The process of reforming European data protection law has been protracted, to say the least. However, the target for a final text of the EU General Data Protection Regulation (GDPR) is now firmly set for the end of 2015, and it is expected to come into force some time in 2017.
For datacentre and cloud service operators, this means big legislative changes are probably just over a year away and the time to start work on compliance with those changes is now.
Under the current data protection regime, the law draws a sharp distinction between “controllers” and “processors”, with the controller having all the legal liability. In the datacentre and cloud context, the controller is almost always the customer.
This means datacentre and cloud operators’ direct legal obligations in respect of personal data have been rather limited outside the terms of their contracts with customers, and the adequacy or otherwise of the terms of those contracts has firmly been the customers’ problem.
All that will change when the GDPR comes into force. For the first time, data processors will have direct legal obligations in respect of the personal data they process, and data subjects will be able to claim compensation for unlawful processing of their personal data directly from the processor – that is, the datacentre or cloud service operator.
By far the most important of those direct obligations for datacentre and cloud operators is that processors will, for the first time, be directly liable both to the regulators and to data subjects for security breaches. This is a significant risk for datacentre operators previously accustomed to being liable only to their customers for security problems, and having the protection of (hopefully) robust contractual exclusions and liability caps.
If all this sounds like yet another administrative and compliance headache you could do without, you would be right, at least on one level, but it’s not all doom and gloom. There are some real silver linings in the impending GDPR cloud (no pun intended).
A peripheral benefit is that it greatly reduces the complexities in working out which laws apply to any given data. One of the problems in the current regime is that multiple countries’ laws can end up applying to the same data.
For example, if your customer is in Germany and you process personal data for them in a datacentre in the UK, the data protection laws of both the UK and Germany may have to be taken into account in your contract with the customer and in how you then handle their data.
The GDPR does away with all that, and applies a largely uniform regime throughout all the member states of the European Union (EU). In the long term, that has to be helpful.
More important, though, is the extra-territorial effect of the GDPR. The big US cloud services that have European datacentres will be in exactly the same boat as their EU-based competitors. Now that Safe Harbour has gone away, many of the US providers – even if they don’t have an EU datacentre already – will be looking at opening one.
But there’s more. The latest “official” text provides for the GDPR to apply to controllers not established in the EU, but which are offering goods or services to people in the EU or monitoring the behaviour of people in the EU.
While this provision is clearly aimed at the Facebooks and Googles of this world, and is less likely to affect datacentre and cloud operators outside the EU as drafted, a leaked document from the continuing discussions in the EU suggests the EU legislators agree in principle that the same should also apply to processors.
If that agreement makes it into the final text, any datacentre or cloud service outside the EU – including in the US – which is used by a customer (who can also be outside the EU) to offer goods and services to people in the EU, or to monitor people in the EU, will be subject to the exact same set of obligations as a datacentre based in the EU.
The GDPR does not define what constitutes “offering” goods and services to people in the EU; quite likely, simply putting up a generally accessible website could be enough.
All that, plus the demise of Safe Harbour, could well mean that European operators suddenly start to look a whole lot more competitive.
There is administrative work to be done and there are processes and procedures to put in place. But, for all that, GDPR is as much an opportunity as a burden, and European datacentre operators should embrace it.
Daniel Hedley is an associate at law firm Thomas Eggar.
This was first published in October 2015