A Study on Cloud Computing and Data Protection in the Light of EU Law and Turkish Law
Sinem Birsin, Beril Çelebi Cem
Abstract: Cloud computing can be described as one of the most trending areas of information technology. It is an Internet-based practice which enables its users to extensively and remotely control and manage their system and reach their data from anywhere with an Internet connection without making major capital investments. This article first provides an overview of the infrastructure and service models in cloud computing and the benefits and risks of procuring such services. It then discusses one of the major concerns in cloud computing, data privacy and security, in the light of Turkey’s newly enacted Law on Protection of Personal Data No. 6698. Lastly, the main agreements executed under the cloud computing model are evaluated and the nature or possible effects of such terms are briefly analysed.
I. INTRODUCTION
The next major step for the Internet is the cloud computing technology that allows individuals, corporate companies and even governments to store and process information and data at data centers through remote access. Cloud computing is a service that is best described as the storing, processing and use of data on remotely located computers accessed over the internet.
Cloud computing is an appealing computing application providing affordable access to advanced technology and allowing end users to use and process their IT infrastructure, platforms and software on a host system over a communication network. Cloud computing also creates a new horizon especially for small and medium sized enterprises (‘SMEs’). It introduces new operating and business models that allow users to cut down IT expenditure and to pay for the resources they effectively use, instead of making major upfront investments.
In the upcoming section, the framework of cloud computing solutions and service models that frequently appear in business life are reviewed.
II. ANALYSIS OF INFRASTRUCTURE AND SERVICE MODELS IN CLOUD COMPUTING
a) Cloud Solution Types
Cloud computing services are provided under four different categories of infrastructure: Public Cloud, Private Cloud, Hybrid Cloud and Community Cloud.
In Public Cloud infrastructure, storage and other sources are offered to the public/general users by a service provider. In this model, data processing applications are run over sources on an infrastructure set up by a service provider and leased by users. This solution is suitable especially for individual use/clients. It can be claimed that this type of cloud is a low security structure compared to other cloud infrastructures. Public Cloud infrastructure provides relatively low cost solutions and is usually priced on a pay-per-use basis. It can even be offered to individual users/customers free of charge.
Private Cloud infrastructure is set up and operated solely for a single institution/organization; public/third party access is not allowed. In this infrastructure architecture, the infrastructure is either stored internally in the organization or by a third party on behalf of the organization. Private Cloud infrastructure is mostly preferred by corporate/large companies and institutions that prioritize data security. Although it is costlier compared to public cloud infrastructure, it provides appealing advantages in terms of data processing investments and expenses.
Hybrid Cloud infrastructure is a composition of two or more of private, community or public clouds. Relatively sensitive, secret data and critical applications are stored in the private cloud within the Hybrid Cloud while applications that require less security are stored in the public cloud.
Community Cloud can be defined as sharing the cloud infrastructure between several organizations from a specific community with a common purpose and common security and compliance requirements. Community Cloud can be designed as a public or private cloud.
b) Cloud Service Models
In SaaS, multiple users are provided access to the application software hosted on the server by the service provider. Users can access and interact with the cloud applications via the Internet, using interfaces such as web browsers, without the need to install any applications on their own systems, and the service is priced on a pay-per-use basis. In the SaaS model, users do not manage or monitor the infrastructure components such as network, platform, operating system and storage devices. Users are only authorized to change configuration/structure settings specific to the application provided as a service.
The service provider delivers users a computing platform where they can develop and run their own applications using programming languages, software databases, services and tools provided by the service provider. In PaaS model, users are not authorized to control or manage the servers, operating systems, storage spaces and other components that make up the platform infrastructure. Users’ authority is limited to adjustments related to the software transferred to the cloud and configuration settings of the platform the software runs on.
In the IaaS model, users can configure processing, storage, networks and other fundamental computing resources required for running applications and install the operating system and applications required. Users are not fully authorized to manage and control the physical infrastructure. However, users can control the system at the level of storage and operating system and manage specific network components. The IaaS model is referred to as Hardware as a Service (HaaS) in some sources.
Cloud computing infrastructure and business models are categorized based on (i) being shared or specific to a single organization, (ii) being stored internally or externally, clients’ authority to interact with the architectural infrastructure of the service and (iii) capacity of customization to clients’ needs. These business models are assessed by users in terms of characteristics such as cost, level of user control on the system and scalability. Cloud computing should certainly be considered as a revolutionary innovation in terms of Internet use, but as in all new systems, it contains challenges and disadvantages besides its advantages.
c) Benefits of Cloud Computing Technology
Cloud computing offers significant benefits both in IT expenditure and computing technology:
- Fast deployment and provision: Cloud services can be circulated at a rapid speed. In both public and private cloud models, software deployment or upgrade is done only once on the centralized cloud server.
- Pay-per-use: Public clouds usually operate under subscription models, avoiding the large fixed costs to set up and use computing equipment.
- Lower cost: Clouds eliminate the need for companies to maintain their own hosting infrastructure, such as expensive data centers. Centralized data storage requires less maintenance on an individual basis.
- Easy disaster recovery and storage solutions: In both public and private cloud models, data is stored generally at a centralized cloud server which makes it easier to create data backups and reduces the cost of disaster recovery. Users can easily control hardware usage and storage capacity.
- Optimized hardware: Hardware is owned by the cloud computing provider in general. Less costly IT equipment is required because most of data storage can be performed in the cloud.
- Easy and instant access: Users can access their content and use their software regardless of their location (they can use laptops, smartphones, etc.).
III. EVALUATION OF CLOUD AGREEMENTS UNDER TURKISH LAW
a) Legal Characteristics of Cloud Agreements
This new computing model has led to discussions on its legal characteristics. There are different views with regards to legal framework of cloud agreements under Turkish Law. The tendency is to consider cloud computing as service procurement or a lease agreement (including usufruct lease) because of its non-perpetual character where the proprietary rights are not transferred to user.
On the other hand, we are of the opinion that the licensing character of cloud computing agreements outweighs their service character because cloud computing is mainly based on software, which is protected as an artistic work under Law on Intellectual and Artistic Works No. 5846. Therefore, under Turkish Law, cloud agreements should be characterized as non-perpetual usage licenses with additional services and technical possibilities, because what the cloud provider mainly dedicates to the cloud user is the license to use its cloud-based software infrastructure for a certain period of time. In some specific cases, this procurement (depending on functions of the cloud/software) may include certain characteristics of a lease relation but cannot solely be defined as a service provision or a lease agreement, since the main obligations of a lessor are not applicable to a cloud provider in many cases.
b) Digital Contracting and Standard Terms
Cloud providers’ contracts are often digital agreements, as the nature of cloud services enables use of a click-through, customer-based online sale/distribution model. Moreover, providers generally use one-sided, disadvantageous take-it-or-leave-it standard agreements and the customers/users often accept such click-through terms without any opportunity for negotiation. Depending on the nature of such agreements, one can comment that those terms can be interpreted as unfair terms in some cases.
c) Enforceability of Click-Through Agreements
Standard terms are part of everyday transactions, digital or physical, for both businesses and consumers. In some cases, such disproportionate clauses may be used to impose unfair terms on one of the parties of a cloud agreement.
In order to harmonise such measures in consumer agreements, the EU established the Unfair Terms Directive (‘UTD’) in 1993. The UTD is based on two notions: good faith and significant imbalance. The EU Commission's Proposal for a Common European Sales Law (‘CESL’) also addresses unfair terms, not only in consumer agreements, but also in transactions between businesses. The CESL includes separate sets of rules for business-to-customer (‘B2C’) transactions, with a higher level of protection, and business-to-business (‘B2B’) transactions, with a basic level. The definition of unfairness of both B2C and B2B terms applies to the notions of good faith and fair dealing, defined as ‘a standard of conduct characterised by honesty, openness and consideration for the interests of the other party to the transaction or relationship in question’. In the case of unfair B2B terms, the CESL requires that ‘a term, in order to be regarded as unfair, must deviate grossly from good commercial practice, contrary to good faith and fair dealing’ (Article 86 of the CESL).
Turkish Law has been following the principles of EU legislation regarding standard terms. In 1995, Consumer Protection Code No. 4077 came into force, regulating standard terms against consumers for the first time. Like the UTD, the related terms in the Consumer Protection Code were designed to protect consumers. By contrast, under Turkish Code of Obligations No. 6098 (‘TCO’), which entered into force in 2012, the protection against standard terms covers both B2C and B2B transactions. Pursuant to Article 20 of the TCO, standard terms are defined as ‘the terms which are previously and unilaterally prepared by one party with a purpose of using them for several numbers of similar agreements and submitted to the other party during the signing of an agreement’.
The main factors considered under the said Article are: (i) re-usability in a number of agreements, (ii) being previously formulated and unilaterally prepared, and (iii) submission to the counter party.
Under Article 21 of the TCO, in order for the standard term to be valid under an agreement, it is necessary for the party who drafted the agreement to give explicit information to the counter party regarding the existence of such terms in order to provide the counter party with the opportunity to investigate the content of such terms and it is also necessary that the counter party accepts such terms. Otherwise, those standard terms will be deemed as not written but the other articles of the agreement shall still be valid. The standard terms in an agreement should not be regulated against good faith, against the interest of the counter party or as an aggravated article.
Turkey, like some EU Member States, enforces such provisions in relation to B2B transactions, increasing the level of protection for SMEs this way. Non-negotiated standard terms may be unenforceable in some circumstances, even in B2B transactions under specific situations described herein.
The use of standard agreements might be cost-saving on the side of the cloud service providers. This model may also seem preferable to many customers/users, since it enables them to start using the services quickly. However, in fact, such standard agreements do not sufficiently meet customer needs in various respects and users may be exposed to many risks while using cloud services.
IV. CLOUD COMPUTING AND DATA PROTECTION
Upon reviewing the infrastructure and service models briefly explained above, it can be claimed that the major problem in cloud computing is data security. It is a matter of concern for an organization or an individual to store information and data in a third party service provider’s system. Therefore, the security risks arising out of these sharing and remotely accessed systems should be considered cautiously. In this way, each organization/individual can determine the most appropriate cloud infrastructure and service model for them and reconfigure their computing system affordably to comply with technology
Turkey’s recently enacted Law on Protection of Personal Data No. 6698 (Data Protection Law), drafted based on EU Law, is now the primary source for data protection. Therefore, the liabilities of cloud platform actors are analyzed here according to the principles of Data Protection Law.
a) Actors of Cloud Platform
Data Protection Law defines personal data as any information relating to an identified or identifiable natural person. Information such as name, surname, birth date, ID number, social security number, phone number, photograph, license plate and CV of a natural person may be given as examples of what is deemed as personal data. According to Data Protection Law, Data Controller is the natural or legal person who determines the purposes and means of processing of personal data and Data Processor is the natural or legal person who processes personal data on behalf of Data Controller in accordance with its instructions. In order to clarify what these terms represent in practice, the following example may be useful: When a company procures pay-roll services from a third party vendor, the employee whose data is processed for pay-roll services is the Data Subject, the employer company which sets out the terms and limits of processing is the Data Controller and the pay-roll service vendor which processes the personal data within the limits of pay-roll services and Data Controller’s directions is the Data Processor.
Although the scope and technical aspects of data processing are not easily determinable in cloud service environments, it is a well discussed subject in EU Law in terms of the actors and their liabilities. According to Article 29 Data Protection Working Party (Art 29 WP), cloud service customer is accepted as data controller while cloud service provider is deemed as data processor. It is important to understand the difference between data controller and data processor in order to distinguish their liabilities under the cloud service agreement.
b) Data Controller and Data Processor Distinction
Data Controller is the party who determines the purpose and limits for processing of personal data and who is primarily responsible for personal data protection. Data controller collects the data, informs the data subject with regards to purpose of collecting and processing his personal data, determines purpose and methods of processing, maintains security of personal data and ensures that data subject’s requests in relation to erasure and rectification of data are met properly.
Data processor, on the other hand, is required to act in accordance with data controller’s instructions while processing the data on behalf of data controller. Data processor, if and to the extent authorized expressly by data controller, processes the personal data, determines the manners and methods of processing, storing, securing, rectifying and erasing personal data.
In the light of the definitions above, the major difference between data controller and data processor comes from the authority and control over personal data and its processing manners and purposes. However, in a cloud service relationship it is not easy to observe if data controller actually holds the authority over the means used for processing and storing personal data because cloud service providers often use subcontractors for hosting and unilaterally decide on security measures and location of servers, which makes it difficult for data controllers to even determine where the data is stored.
In spite of this complicated delegation of authority, cloud service providers are accepted as data processors under EU Law because the independence and authority for processing personal data pertains to cloud service customer.
‘Although the cloud provider provides a range of services and uses a great deal of its own technical expertise to do this, it is still only a data processor. A key consideration is that the conditions of the contract mean the cloud provider has no scope to use the data for any of its own purposes. In addition, the cloud provider does not collect any information itself. All the personal data it holds in connection with its provision of the service is provided by the local authority.’
Another major issue for cloud service users is the difficulty to negotiate the cloud service agreements since cloud services are presented as standard services subject to same terms and conditions for all customers. Although cloud service providers tend to have online terms and clickwrap agreements which cannot be amended for each user; these difficulties are not accepted as legal excuses for data controllers. Both Art 29 WP and Information Commissioner’s Office in UK state that the ultimate liability for data protection shall, in any case, rest with the cloud service customer as being the data controller.
‘It is ultimately the client who decides on the allocation of part or the totality of processing operations to cloud services for specific purposes; the cloud provider’s role will be that of a contractor vis-à-vis the client, which is the key point in this case. As stated in the Article 29 Working Party Opinion 1/2010 on the concepts of controller and processor, “the imbalance in the contractual power of a small controller with respect to large service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law.”’
Therefore data controllers are expected to choose a provider who provides its clients legal certainty and adequate protection in cloud service agreements on top of eligible technical services.
c) Subcontractors of Data Processors as Sub-processors
As formerly mentioned, cloud services usually involve secret players as subcontractors of cloud service providers. These subcontractors provide hosting, network or processing services to cloud service provider and therefore cloud service provider, as the data processor of the cloud customer, may not be the only processor of the cloud platform.
Subcontractor of a data processor is deemed as a sub-processor of personal data and constitutes one of the most critical parts of data controller – data processor relation. Since data controller will at all times remain as the ultimate responsible party for data protection, the methods used by all processors should be approved and even audited by data controller via technical measures and legal provisions.
One major question for subcontractor authorization relates to the place where personal data is stored and/or transferred to for processing operations. Data Protection Law regulates that personal data cannot be transferred abroad without data subject’s explicit consent and, in exceptional cases where consent is not required, can only be transferred to countries where adequate level of data protection is ensured. The list of countries which ensure adequate level of protection is published by Personal Data Protection Commission. As a consequence, location of sub-processor servers should be identified by data processor and declared to data controller in order to ensure conformity with data subject’s consent for processing.
Another important aspect is the liability for acts and omissions of subcontractors. For clarity, limitations and principles for processing should be defined in writing between data processor and data controller. Accordingly, data processor should execute back-to-back agreements with its subcontractors and procure compliance with processing and purpose limitation instructed by data controller. An efficient solution for subcontracting authorization may be established by granting an advance approval for domestic subcontractors and requiring additional written approval for foreign subcontractors and transferring data to foreign countries.
V. CRITICAL POINTS OF CLOUD COMPUTING AGREEMENTS
a) Agreement between Cloud Service Provider and Hosting Company
Most cloud service providers use third party contractors for hosting their software and licensing their operating systems. These third party hosting companies are subcontractors and fulfillment of cloud service provider’s undertakings before its customer depends on their competence. This is the reason why the agreement between cloud service provider and hosting company should include back-to-back provisions from end user agreements to guarantee a proper pyramid of obligations and division of labor where the aim is to protect and provide qualified services to end customer.
It can be claimed that the first critical back-to-back provision is the service level agreement (SLA) offered to the end user. SLA is simply defined as part of a standardized service contract where a service is formally defined. In cloud services, where the same resource is used for many customers, SLAs focus on characteristics of the data center and the system availability. The system availability is calculated and defined with terms such as downtime or outage durations, maintenance windows and recovery times. All these terms relate to service availability which is the duration when the system is working and the service is available to end users.
Cloud service provider stipulates SLA to the end user as an assurance of its services where certain availability duration is promised and in case the promised availability level is not reached, indemnification and/or termination options are provided. Outages may be scheduled for upgrade and maintenance reasons or they may be unplanned and caused by system failures. In cloud platforms, hardware and network services are deemed as some major reasons of outages. Consequently, hosting companies should provide SLAs to cloud service providers in terms of their own services.
Another critical back-to-back provision, specific to cloud services, should be drafted for sub-processing of personal data. Purposes and limits of processing should be explicitly defined and limited in the hosting agreement. In order to avoid unauthorized processing in foreign countries, subcontractor should also be subject to limitations for hosting/processing locations. Subcontractor should also be obliged to act in accordance with cloud service provider instructions for returning or destroying personal data.
Last but not least, subcontractors should be expressly notified of and bound by their obligations regarding data breach scenarios, requests from legal authorities for disclosure of data, confidentiality and compliance with Data Protection Law. This approach may be thought in favor of both parties because processors using personal data in breach of Data Protection Law are considered to be data controllers and therefore may be held directly liable for infringements.
b) Collaboration Agreement between Cloud Service Provider and Third Party Software Company
As cloud technology expands to different industries and companies focus keenly on mobile applications/servers, software companies are more eager than ever for collaboration projects and multi-sided business models. White-labeling agreements in the software market may be given as a common example of collaboration projects. Software companies and web applications choose to use white labeling for specific services to avoid investing big amounts in relevant infrastructure. For example, a web application or an e-commerce web site may establish a collaboration project for payment gateway technology: While the credit card payment would be made via the e-commerce web site, the transaction would actually be forwarded by the payment gateway service provider and the end-user would still see the e-commerce web site as owner of the services offered.
In these collaboration projects, personal data is usually transferred, processed or stored by more than one party. It is therefore important for all such parties to determine the task sharing and implement security measures for protection of personal data, such as encryption of data or delegation of authority for data access. In addition, all other obligations stated under the sub-contractor heading should also be taken into consideration when drafting relevant agreements.
c) Agreement between Cloud Service Provider and End Customer
Although the agreement between cloud service provider and end customer (End Customer Agreement) forms the main document and lays out the fundamental principles of the cloud service, it is hard to say that it reflects mutual agreement, because standard customer agreements are used. This, however, does not reduce or change the liability of end customers before data subjects or third parties. Claiming indemnification of damages from cloud service providers may not always be adequate and the right of recourse may not always fully protect the end customer. For this reason, the customer is expected to choose a cloud service provider whose terms and conditions offer compliance with Data Protection Law and sufficient legal protection. Listed below are some issues to be considered specific to cloud service agreements:
- Purpose Limitation for data processing and technical measures: Purposes and limits of personal data processing should be defined in the End Customer Agreement and further use or processing should be prohibited. Each customer's data should be processed and stored in separate environments where customers cannot access data of other customers.
Due to complex structure of cloud environments, technical measures should be adopted and authorization criteria for accessing data should be defined to limit disclosure risks. All employees and subcontractors should be bound with confidentiality undertakings before such access is granted. In case of sensitive data being processed, encoding data may be considered as a protection method.
Cloud service provider should also assist and comply with end customer's instructions, particularly for data subject requests regarding personal data. National and international standards which have been developed for data protection may be referred and relevant certification may be required by end customer. The European Privacy Seal is an example of projects which provide certification for data protection conformity of IT based services.
- End Customer's right to monitor and audit cloud services: In order to track compliance with agreement, legislation and SLAs provided in End Customer Agreement, end customer should be granted the right to conduct certain audits and monitor services. Although audit itself is deemed as a trigger for some risks (e.g. breach of confidentiality) and may be costly and extremely difficult in case of subcontracting, it is recommended that the possibility and conditions of use of verification tools should always be fully transparent to end customers.
- Subcontractors of Cloud Service Provider: In contradiction to requirements of Data Protection Law, it is not always the data controller but the data processor who decides where data is stored, which subcontractors process data and which security measures are taken. Most of the time data passes through and is stored in different virtual servers across the world. This means in terms of data subjects and data controllers that they may not be able to exercise their rights to the extent set forth under Data Protection Law. It is also possible that when the regulations of the jurisdiction to where data is transferred do not offer an equivalent level of protection, data controllers will have liabilities because of non-compliance with Data Protection Law.
For this reason, it is recommended that End Customer Agreement includes the list of sub-contractors and location of servers. On the other hand, requiring written approval for each subcontractor may raise difficulties for both parties. Instead of a binding list, advance permission for local subcontractors may be given in the End Customer Agreement and appointing a foreign subcontractor or using servers located abroad may be subjected to prior written approval of end customer.
- Erasure and return of data: Including but not limited to personal data, all data uploaded by end customer to cloud platform should be returned and/or destroyed upon written request of end customer.
With regard to personal data, once the purpose for processing personal data and its retention is not necessary, it should be destroyed securely. On the other hand, in case of termination of cloud services or upon end customer's request, data should be returned in a secure and useful way. In order to avoid any future discussions and unjust treatments, the format for redelivering data (initial data, metadata, etc.) should be defined in the End Customer Agreement. Defining a specific format may not be accepted as the best solution because technological changes may introduce new formats, but a sufficient solution may be stating that data should be returned in a generally accepted, reasonable format which allows end customer to re-use the data and which does not create disproportionate costs on cloud service provider. It should also be noted that even in case of rightful termination of agreement by cloud service provider, data should be returned in accordance with these rules to prevent irreversible damages on end customer side.
The term, during which data will be stored after termination of End Customer Agreement, should not be long considering both data protection rules and the financial burden on cloud service provider.
- SLA: SLA definitions for downtime and maintenance should be clearly reviewed together with relevant undertakings and penalties. If such terms are not fairly defined, outage periods may be considered as uptime and end customer may not have the right to ask for remedies. Although downtime periods are critical, the needs of every business differ from each other; therefore, downtime provisions should be analyzed separately by each end customer according to its own internal procedures, business hours and needs.
In spite of many End Customer Agreements stating that penalty amount/credit stated in SLA is the only remedy End Customer can claim in case of SLA breaches, it is recommended that End Customer is granted the right to terminate the agreement above certain ratio of service unavailability.
- Liability: In addition to general issues to be considered for liability clauses, cloud services may raise other discussions for allocation of risks and liability. From a cloud service provider perspective, one error in the system may immediately affect all customers and cause a system crash. From an end customer perspective, unavailability of services may have severe effects on production and cause massive damages. Thus, cloud service provider's desire to limit its liability for certain cases is understandable to some extent. However, end customer should pay attention to the wording of the liability clause to understand significant details and its exclusions. For instance, liability limited to the service fees agreed is different from liability limited to the service fees paid, and the effect of deductions made under the SLA should be clearly defined for limitation scenarios.
- Switching Vendors and Transition Assistance: Although many cloud service providers ask for two or three year commitments, end customers should have the right to switch to other cloud service providers. In order to avoid vendor lock-in, transfer of data upon termination, its costs and the transition period should be carefully designed in end customer agreements.