax administration laws
Under Section 146 para. 2 sentence 1 of the Tax Code (AO), tax-relevant data must in principle be kept and stored only in Germany. If e-mail traffic is also tax-relevant (for example, contract negotiations), it normally may not be handled through services such as Gmail.
Pursuant to Section 146 para. 2a AO, a taxable person may apply for authorisation to keep their documents in the European Union or, where an administrative assistance agreement exists, in the European Economic Area (EEA). Storage outside this area is permitted only to avoid unreasonable hardship, and only on condition that taxation is not impeded and the tax authorities have unhindered access to the data.
There are also special restrictions for merchants: their accounting records and commercial letters, for example, must be kept domestically.
Tax-relevant data need not be personal data, and thus need not fall under the BDSG. However, the sheer difficulty of plausibly demonstrating an impending unreasonable hardship argues against using iCloud and Google services for this data.
What to do?
Since the legal problem of cross-border data outsourcing is still relatively young, it is not surprising that there is little case law on it yet. In particular, it is unclear which provisions in cloud providers' terms and conditions are definitely invalid and which are not. Only in contract negotiations with individually agreed provisions can the risk actually be distributed among all parties involved in a way that reflects their interests. With large cloud providers such as Google or Apple, an individual contractual agreement is often not possible. Moreover, a brief look at the essential provisions of their privacy policies reveals that the service provider has no interest in easing its users' position with regard to their data protection liability towards third parties.
On the contrary, users are left on their own and, in case of doubt, bear the sole risk towards those who entrusted them with data worthy of protection. In most cases, the terms offered are based only on the legal minimum.
Private matters as a risk…
Household messages, birthday calendars, appointments: all of this can be managed via cloud services without data protection law getting in the way. But beware: even purely private data processing can pose a civil liability risk. If, for example, a job application falls through because data entrusted to a third party has surfaced without permission and to the applicant's detriment, the data subject may hold whoever is responsible for the data leak liable for the resulting damage.
The matter becomes even more complicated when users mix professional matters into their private cloud use: a liability conflict then arises between them and their employer, who must answer for any resulting data breach.
Those who want to minimise legal risks rely on companies operating only nationally or within the EU. If problems arise with such a cloud provider, it is at least guaranteed that they can be taken to court here. It also makes it easier to access the data stored with the provider.