Re-thinking the allocation of roles under the GDPR in the context of cloud computing

Fischer, Cyril

doi:10.1093/idpl/ipad023

Request a copy

Article (Scientific journals)

Re-thinking the allocation of roles under the GDPR in the context of cloud computing

Fischer, Cyril

2024 • In International Data Privacy Law

Peer Reviewed verified by ORBi

Permalink
https://hdl.handle.net/2268/309580

DOI
10.1093/idpl/ipad023

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Fischer C_Re-thinking the allocation of roles_author file.pdf

Embargo Until 09/Nov/2024 - Author preprint (346.75 kB)

Request a copy

All documents in ORBi are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Law; Cloud; GDPR; Data; Consent; Controller; Data protection

Abstract :

[en] • Cloud computing is a well-established and flourishing phenomenon, whose key activity on personal data is the storage thereof. This study analyses the allocation of the controller–processor roles under the General Data Protection Regulation (GDPR) to the cloud computing actors in the context of the storage of personal data. It examines the current controller–processor model and suggests a joint controllership interpretation to the EU regulators, as a more appropriate allocation of roles in the context of cloud computing. • We argue that the prevailing controller–processor interpretation stems from the current primacy of the purpose criterion, as well as the recognition of consent as a criterion to allocate controllership. This article suggests that cloud providers control some of the essential means of the storage of personal data, thereby shifting part of the control from cloud customers to cloud providers. • If the joint controllership approach was to be followed by the EU regulators, this article argues that it would better reflect the economic and technical reality, and provide a more appropriate responsibility and liability framework for cloud providers and customers, which in turn would enhance the level of protection that data subjects should benefit from under the GDPR.

Research center :

LCII - Liège Competition and Innovation Institute - ULiège

Disciplines :

European & international law

Author, co-author :

Fischer, Cyril ; Université de Liège - ULiège > Département de droit > Droit romain et droit privé comparé

Language :

English

Title :

Re-thinking the allocation of roles under the GDPR in the context of cloud computing

Publication date :

2024

Journal title :

International Data Privacy Law

ISSN :

2044-3994

eISSN :

2044-4001

Publisher :

Oxford University Press (OUP)

Peer reviewed :

Peer Reviewed verified by ORBi

Additional URL :

https://academic.oup.com/idpl/advance-article-pdf/doi/10.1093/idpl/ipad023/53063709/ipad023.pdf

Available on ORBi :

since 07 December 2023

Statistics

Number of views

30 (3 by ULiège)

Number of downloads

2 (2 by ULiège)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Commission, 'Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Region: A European strategy for data' (Communication) COM(2020) 66 final.
Joris van Hoboken and others, 'Hosting Intermediary Services and Illegal Content Online: An Analysis of the Scope of Article 14 ECD in Light of Developments in the Online Service Landscape' (European Commission, 2019) 10 accessed 2 December 2022.
Commission, 'Commission Staff Working Document: Impact Assessment Report Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)' SWD(2022) 34 final.
Sandeep Bhowmik, Cloud Computing (India, CUP 2017) 2.
See also Peter Mell and Tim Grance, 'The NIST Definition of Cloud Computing' (Special Publication 800-145, National Institute of Standards and Technology, US Department of Commerce 2011) accessed 19 October 2022 where the National Institute of Standards and Technology (NIST) proposed a definition that is still widely accepted and recognised today: 'Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of five essential characteristics, three service models, and four deployment models.'
See also the definition enshrined in art 4(19) of the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016], OJ L194/1 (NIS Directive): 'cloud computing service means a digital service that enables access to a scalable and elastic pool of shareable computing resources'. Recital 17 of the NIS Directive further explains the definition of art 4(19). Finally, in Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 [2022], OJ L333/80 (NIS 2 Directive), we can find a slightly different definition, focusing on the on-demand and distributed features of cloud computing. Thus, art 6(30) of the NIS 2 Directive defines a cloud computing service as 'a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations'.
Dan C Marinescu, Cloud Computing: Theory and Practice (United States, 3rd edn, Morgan Kaufmann 2022) 2.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016], OJ L119/1.
'EDPB' stands for European Data Protection Board. 9 'EDPS' stands for European Data Protection Supervisor. 10 Bhowmik (n 4) 6.
Marinescu (n 5) 34.
'ERP' stands for Enterprise Resource Planning.
'CRM' stands for Customer Relationship Management.
Bhowmik (n 4) 80; Marinescu (n 5) 15.
Marinescu (n 5) 34.
Mell and Grance (n 4) 3; Fang Liu and others, 'NIST Cloud Computing Reference Architecture' (Special Publication 500-292, National Institute of Standards and Technology, US Department of Commerce 2011) 10-12 accessed 7 December 2022.
Flexera, 'State of the Cloud Report 2020' (2020) accessed 7 December 2022.
Marinescu (n 5) 265. See also Ronald Leenes, 'Who Controls the Cloud?' (2010) 11 IDP: revista de internet, derecho y política 1, 3.
European Data Protection Board, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR' (7 July 2021, Version 2.1) para 81.
For a detailed description of the concepts of controller and processor, please see European Data Protection Board, 'Guidelines 07/2020' (n 22).
The GDPR adopts a functional definition of controllers and processors. See European Data Protection Board, 'Guidelines 07/2020' (n 22) para 12.
In its guidelines, the EDPB clarifies that the test must be performed at the level of each processing activity. See European Data Protection Board, 'Guidelines 07/2020' (n 22) para 26.
European Data Protection Board, 'Guidelines 07/2020' (n 22) 15-16.
Case C-210/16 Wirtschaftsakademie Schleswig-Holstein [2018] ECLI:EU:C:2018:388, para 43. This has been confirmed in Case C-25/17 Jehovan todistajat [2018] ECLI:EU:C:2018:551, para 66 and Case C-40/17 Fashion ID [2019] ECLI:EU:C:2019:629, para 70. See also European Data Protection Board, 'Guidelines 07/2020' (n 22) paras 58 and 63.
Case C-131/12 Google Spain and Google [2014] ECLI:EU:C:2014:317, para 28.
Michèle Finck, 'Cobwebs of Control: the Two Imaginations of the Data Controller in EU Law' (2021) 11 International Data Privacy Law 333, 335.
Google Spain (n 32) para 34.
Wirtschaftsakademie (n 31) para 38. This has been confirmed in Jehovan (n 31) para 69 and in Fashion ID (n 31) para 69.
Article 29 Working Party, 'Opinion 05/2012 on Cloud Computing' (WP 196, 1 July 2012) 7-8.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 30.
In that regard, the CJEU of Justice has explicitly rejected the (absence of) knowledge about the type of data (personal or not) as a criterion in the Google Spain case.
See Google Spain (n 32) para 28. See also in that respect Brendan Van Alsenoy, Data Protection Law in the EU: Roles, Responsibilities and Liability (Intersentia 2019) para 1206.
European Data Protection Board, '2022 Coordinated Enforcement Action: Use of cloud-based services by the public sector' (17 January 2023) footnotes 21 and 30.
Dimitra Kamarinou, Christopher Millard and Felicity Turton, 'Responsibilities of Controllers and Processors of Personal Data in Clouds' in Christopher Millard (ed), Cloud Computing Law (United Kingdom, 2nd edn, OUP 2021) 300;
W Kuan Hon, Christopher Millard and Jatinder Singh, 'Control, Security, and Risk in the Cloud' in Christopher Millard (ed.), Cloud Computing Law (United Kingdom, 2nd edn, OUP 2021) 31-33.
Kamarinou, Millard and Turton (n 42) 300.
Van Alsenoy (n 40) 479.
See also Finck (n 33) 335 and 346.
Van Alsenoy (n 40) para 694; Finck (n 33) 334.
Van Alsenoy (n 40) para 695.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 110.
Thierry Léonard and Anthony Mention, 'Transferts transfrontaliers de données: quelques considérations théorique et pratiques', in Benjamin Docquir and Andrée Puttemans (eds), Actualités du droit de la vie privée (Bruylant 2008) 105. See also (n 43) and (n 44) for scholars considering that cloud customers qualify as controllers because they select the cloud provider and/or service. In our view, these scholars indirectly allude to the legal concept of 'consent' without naming it, overlooking thereby the requirements of a legally valid consent. In this respect, we refer in particular to the section below on power asymmetry.
Jehovan (n 31) para 71.
Fashion ID (n 31) para 77.
See mainly the section on power asymmetry.
Liu and others (n 19) 7; Article 29 Working Party, 'Opinion 05/2012' (n 36) 5; Bhowmik (n 4) 47-48, 68, 78, 330.
Liu and others (n 19) 7, 87, 98; Bhowmik (n 4) 47; Marinescu (n 5) 8.
Liu and others (n 19) 13.
Bhowmik (n 4) 275.
Knud Brandis, Srdan Dzombeta and Knut Haufe, 'Towards a Framework for Governance Architecture Management in Cloud Environments: A Semantic Perspective' (2014) 32 Future Generation Computer Systems 274, 278;
W Kuan Hon, Christopher Millard and Jatinder Singh, 'Cloud Technologies and Services' in Christopher Millard (ed), Cloud Computing Law (United Kingdom, 2nd edn, OUP 2021) 6-7;
Marinescu (n 5) 34;
The type of deployment, ie private, community, public or hybrid also entails different degrees of control. Public clouds generally tend to offer less control to users, whereas private clouds offer more control. As our contribution is limited to public clouds, for more information, please see Bhowmik (n 4) 66-69;
Hon, Millard and Singh, 'Cloud Technologies and Services', ibid 25.
Marinescu (n 5) 1, 265. See also Francoise Gilbert, 'Cloud Service Providers as Joint-Data Controllers' (2011) 15 Journal of Internet Law 3, 3.
Bhowmik (n 4) 48.
SWD (2022) 34 (n 3) 27.
Article 29 Working Party, 'Opinion 05/2012' (n 36) 5.
Amazon, 'AWS Customer Agreement' accessed 15 October 2022.
See also Dropbox Terms of Services (Dropbox, 'Dropbox Terms of Service' accessed 19 October 2022) and Acceptable Use Policy (Dropbox, 'Dropbox Acceptable Use Policy' accessed 19 October 2022), clearly stipulating that Dropbox may review the content of its users to ensure that its users comply with the applicable legislation.
Wirtschaftsakademie (n 31) para 38;
Jehovan (n 31) para 69;
Fashion ID (n 31) para 69.
See also Google Spain (n 32) para 34. See also European Data Protection Board, 'Guidelines 07/2020' (n 22) para 45.
Mell and Grance (n 4); Marinescu (n 5) 1. See also Commission, 'European Commission Cloud Strategy: Cloud as an enabler for the European Commission Digital Strategy' (16 May 2019) 5 accessed 25 November 2022.
Bhowmik (n 4) 57.
European Data Protection Board, 'Guidelines 07/2020' (n 22) 35.
European Data Protection Board, 'Guidelines 07/2020' (n 22)36-37.
European Data Protection Board, 'Guidelines 07/2020' (n 22)37.
European Data Protection Board, 'Guidelines 07/2020' (n 22) 143.
European Data Protection Board, 'Guidelines 07/2020' (n 22)12.
Liu and others (n 19) 5;
Gilbert (n 64) 3;
Commission Nationale de l'Informatique et des Libertés, 'Recommandations pour les entreprises qui envisagent de souscrire à des services de Cloud computing' 5-6
Bhowmik (n 4) 47; Van Alsenoy (n 40) 480;
Christopher Millard and others, 'At this Rate, Everyone Will Be a [Joint] Controller of Personal Data!' (2019) 9 International Data Privacy Law 217, 218;
Kamarinou, Millard and Turton (n 42) 312, 337;
SWD(2022) 34 (n 3).
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 [2022], OJ L265/1 (Digital Markets Act); The above-mentioned criticisms, and in particular the lack of control (or ownership) on the customer's data as well as the consequences of the power asymmetry have been spotted, sometimes in order to propose alternative technological or business solutions. In that respect, see mainly the Gaix-X project.
Kamarinou, Millard and Turton (n 42) 312.
Hon, Millard and Singh, 'Cloud Technologies and Services' (n 61) 24.
Hon, Millard and Singh, 'Cloud Technologies and Services' (n 61) 12-13; Bhowmik (n 4) 47, 49, 98, 296;
Marinescu (n 5) 9, 265, 271.
See also Benjamin Docquir, 'Le “Cloud Computing” ou l'Informatique Dématérialisée: la Protection des Données au Coeur de la Relation Contractuelle' (2011) 10 RDC 1000, 1010.
Article 29 Working Party, 'Opinion 05/2012' (n 36) 6
Hon, Millard and Singh, 'Cloud Technologies and Services' (n 61) 18.
Bhowmik (n 4) 98, 296.
Commission Nationale de l'Informatique et des Libertés (n 80) 6;
Van Alsenoy (n 40) para 1049;
Marinescu (n 5) 5. See also Docquir (n 84) para 37.
Bhowmik (n 4) 296; Hon, Millard and Singh, 'Cloud Technologies and Services' (n 61) 12;
Marinescu (n 5) 258, 265. See also Docquir (n 84) para 1010.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 30.
European Data Protection Supervisor, 'EDPS Public Paper on outcome of own-initiative investigation into EU institutions' use of Microsoft products and services' (2 July 2020) 9 accessed 26 October 2022.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 27.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016], OJ L194/1 (NIS Directive).
See art 4(5) in combination with Annex III, read in conjunction with art 16 of the NIS Directive (n 93).
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 [2022], OJ L333/80 (NIS 2 Directive).
Commission, 'Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)' COM(2022) 68 final (Data Act Proposal).
See art 2(12) in combination with Recitals 69, 76 and 79 read in conjunction with Chapters VI (Switching between data processing services) and VIII (Interoperability) of the Data Act Proposal.
Although Recitals offer interpretations of the legal provisions enshrined in the main body of the Data Act Proposal, it should be noted that they are not binding.
Digital Markets Act (n 80).
The Digital Markets Act defines gatekeepers in its art 2(1), which refers to art 3 to specify the criteria that would qualify an undertaking as gatekeeper.
See art 2(2)(i) read in conjunction with art 6.9 of the Digital Markets Act.
Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union [2018], OJ L303/59.
See Recital 7 and art 1.3 explicitly stating that the Data Act complements the GDPR.
See art 2(25) which defines personal data and Recital 59, which explicitly states that, with regard to the portability obligation, the Digital Markets Act complements the right to data portability as provided in the GDPR.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 24.
Van Alsenoy (n 40) para 95.
We address the allocation of responsibilities for the security measures in more detail under the Section below entitled 'Allocation of responsibilities between the joint controllers'. At this stage, it is sufficient to note that, while the security of personal data is a shared responsibility between the cloud provider and the cloud customer, the cloud provider often defines the basic security measures. In addition, the cloud provider's level of control increases with the type of cloud model: from IaaS (with the least control over the security measures by the cloud provider) to SaaS (with the highest level of control by the cloud provider).
Yordanka Ivanova, 'Data Controller, Processor or a Joint Controller: Towards Reaching GDPR Compliance in the Data and Technology Driven World' in Maria Tzanou (ed.), Personal Data Protection and Legal Developments in the European Union (United States, IGI Global 2020) 15;
Benjamin Wong, 'Problems with Controller-Based Responsibility in EU Data Protection Law' (2021) 11 International Data Privacy Law 375, 380.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 163.
Van Alsenoy (n 40) paras 1238-1239.
See in that respect Google Spain (n 32) para 34; Wirtschaftsakademie (n 31) paras 26, 28; Jehovan (n 31) para 35; Fashion ID (n 31) paras 65, 66.
Kamarinou, Millard and Turton (n 42) 298.
European Data Protection Board, 'Guidelines 07/2020' (n 22) paras 80, 83.
Bhowmik (n 4) 47. Bhowmik refers to the term 'cloud consumer organizations', whereas we deliberately use the concept of 'cloud customers' in this article. We prefer the latter, since 'consumers' generally imply natural persons, while cloud customers can be either natural or legal persons.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 82. The taxi service example given by the EDPB concerns an online platform allowing business customers to book a taxi. The EDPB clarifies that the provider of the online platform qualifies as data controller because it has designed its platform as part of developing its business activity, and without any instructions from its customers. It is also the taxi service provider, which determines the categories of personal data it collects, as well as the data retention periods. Thus, despite the fact that the personal data processing activity takes place following a request from its customers, the EDPB states that the provider of the taxi service platform still qualifies as controller. While cloud providers and the provider of such an online platform differ in many respects, the key criterion identified by the EDPB to qualify the provider of the platform as controller-the design of the service without any instruction from the customer-also applies to public clouds.
Fashion ID (n 31).
Fashion ID (n 31) para 80. See also Charlotte Ducuing and Jessica Schroers, 'The recent case law of the CJEU on (joint) controllership: have we lost the purpose of “purpose”?' (2020) 6 Computerrecht Tijdschrift voor Informatica, Telecommunicatie en Recht 424.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 68.
René Mahieu, Joris van Hoboken and Hadi Asghari, 'Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and Its Application to Data Access Rights in Europe' (2019) 10 Journal of Intellectual Property, Information Technology and Electronic Commerce Law 39, para 18.
As Mahieu puts it, even though the definition of controller requires a determination of both the purpose and means, 'Effectively, the question of determining the purposes and means is transformed into determining the purposes or the essential means'. See also European Data Protection Board, 'Guidelines 07/2020' (n 22) para 40.
Mahieu, van Hoboken and Asghari (n 121), para 18; Van Alsenoy (n 40) para 1190.
Liu and others (n 19) 3.
European Data Protection Board, 'Guidelines 07/2020' (n 22) paras 54, 63.
Informacijski Pooblaščenec (0612-23/2019/19, 1 June 2022) < https://gdprhub.eu/images/8/89/IP_%28Slovenia%29_-_0612-23-2019-19.pdf> accessed 27 October 2022.
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018], OJ L295/39.
This Regulation applies specifically to the EU institutions and bodies, such as the European Commission, the European Central Bank, the European Parliament, etc. It also uses the criteria of the determination of the purposes and the means for the controller (Art 3(8) and, as regards the processor, of the processing of personal data on behalf of the controller (art 3(12).
Wirtschaftsakademie (n 31) para 43. This has been confirmed in Jehovan (n 31) para 66 and in Fashion ID (n 31) para 70.
See also European Data Protection Board, 'Guidelines 07/2020' (n 22) para 169.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 168.
Bhowmik (n 4) 46.
Van Alsenoy (n 40) paras 181, 184, 193, 195, 196, 200.
Ivanova (n 108) 15; Wong (n 107) 380.
European Data Protection Board, 'Guidelines 07/2020' (n 22) para 168. See also Van Alsenoy (n 40) paras 1238-39.
Wirtschaftsakademie (n 31) para 28. This has been confirmed in Jehovan (n 31) para 35 and in Fashion ID (n 31) para 65.