Cloud Providers enter the Fray
The Council of Ministers meets today and tomorrow (15th and 16th June) to finalise its position on the General Data Protection Regulation (GDPR), in advance of negotiations with the Parliament and Commission.
One of the more interesting areas which the Council is finalising on is liability with regards to third parties, namely data processors. The GDPR will re-define a new shared liability environment between data controllers and data processors which will bring a large tranche of third parties into the fray, including cloud providers. This subset of data processors is becoming a more strategic wing of many companies and processes an ever increasing volume of personal data.
These cloud providers, in particular the likes of SAP, IBM, Cisco and Amazon, have lobbied heavily to ensure that this new position is not put into law, primarily as they each can see the degree of reputational risk which they will take on, and in some cases that will be exponential.
But the current legislation, twenty years old this year, is not in line with modern forms of data processing, and certainly does not take into account the complicated relationship between controllers and processors that exists now.
"One key issue is who pays if rules (are) broken", said an EU diplomat. Indeed whilst this is a key concern, at a practical level there is a question around whom the data subject takes issue with. Say, for example, a bank uses a third party cloud provider and the latter is responsible for a data breach. The subject may not have any idea of the third party, and would rightly, be of the opinion that the controller is fully responsible. Under current law that is certainly the case.
With the new proposal, the data subject may be able to take proceedings against the data processor as well. How this will work in practice remains to be seen, but undoubtedly there is a sea change at hand, which will force third parties to actively engage in data protection compliance to a level unparalleled to date.
"It is important that consumers and businesses understand who ultimately is responsible for processing their data", said Liam Benham, VP of Government and Regulatory affairs at IBM. "Now the EU's draft Data Protection Regulation risks blurring these lines of responsibility, setting the stage for lengthy and costly legal disputes, which will be perplexing for consumers and businesses alike".
The Commission itself is concerned that large cloud providers would impose unfair terms and conditions on small businesses in the absence of this joint liability.
"If an SME finds it hard to find a processor that doesn't want to comply with European contract terms, there is plenty of choice", said Rene Summer, spokesman for the Coalition of European Organisations on Data Protection.