CONTROLLERS
2.10
Data processing in the cloud
Cloud solutions are a special case of outsourcing data processing. They come with some particular challenges.
When a public institution uses cloud solutions, this is a form of outsourced data processing. It involves transferring the data processing to an external system, which causes us to lose some control over the data, because we don't know exactly which server it is located on, who is responsible for it, and what happens to it. These are the challenges and risks of outsourcing in general, but they are amplified when outsourcing to the cloud.
Risks
There are also additional cloud-specific risks that we must respond to with cloud-specific measures, because even with this form of outsourcing the public institution remains responsible for the personal data, even though it is no longer under its full control. But let's take it one step at a time. First, we must apply the usual rules for contract data processing to check whether it is even permissible for the data processing to be outsourced. If it is permissible and we want to use cloud technologies, we must then check what specific data protection risks this entails. There are risks in a variety of areas when it comes to third-party cloud solutions.
- We often don’t know where the data processing will occur, and it’s difficult to find out.
- There are fewer opportunities for monitoring, because it can be difficult to clearly delineate data processing operations in cloud infrastructure.
- There is often very little room for negotiation with standard offerings; the terms can hardly be changed.
- It is more difficult to enforce claims under data protection law. This applies to the rights to erasure and correction, for example, and depends on the relevant applicable law and where the servers with the data are located.
- The confidentiality of the data can be compromised if third parties have access to the data from within cloud applications.
- Access by foreign authorities can sometimes be a problem. If the data is located in a foreign country, it can be accessed by the authorities there more easily than if it were located in Switzerland. This risk applies especially to US cloud service providers because they are required by the US CLOUD Act to allow US authorities access to the data regardless of whether the servers are located in the US or in a different country.
Solutions
How can we deal with these risks? The public institution remains responsible for the data, so it must first examine these risks and consider comprehensively whether they are acceptable. When considering this, the applicable laws and jurisdiction, the location of data processing and protection of secrecy are especially important.
With regard to the applicable law and place of jurisdiction, we must sometimes make a fundamental decision. Let's assume that we sign a contract under foreign law. We are still responsible for the personal data and must therefore be able to act on any breaches of contract. This could mean, for example, that we would have to file a suit under Irish or US law, and thus might not be able to fulfil our responsibility well or at all. So when we weigh the risks, there can be very compelling reasons for deciding against signing such a contract.
In the case of cloud solutions, the location of data processing is the location of the servers on which the data is stored. We must ask ourselves: where are the servers, and thus our data, located? Are they located in a country with appropriate data protection or with data protection law that is equivalent to ours here in Switzerland, or not? When weighing decisions about cloud services, providers from countries with equivalent laws would be preferable to providers in countries without any equivalent level of data protection.
Protection of secrecy has to do with protection of confidentiality. In principle, third parties should not be able to access the data of our citizens or our patients. We protect data from this by encrypting it. Secure encryption is only assured when the public institution encrypts the data itself and is the only party that possesses the key for decrypting the data and making it readable again. Data that is on its way to the cloud (data in transit) or data that is stored somewhere (data at rest) is relatively easy to encrypt in this way. Most cloud services, however, don't just offer storage, but also allow data to be processed within the cloud. That is only possible if the cloud provider has the key.
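To make the last point concrete, the following added example (not part of the original course material) encrypts a constructed patient record with a key that only the institution holds, using AES-256-GCM from Go's standard library. The cloud provider receives only the ciphertext, so a simulated provider-side operation (a search over the stored data) finds nothing; the same operation only works on the data once the institution has decrypted it with its own key. The function and record names are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// SampleRecord is a constructed piece of personal data that an institution wants to store in the cloud.
const SampleRecord = "patient=Muster, Anna; dob=1970-01-01; diagnosis=example-only"

// NewInstitutionKey generates a 256-bit key that never leaves the institution.
func NewInstitutionKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptForCloud encrypts plaintext with AES-256-GCM under the institution's key.
// The returned blob (nonce || ciphertext || tag) is all the cloud provider ever sees.
func EncryptForCloud(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtInstitution reverses EncryptForCloud; it fails with an error under any other key,
// because GCM authenticates the ciphertext before returning plaintext.
func DecryptAtInstitution(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// ProviderSearch simulates a processing step done in the cloud (substring search over stored data).
// It only yields results on plaintext, i.e. when the provider holds the key or receives decrypted data.
func ProviderSearch(stored []byte, term string) bool {
	return strings.Contains(string(stored), term)
}
```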
Risk analysis
A comprehensive risk assessment requires us to take all these points into consideration for each specific case and to decide on this basis whether or not we can outsource data processing to the cloud. We must conduct a comprehensive risk analysis for this purpose in advance. This risk analysis must include the cloud-specific risks for the individual instances of data processing and demonstrate corresponding protective measures for eliminating these risks or reducing them to an acceptable level. If that is not possible, we should avoid the cloud solution. Otherwise, the public institution will bear the residual risk, which could have financial and other implications.
The Data Protection Officer for the Canton of Basel-Stadt provides a Cloud Fact Sheet created by the Conference of Swiss Data Protection Officers on their website. There you can find further information on this topic.
License
University of Basel