Some cloud service providers have been called into question over how they access or share their users' information. Here are some criteria to consider before choosing one.
The cloud services that Google offers were seriously called into question by a publication from Martin Shelton, a former employee of the company, who claimed that the company is not only able to access the information it hosts on its systems, but goes further: it reads and analyses it.
Furthermore, that information would be available to US agencies that request it, consistent with known cases in which Google has released information. This last point is nothing new: the transfer of data to the US Government by cloud hosting companies such as Apple, Yahoo, Facebook and Google has been reported on previous occasions. In fact, since 2013, Edward Snowden's revelations have indicated that the National Security Agency was exploiting the United States' dominance of internet services to spy on the world's citizens.
In the same vein, in recent months it has been confirmed that Google collects medical data from millions of Americans by accessing detailed patient information from one of the largest healthcare companies in the U.S.
The use of cloud service providers has been studied in depth by data protection authorities, which have fortunately drawn up guidelines and recommendations on using this type of service, both for the providers of these services and for the personal data controllers who contract them.
Some key aspects in contracting cloud services are:
- Clearly establish the applicable law in the contract with the service provider. Where the clients (the controllers responsible for processing the personal data) are subject to Spanish and European law, the legal relationship with the service provider will be subject to the European General Data Protection Regulation (GDPR) and the local regulations of each specific region. Note that determining the applicable law is not up to the parties: the application of Spanish law cannot be changed contractually.
- Specify the geographical location of the data in the contract; it is recommended that this be within the European area. A destination country that offers a level of protection equivalent to that of the European Economic Area, as recognised by the Spanish Data Protection Agency or by a European Commission decision, is considered an adequate guarantee.
- Ask the service provider to clarify any possible subcontracting of personal data hosting. Where such subcontracting exists, it should ensure compliance with the main contract.
- Reflect in the contract the guarantees for portability, meaning the effective possibility that, when the provision of the service ends, the personal data can be returned to the client or transferred to a new service provider selected by the client.
- Establish the channel and procedure for notifying security breaches that occur within the provider's scope and affect the data controller's data, as well as the notification deadlines, which must respect the deadlines established by law for this purpose.
- The cloud service provider must guarantee mechanisms for deleting the data once the contractual relationship has ended.
- Require security measures by demanding compliance with standards for this purpose, such as ISO 27017 and ISO 27018, the Spanish National Security Scheme (as specified in Guide 823, Security in Cloud Environments) or the Cloud Security Alliance Cloud Controls Matrix.
In specific cases such as the banking sector, the European Banking Authority has established a number of recommendations for contracting cloud services, which are mandatory as of 1 July 2018, and address five key areas: data and system security, data location and data processing, access and audit rights, outsourcing, contingency plans and exit strategies.
Not surprisingly, the EBA advises banks to take particular care when entering into and managing outsourcing arrangements outside the European area because of the potential data protection risks and the risks to effective supervision by the supervisory authority.
If in doubt, at Sothis we help our clients to determine and establish the security and contractual measures required for personal data protection and for compliance with European (GDPR) and Spanish regulations, as well as the applicable sectoral regulations.