GDPR - How does it apply to the cloud?
The cloud. It’s all the rage with technology companies nowadays, and for good reason.
‘Cloud computing’ refers to the provision of information technology services over the Internet.
These services may be provided by a company for its users in a ‘private cloud’ or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage.
All these types of cloud service commonly have the following features:
- The service’s infrastructure is shared amongst the supplier’s customers and can be located in a number of countries.
- Customer data is transferred around the infrastructure according to capacity.
- The supplier determines the location, security measures and service standards applicable to the processing.
Cloud service providers must consider whether either of these GDPR tests apply to them:
- Does the data processing relate to the activities of an EU establishment of the data controller using their services; or
- Does the data processing relate to offering goods or services to individuals in the EU, or to monitoring their behaviour, even when the data controller or processor is not established in the EU.
If either of them do, they MUST bring part or all of their processing operations under the remit of European data protection law. Even where these processing operations are not directly subject to the GDPR, if their customers are subject to the Regulation, those cloud customers (the data controllers) will be obliged to impose strict data processing contracts on the cloud service provider which contain many of the same controls on how personal data may be used.
Moreover, the GDPR imposes certain conditions on the transfer of personal data outside the European Economic Area (EEA). Cloud computing will almost certainly involve international data transfers. The customer, as a controller, is responsible for compliance with the Regulation regarding transfers of its personal data. That means imposing extra controls to ensure “adequacy” of data protection.
Basically, just because personal data in the cloud, it doesn’t mean it can escape the reach of the law.