Legal Aspects of Cloud Computing
From a legal point of view, cloud computing is, at least in some areas, still a sensitive subject. In particular, because the services cross borders, there is uncertainty about the applicable law. There is also a need for clarification with respect to copyright, license conditions, and especially data protection. The data protection problem is described in more detail below.
In terms of data protection, cloud-based services are problematic precisely because personal data is frequently affected, and several data protection provisions must therefore be considered.
Assuming that German data protection law applies, the following aspects in particular must be considered:
The relevant provisions can be found in the Federal Data Protection Law (Bundesdatenschutzgesetz). According to this law, the processing of personal data is only allowed if it constitutes so-called ‘order data processing’. The user still ‘owns’ the data and thus remains responsible for data protection, even though the data is operationally outsourced. The user is required by law to select the order data processor carefully. This applies particularly insofar as the order data processor has to take technical and organizational measures to ensure that sensitive personal data cannot get into the hands of unauthorized persons. Furthermore, the client has to check and ensure compliance with these rules time and again. This in particular could prove problematic for most businesses, because it is often not possible to trace which server the data is currently on.
In this context, questions arise in particular about the international nature of the data processing. Personal data may only exceptionally find its way to another European country. For this purpose, the protection level at the destination must match the German protection level. This can, for example, be achieved by the EU Standard Contractual Clauses or, for the USA, by the "Safe Harbour" registrations. Nevertheless, most states do not succeed in achieving this protection level. In order to store data within other European countries, which is quite common, the data can be encrypted, whereby it loses its personal character. It can then be stored in the cloud, although processing it requires decryption.
A further fundamental question is which data protection law is applicable at all if a business is based in another country. If data in Germany is processed or used by a business that has its seat in another member state of the European Union, German law is, according to § 1 Abs. 5 S. 1 of the German Data Protection Law (Bundesdatenschutzgesetz), not applicable. For non-European businesses, for example businesses from the USA, the principle of territoriality applies. This means that German law is applicable if data is processed in Germany.
According to a current report from Brussels, the EU Commission is striving for a "holistic cloud-computing strategy in the EU" with a "Made in Europe" seal, in order to develop European standards for data protection and IT security within the cloud and to newly define the "standard contractual clauses" for the processing of personal data.
It should be noted that cloud computing will play an ever-growing role in IT businesses. There are no fundamental obstacles to cloud computing. Just as could be observed in the past for other IT services, certain standards and approaches will develop for cloud computing in order to comply with data protection law.