Compliance with basic data protection principles in cloud computing: the aspect of contractual relations with end-users

Darius Stitilis, Inga Malinauskaite

Mykolo Romerio Universiteto

Cite as Stitilis, D., & Malinauskaite I., "Compliance with basic data protection principles in cloud computing: the aspect of contractual relations with end-users", in European Journal of Law and Technology, Vol 5., Issue 1., 2014

Abstract

The aim of this article is to analyse the compliance with basic data protection principles in selected consumer-oriented cloud computing contracts, and also to highlight the adequate level of data protection in those contracts.

In order to achieve this goal, the authors introduced the concept of cloud computing, reviewed its features and functions, and considered the advantages and disadvantages of cloud computing from the end-user perspective.

In mitigating the main risks in the cloud environment, compliance with data protection principles in end-users' contracts was identified as a significant factor. The authors presented the main data protection principles established in the current data protection legal framework and in the EU draft General data protection regulation. In addition, the authors carried out a case study of selected consumer-focused cloud computing service contracts, analysing particular cases of compliance with the main data protection principles in those contracts. To achieve an adequate level of data protection, compliance with the main data protection principles shall be ensured.

The case study revealed how the theoretical data protection principles are implemented in reality. Even if the majority of the data protection principles are established in the contracts with cloud end-users, there are plenty of differences in the provisions of privacy policies, which may significantly influence the behaviour of the end-users.

1. Introduction

Cloud computing has become one of the most popular topics of conversation among different communities. The quickly spreading global technological infrastructure raises a variety of legal issues: applicable law, data portability, liability, copyright, etc. Some authors (Daniel J. Gervais and Daniel J. Hyndman, 2012, P. 64; Dan Jerker B. Svantesson, 2012, P. 476) indicate that one of the major challenges in the cloud environment is the concern regarding data protection issues [1] [2], which shall be explicitly analysed.

Data protection principles applied in the cloud environment should be examined on the basis of the fundamental legal requirements established in the European Union data protection Directive 95/46/EC [3] (further - Directive 95/46/EC). However, Directive 95/46/EC was enacted at a time when cloud computing did not exist. In addition, the currently prepared Regulation of the European Parliament and the Council on the protection of individuals with the processing of personal data and on the free movement of persons [4] (further - General data protection regulation or Regulation) should be examined. The data protection provisions of the Regulation, as applied in the cloud computing environment, shall be considered.

2. Defining cloud computing

Cloud computing is becoming an increasingly widespread phenomenon in business processes, in the private life of individuals and in the public sector. Since cloud computing has so far been little examined in scholarly and other works, the authors will first provide the concept of cloud computing and its main features from the end-user perspective.

In the opinion of the European Commission, cloud computing is the storing, processing and use of data on remotely located computers accessed over the internet. [5] The concept of cloud computing is also established in the Data protection review of the European Parliament. [6] According to this document, cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. According to the authors Mark H. Wittow and Daniel J. Buller (2010, P. 5), cloud computing generally involves a subscription-based service that satisfies computing and storage needs from a virtually unlimited hardware and communication infrastructure, which is managed by a third party provider. [7] From the provided definitions it might be implied that the concepts of cloud computing are quite different, although the essence of the concept does not vary so much. Consequently, cloud computing (in the context of this article) may be defined as a complex structure, enabled by the internet, in which services are provided for the end-user and the end-user is empowered to carry out the majority of actions in a quite simple and convenient environment.

While analysing the phenomenon of cloud computing, it is very important to emphasize the main features and functions of cloud computing from the end-user perspective. Using special software, the end-users connect their devices to a remote platform. In this platform data processing is provided by huge data centres with hundreds of servers and data storage systems, which are capable of interacting with any of the software needed by the end-users.

The European Commission Communication on Unleashing the Potential of Cloud Computing in Europe [8] (further - the Communication) establishes further features which define cloud computing and which, according to the authors, are related to the protection of the end-user's personal data:

  • hardware (computers, storage devices) is owned by the cloud computing provider, not by the end-user who interacts with it via the internet;
  • the use of hardware is dynamically optimised across a network of computers, so that the exact location of data or processes, as well as the information which piece of hardware is actually serving a particular user at a given moment, does not in principle have to concern the user, even though it may have an important bearing on the applicable legal environment;
  • cloud providers often move their end-users' workloads around (e.g. from one computer to another or from one data centre to another) to optimise the use of available hardware;
  • at the same time, users can very easily modify the amount of hardware they use (e.g. bring new storage capacity online in a matter of seconds with a few mouse clicks).

Author Jill Billhorn (2010) determines two separate methods of cloud computing. The same methods are also mentioned in the Article 29 data protection working party's opinion on cloud computing. The second relevant method is personal (private) cloud computing infrastructure, which belongs to one organisation, delivering cloud computing services, whereas the organisation itself or third party might be controlled any time and from any place. [9]

Cloud computing functions also can be analysed from the end-user, organization and corporate positions. In our case, functions related to end-users are relevant. Consumers can use cloud services to store information (e.g. pictures or e-mail) and to use software (e.g. social networks, streamed video and music, and games).

As already mentioned, cloud providers often create such an internet environment by moving their end-users' workloads around and optimising the use of available hardware. Cloud computing also offers significant computing capability and economy of scale that might otherwise be unaffordable to businesses, in particular to small and medium size enterprises, which may not have the financial and human resources to invest in information technology infrastructure. Author Kim-Kwang Raymond Choo (2010) mentions the lowest capital and running costs as the main advantage of cloud computing. The end-user pays only for the capacity actually used, on a "pay as you go" economic model. [10] Therefore, the end-users avoid expenses and time-consuming tasks such as buying software, maintaining hardware and taking care of data storage. In addition, end-users save money, physical space and the management of IT human resources. Cloud computing enables a rapid increase in capacity or capability without additional investments in infrastructure, human resources or software licensing. The Communication of the European Commission establishes advantages of cloud computing such as enhanced mobile working, productivity, standardisation, as well as new business opportunities. [11]

The majority of cloud computing end-users refer to simplicity and convenience as the principal advantages of using cloud computing, as well as the ability to access the data from any computer device. The increasing popularity of Internet notebooks, or "netbooks", contributes to the end-users' choice to use the cloud. Netbooks are usually low-cost, lightweight laptop computers with reduced hardware capacity that are primarily designed to provide the user with access to the internet. [12] Therefore cloud computing is easily accessible without the need to invest in local hardware, while at the same time providing unlimited resources for the end-users.

Despite the cloud computing benefits mentioned in this section, end-users shall also take into account the technological, commercial and legal challenges created by the new technology. First, attention shall be paid to the fact that cloud computing is an integral part of the internet and is directly dependent on the network. This means that if there are problems with the internet connection, there will be delays or temporary interruptions in delivering the cloud computing services. In addition, with the increasing number of end-users and amount of transferred data, there is a risk of not receiving the needed service or reply in time. The tools of cloud computing only add to the amount of data transferred over the internet, thereby prolonging the time in which the service is delivered. On the other hand, the end-users of cloud computing are also exposed to the traditional risks of the internet environment, such as technical mistakes, cybercrimes, etc.

Another big challenge of cloud computing is data security [13] and confidentiality. This is particularly important for business companies managing huge amounts of confidential information. In the cloud environment end-users neither possess their data nor control such data. Cloud users have no access to the physical hardware providing their storage and processor resources. The end-users must trust that cloud service providers are taking the risks of data loss and security seriously. Authors Buller D.J. and Wittow M.H. (2010) state that the users' expectations of security and reliability and the lack of direct control that the users have over the hardware providing the data and processing power present particularly challenging problems for the cloud computing model [14].

As stated in the document of the European Commission supplementing the Communication on unleashing the potential of cloud computing in Europe, the principal concerns regarding the future of cloud computing relate to adequate data protection, consumer protection, and interaction related to the transfer of data.

Concluding the section, it might be stated that cloud computing is a complex structure, enabled by the internet, in which services are provided for the end-user and the end-user is empowered to carry out the majority of actions in a quite simple and convenient environment of services management. Despite all the mentioned benefits of cloud computing, some disadvantages might be indicated. The disadvantages of the cloud are closely related to the legal aspects of the phenomenon of cloud computing.

As we can see, one of the principal issues is the assurance of data protection in the cloud environment. The authors will discuss data protection principles which are applied (or should be applied) in cloud computing in the context of contractual relations with the end-users. In addition, the authors will compare the compliance with the presented data protection principles in chosen contracts and/or privacy policies of service providers regarding cloud service provision.

Legal requirements may be defined as a set of rules stated in regulations, which establish the forms of possible activities and techniques. Legal requirements related to privacy and the assurance of data protection in the cloud environment, in the context of contractual relations with end-users, are derived from data protection Directive 95/46/EC. Since Directive 95/46/EC contains no special rules regulating cloud computing, the data protection principles set in Directive 95/46/EC will be considered in order to emphasize the specific legal requirements of the examined object. And since Directive 95/46/EC is intended to be replaced in the immediate term by the currently prepared General data protection regulation, the article will also present the data protection principles set out in the proposal for the Regulation.

The word principle is derived from the Latin word principium and has the meaning of start, foundation. In the most common sense, principle is understood as guiding sense of requirements in the particular phenomenon underlying the content, specific manifestations of individual elements. Legal principles are the principles underlying the formulation of jurisprudence. [15] Examining the different data protection principles applied to cloud computing and established in legal acts, it can be noticed that these data protection principles should ensure a successful and effective background for cloud computing. Data protection principles are important for several reasons. First, they are the guidelines that cloud computing service providers and end-users shall comply with. Second, data protection principles are more general; they do not necessarily define each new situation. Third, data protection principles perform the function of filling legal gaps. And fourth, data protection principles help to unify and improve cloud computing strategies; they should also be taken into account when interpreting practical situations that arise.

Considering the fact that cloud computing services are usually provided by companies, and sometimes big enterprises, it is obvious that the arising issues of privacy and personal data protection bring a lot of uncertainty and lack of confidence for the end-users, at the same time threatening the smooth development of the information society. The article will present the European Union's data protection principles in the context of cloud computing in so far as they relate to the contracts with end-users: transparency, purpose specification and limitation, erasure of data and others. It should be noted that in the article the contracts with the end-users are understood in a broad sense. The concept of the contracts also includes the privacy policies and/or terms and conditions of the service providers.

The following part will present particular data protection principles, applicable in a cloud computing environment.

3.1. Data protection principles in Directive 95/46/EC and Regulation

Data protection principles establish the basic and most important provisions of personal data to ensure appropriate and adequate level of data protection. The lawfulness of the processing of personal data in the cloud depends on the adherence to basic data protection principles. In the opinion of authors, these principles shall be included into each cloud computing contract in order to ensure the adequate level of data protection.

Transparency

Transparency is one of the main features needed to ensure fair and legitimate processing of personal data. Directive 95/46/EC obliges the cloud service provider to provide a data subject from whom data relating to him are collected with information on his identity and the purpose of the processing. [16] The cloud service providers should also provide any further information, such as on the recipients or categories of recipients of the data, which can also include processors and sub-processors, in so far as such information is necessary to guarantee fair processing in respect of the data subject. As stated in the opinion on cloud computing of the Article 29 data protection working party, transparency in the cloud means it is necessary for the cloud service provider to be made aware of all subcontractors contributing to the provision of the respective cloud service as well as of the locations of all data centres personal data may be processed at. [17]

On the other hand, Article 12 of Directive 95/46/EC describes the conditions under which a cloud computing service end-user has the right to obtain information, including but not limited to confirmation as to whether data related to the end-user of services is being processed, and information at least as related to the purposes of the processing, the categories of end-users to whom the data is disclosed, or categories; notice in an understandable form about the processed data and about any available information related to the data resources.

Where the end-user is properly informed in accordance with the provisions of Directive 95/46/EC, the end-user may take an active part in evaluating transparency in the cloud environment. Conversely, if the end-user is not informed, or is informed insufficiently under the conditions of Directive 95/46/EC, the rights of the end-user are breached and legal uncertainty and lack of confidence increase. In addition, as stated in the opinion on cloud computing of the Article 29 data protection working party, if for instance the provision of the service requires the installation of software on the end-user's systems, the cloud service provider should as a matter of good practice inform the client about this circumstance and in particular about its implications from a data protection and data security point of view. Vice versa, the end-user should raise this matter ex ante if it is not addressed sufficiently by the cloud service provider. [18]

The General data protection regulation also establishes the principle of transparency. Article 11 of the Regulation states that the controller shall have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of end-users' rights. The controller shall also provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the end-user. Where personal data relating to the end-user is collected, Article 14 of the Regulation establishes the mandatory information which should be submitted to the end-user by the data controller. This information includes, but is not limited to, the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based; the period for which the personal data will be stored; the recipients or categories of recipients of the personal data. On the other hand, based on Article 15, the end-user shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. In addition, the Regulation establishes the information that the data controller must provide. Such information includes the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data are to be or have been disclosed; the period for which the personal data will be stored and other data.

Given the above-mentioned specific content and wording of the transparency principle in the legal acts of the European Union, it should be concluded that the transparency principle should be established in a cloud computing service contract as one of the binding contractual obligations on the service provider's side. Such establishment of the transparency principle would increase the end-users' legal certainty and confidence in the whole environment of cloud computing service provision.

Purpose specification and limitation

The principle of purpose specification and limitation requires that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (Article 6(b) of Directive 95/46/EC). [19] The same principle is also established in the General data protection regulation (Article 5 (b)).

The cloud computing service provider must define the purpose of data collection before starting to collect data from the end-user and must inform the end-user about these circumstances. The service provider shall not transfer data for purposes other than those obviously defined and identified. In addition, data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (Article 6 (c) of Directive 95/46/EC). The authors presume that the purpose specification and limitation principle shall be one of the mandatory conditions in cloud computing service agreements. The end-user shall be assured that personal data would not be unlawfully processed for purposes other than those defined in the provisions of cloud computing service providers and subcontractors. As a usual cloud environment model may easily involve a large number of subcontractors, the risk of processing of personal data for further, incompatible purposes must therefore be assessed as being quite high. According to the opinion on cloud computing of the Article 29 data protection working party, in order to minimise the risk, the contract between cloud provider and end-user should include technical and organisational measures to mitigate this risk and provide assurances for the logging and auditing of relevant processing operations on personal data that are performed by employees of the cloud provider or subcontractors. The opinion also refers to the imposition of penalties in the contract against the provider or subcontractor if data protection legislation is breached.

Erasure of data

In accordance with Article 6 (e) of Directive 95/46/EC, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. [20] Personal data that are no longer necessary shall be erased or truly anonymised. If this data cannot be erased due to legal retention rules, access to this personal data should be blocked. It shall be noted that erasure of data is important in both cases: during the cloud computing contract period and after its termination. The principle of erasure of data is also important in case of a change of subcontractor. The principle of erasure of data applies to personal data regardless of the location and manner of storage of the data. For example, if personal data is kept redundantly on different server locations, it must be ensured that each instance of them is erased irretrievably. Temporary files and even fragments are to be deleted as well.

The end-users shall be aware of the fact that log data, modifications or erasure of data also qualify as personal data relating to the person who initiated the respective processing operation.

Article 17 of the General data protection regulation establishes the right of end-users to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which were made available by the end-user while he or she was a child. The General data protection regulation states the grounds on which the end-user is able to request the erasure of his or her personal data. These grounds include the circumstances where the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based; the data subject objects to the processing of personal data; the processing of the data does not comply with the General data protection regulation for other reasons.

Following the established provisions of legal acts, it may be concluded that cloud service providers shall ensure secure erasure in the above-mentioned sense and that the cloud service contract shall contain a clear and binding provision for the erasure of personal data. The same shall apply to the contracts between cloud providers and subcontractors.

Confidentiality

In the cloud environment most of the end-user's data is transferred to the service provider. In doing so, the end-users want to be assured that the service provider is using the data only for service use and/or will not disclose them without the end-user's consent. The assurance of the service provider that the data will be transferred and stored in compliance with the requirements of privacy and confidentiality should be clearly set out in the terms of cloud computing contracts. Such an obligation is established in Article 16 of Directive 95/46/EC, stating that any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law. The scientists distinguish two basic approaches to confidentiality in cloud computing: physical isolation and cryptography. [21]

The working group of Article 29 of Directive 95/46/EC emphasizes the importance of encryption of personal data in the cloud environment. [22] However, encryption may contribute to the confidentiality of personal data if used in a correct way, although it does not render personal data irreversibly anonymous. [23] Encryption of personal data could also be used for data transit and transfer of data, for example the transfer of medical records into the cloud in the context of Article 8 of Directive 95/46/EC (The processing of special categories of data), having in mind the particular question of professional secrecy.

In some cases (for example an IaaS storage service) the cloud end-user cannot rely on a cryptography service offered by the service provider; in this case, however, the end-user may encrypt the data himself or herself before sending it to the service provider.

Other technical measures to protect confidentiality, established in the opinion on cloud computing of the Article 29 data protection working party, include authorization mechanisms and strong authentication. Keeping in mind the above-mentioned circumstances, it may be concluded that the assurance of personal data confidentiality in cloud service contracts with end-users is an important and recommended condition. Service provider wants to be sure that the data will be transferred and stored in accordance with the privacy and confidentiality requirements, and in the authors' opinion it would be advisable to include such a contractual clause in each cloud computing service contract.

Availability

Article 12 of Directive 95/46/EC provides the grounds of the right of access. Based on these grounds each data subject has a right to obtain information from the controller without constraint at reasonable intervals and without excessive delay or expense. Providing availability means ensuring timely and reliable access to personal data. The Regulation establishes a separate Section 2 describing information and access to data and provides the comprehensive rights and obligations of the controller and the data subject. It should also be noted that the principle of availability in practice is associated with specific risks. One special threat to availability in the cloud is accidental loss of network connectivity between the end-user and service provider or of server performance caused by malicious actions such as (Distributed) Denial of Service (DoS) attacks. [24] Other availability risks include accidental hardware failures both on the network and in the cloud processing and data storage systems, power failures and other infrastructure problems. Therefore, before starting to use cloud computing services, the end-users shall check whether the cloud service provider has adopted reasonable measures to address the risks. The service provider, in accordance with the provisions of the General data protection regulation, shall take appropriate technical and organisational measures in order to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any kind of unlawful processing of data. In the context of the analysed principle, the authors believe that a cloud computing service contract shall include a contractual clause on the service provider's effort to ensure that the end-users are able to access their personal data easily and that the service provider will make every effort to protect personal data against destruction and/or loss.

Integrity

Integrity may be defined as the property that data is authentic and has not been maliciously or accidentally altered during processing, storage or transmission. [25] Authors (Zhang Rong, Zhou Minqi, Zhou Aoying, Qian Weining, Xie Wei) state that keeping data integrity is a fundamental task in providing cloud computing services. [26] Detecting alterations to personal data can be achieved by cryptographic authentication mechanisms such as message authentication or signatures. Article 17 of Directive 95/46/EC provides that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. According to the General data protection regulation, the controller and the processor shall, following an evaluation of the risks, take the measures referred to in order to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data (Article 30 (2)). An examination of this principle reveals that it would be highly recommended to include the principle of data integrity in the cloud computing service contract, describing the service provider's liability towards the end-user to take all possible measures for the assurance of data integrity.
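The message-authentication mechanism mentioned above, as an added example that is not part of the original article: the end-user attaches an HMAC-SHA256 tag to each object before upload and checks it on retrieval, so that alteration in storage or transmission is detected. The function names, object names and sample records are constructed for illustration, and the sketch assumes the key stays with the end-user and is never given to the provider.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag is 32 bytes


class IntegrityError(Exception):
    """Raised when a retrieved object fails authentication."""


def _tag(key: bytes, object_name: str, data: bytes) -> bytes:
    # Bind the tag to the object's name as well as its content, so an intact
    # object served under a different name is also rejected. The name is
    # length-prefixed so that (name, data) cannot be split ambiguously.
    name = object_name.encode("utf-8")
    message = len(name).to_bytes(4, "big") + name + data
    return hmac.new(key, message, hashlib.sha256).digest()


def seal(key: bytes, object_name: str, data: bytes) -> bytes:
    """Return the bytes to upload: the data followed by its tag."""
    return data + _tag(key, object_name, data)


def verify_and_open(key: bytes, object_name: str, blob: bytes) -> bytes:
    """Check the tag on a retrieved object and return the original data."""
    if len(blob) < TAG_LEN:
        raise IntegrityError(f"{object_name}: too short to carry a tag")
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # compare_digest runs in constant time, avoiding a timing side channel
    if not hmac.compare_digest(tag, _tag(key, object_name, data)):
        raise IntegrityError(f"{object_name}: authentication tag mismatch")
    return data


def audit(key: bytes, store: dict) -> dict:
    """Return {object_name: 'ok' or 'altered'} for every stored object."""
    report = {}
    for name, blob in store.items():
        try:
            verify_and_open(key, name, blob)
            report[name] = "ok"
        except IntegrityError:
            report[name] = "altered"
    return report


def demo():
    """Seal constructed records, alter them as a faulty store might, audit."""
    key = secrets.token_bytes(32)  # kept by the end-user only
    records = {  # constructed sample data
        "contacts.csv": b"name,email\nA. Example,a@example.org\n",
        "notes.txt": b"meeting moved to Thursday",
        "invoice.txt": b"total due: 120.00 EUR",
        "photo.bin": bytes(range(64)),
    }
    # The dict stands in for the provider's storage
    store = {name: seal(key, name, data) for name, data in records.items()}
    before = audit(key, store)

    # Alteration 1: a single bit flipped inside one object
    damaged = bytearray(store["contacts.csv"])
    damaged[5] ^= 0x01
    store["contacts.csv"] = bytes(damaged)

    # Alteration 2: two intact objects returned under each other's names
    store["notes.txt"], store["invoice.txt"] = (
        store["invoice.txt"],
        store["notes.txt"],
    )
    return before, audit(key, store)


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

A shared-key tag lets the end-user detect alteration but does not prove to a third party who made it; the signatures also mentioned above would be needed for that.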

Indemnification

During the examination of specific personal data protection principles, applicable in cloud computing environment, it was observed that indemnification issue and/or liability for failure to comply with data protection principles is extremely important. Directive 95/46/EC establishes that Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered (Article 23 (1)). The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage (Article 23 (2)). The General data protection regulation also states that any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this regulation shall have the right to receive

compensation from the controller or the processor for the damage suffered (Article 77 (1)). In case of several providers, the regulation establishes that where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage (Article 77 (2)). The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage (Article 77 (3)). Authors believe that it is highly recommended to include the contractual provision of indemnification of service provider, protecting the right of end-user to receive compensation if data protection provisions are breached.

The cloud environment comprises many different layers and components and has its particular features. In addition, the environment of cloud services is distinct from the environment of other services. Directive 95/46/EC establishes no special rules regulating cloud computing; therefore the text above presented general data protection principles which, among other environments, may also be applied in the cloud environment. In some cases, general rules may not cover situations arising in specific cloud services. In the opinion of the authors, the data protection principles set out in Directive 95/46/EC should be set out in the Regulation in more detail. After examining the principles, it is also worth mentioning that some of the data protection principles, for example the transparency and availability principles, are established in the Proposal of Regulation in a more comprehensive manner, setting a separate section for the principle and describing a greater variety of grounds and circumstances.

4. Practical analysis of cloud service provider contracts

4.1. Research methodology

In the following section of the article the authors investigate practical aspects of personal data protection principles in cloud services in the context of end-user contracts. In order to evaluate compliance with basic personal data protection principles, practical examples of selected cloud service providers will be assessed. Considering the presented features and definition of cloud computing, the authors have chosen for the practical case study the following cloud computing providers, delivering services to consumers as well as to business enterprises in the European Union: Google, Dropbox, Amazon and Rackspace. They are among the biggest cloud computing service providers, and their contracts with end-users and the conditions of those contracts are significant for a wide range of consumers. Therefore the analysis of the provisions of these public contracts in the context of compliance with the data protection principles while delivering cloud computing services shall be interesting and valuable.

Object of the research - cloud service provider contracts, including privacy terms and/or policies.

Purpose of the research - evaluation of selected cloud service providers' contracts with end-users.

Several different methods will be used in the research: analysis method, comparative method and deduction method. Method for the analysis of legal documents (contracts) will be used for the analysis of provisions of end-users contracts regarding cloud services. Comparative method will be used to compare provisions of end-users contracts between selected cloud service providers. The method of analysis, together with the comparative method, allows exploring a relationship between basic European data protection principles with the provisions of selected cloud provider contracts. Using sources of scientific literature, authors deployed a deduction method which will enable arriving at sufficiently reliable conclusions.

For the purpose of the research, several of the most popular consumer-focused cloud computing service providers were selected, together with their end-user contracts. The selected cloud computing service providers are Amazon, Google, Dropbox and Rackspace. These providers also deliver cloud computing services to European consumers; therefore it is important to examine their compliance with the European data protection principles.

Contracts are the main tools whereby providers set the terms of their relationship with customers, called Service Level Agreements (SLAs) or End User Agreements (EULAs). Privacy terms and conditions appear separately or incorporated into the others. Authors examined consumer-based cloud contracts, including privacy terms.

Thus, the mentioned research of cloud provider contracts examined 4 sets of standard terms and conditions of cloud computing providers targeting individual consumers. These personal data protection principles were evaluated: transparency, purpose specification and limitation, erasure of data, confidentiality, availability, integrity, indemnification.

4.2. Research results

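Table. Data protection principles (rows) in the privacy policies and agreements of Amazon, Google, Dropbox and Rackspace (columns). For each principle, the entries follow in that order.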

1. Transparency

Amazon: Is implemented.

Amazon informs the customer about the collected information.

Collected information comprises different types of information: data received from the customers, automatic information, mobile, e-mail communications, information from other sources.

Amazon specifies the ways in which it shares collected information about customers with affiliated business, third party service providers, promotional offers, business transfers. Amazon also informs the customer about the ways it releases personal information when it is appropriate with the compliance of law. In other cases the customer has an opportunity to choose about sharing personal information.

Google: Is implemented.

Google comprehensively informs customer about the collected information.

Collected information comprises different types of information: account data of customer, usage data, device information, log information, location information, unique application numbers, local storage.

Google also informs customer about the usage of collected information.

Customer is also enabled to make meaningful choices about how information is used including, but not limited to review and control, view and edit, use Google's editor, control and take information out.

Google also states the types of specific information it shares with companies, organisations and individuals outside Google.

Dropbox: Is implemented.

Dropbox informs customer about the collected information.

Due to the terms of the privacy policy, information is collected in a number of ways: providing customer's personal data, uploading files, collecting data through use of the service, collecting data through cookies.

The privacy policy also provides the list of collected information, including, but not limited to name, e-mail address, credit card number, billing address etc.

The policy also provides that Dropbox may share some of customer's information with third-party applications, but only if customer chooses to use those applications.

Rackspace: Half implemented.

Rackspace informs customers about the transfer of personal data for third parties - affiliates and subcontractors.

Rackspace informs customers about collecting and storing information related to customer use of the Services, such as use of SMTP, POP3, IMAP, and filtering.

However, the wording of the cloud terms of services is not structured in a way favourable to the customer and might be identified as a business disclaimer. For instance, "You agree that we may use this information for our general business purposes and may disclose the information to third parties in aggregate statistical form, provided that we do not include any information that could be used to identify you."

2. Purpose specification and limitation

Amazon: Is implemented.

Amazon uses the information that customer provides for such purposes as responding to customer's requests, customizing future shopping for customer, improving Amazon's stores, and communicating with customer.

Google: Is implemented.

Google clearly specifies the goal - collection of information to provide better services to all of its users - from basics, such as which language customer speaks, to more complex things, such as which ads customer will find most useful or the people who matter most to customer online.

Dropbox: Is implemented.

Dropbox uses information either for provision of services to customer or improvement of the services.

Dropbox also uses some of data for its own analytics purposes.

In addition, customer is enabled to choose not to have customer's data accessed by analytics.

Rackspace: Not implemented.

There is no obvious provision, stating the usage of collected data in the cloud term of services.

Rackspace cloud terms of services establishes that customer agrees that Rackspace may use information for their general business purpose.

3. Erasure of data

Amazon: Is implemented.

There is no provision, stating that personal data that are not necessary any more must be erased or truly anonymised.

However, the Help feature tells customers that they can disable or delete data used by browser add-ons, such as Flash cookies, by changing the add-on's settings or visiting the Web site of its manufacturer.

Google: Is implemented.

As it was stated above, Google enables customer himself/herself to take information out of Google.

Also, in Google privacy policy there is a provision stating that if information is wrong, Google strives to give customer ways to update it quickly or to delete it - unless Google has to keep that information for legitimate business or legal purposes.

Dropbox: Is implemented.

Dropbox privacy policy enables customer to review, update, correct or delete the personal information. Also if customer's personally identifiable information changes, or if customer no longer desires Dropbox service, customer may update or delete it by making the change on customer's account settings.

Rackspace: Not implemented.

There is no provision, stating that personal data that are not necessary any more must be deleted.

4. Confidentiality

Amazon: Half implemented.

There is no statement in the privacy policy. Amazon's Customer agreement specifies the definition of confidential information. Also the Customer agreement defines the use of confidential information. However, the wording of the provisions makes binding the obligations of the end-users and not the undertakings of the service provider.

Google: Is implemented.

Google's privacy policy establishes that Google restricts access to personal information to Google employees, contractors and agents who need to know that information in order to process it for Google and who are subject to strict contractual confidentiality obligations.

The policy also states that processing of personal information for the third parties is based on the compliance with Google's Privacy Policy and any other appropriate confidentiality and security measures.

Google Cloud storage Terms of Service also provides the definition of confidential information and Google's obligation in regard to this information.

Dropbox: Half implemented.

There is a statement in the Dropbox's privacy policy concerning confidential information.

However, there is a distinction between private and non-private information. The policy states that Dropbox may disclose customer's non-private, aggregated, or otherwise non-personal information, such as usage statistics of Dropbox Service.

Rackspace: Is implemented.

Rackspace defines that both Rackspace and customer agree not to use the other's Confidential Information except in connection with the performance or use of the Services, as applicable, the exercise of respective legal rights under the Agreement, or as may be required by law. Also they agree not to disclose the other's Confidential Information to any third parties except in defined cases.

5. Availability

Amazon: Is implemented.

Amazon's privacy notice states explicit examples of information customer can access easily. Such information includes, but is not limited to, up-to-date information regarding recent orders; personally identifiable information; payment settings; e-mail notification settings; etc.

Google: Is implemented.

Google's privacy policy establishes that whenever customer uses Google's services, Google aims to provide customer with access to customer's personal information.

Google also informs customer that if customer's Google Account is managed for customer by a domain administrator then customer's domain administrator and resellers who provide user support to customer's organisation will have access to customer's Google Account information.

Dropbox: Is implemented.

Dropbox's terms and conditions provide that the company is in the business of holding on to customer's personal files so customer can access them from anywhere, or easily share them with others.

Rackspace: Is implemented.

Rackspace's cloud terms of services specify separate sections on access to data.

Customer will not have access to Customer's data stored on the Services during a suspension or following termination.

6. Integrity

Amazon: Is implemented.

Amazon's privacy notice does not specify any integrity principle; however, Amazon Customer Agreement provides that Amazon will implement reasonable and appropriate measures designed to help customer secure customer's content against accidental or unlawful loss, access or disclosure.

Google: Is implemented.

Google's privacy policy establishes the statement about information security. It emphasizes that Google works hard to protect Google and users from unauthorised access to or unauthorised alteration, disclosure or destruction of information that Google holds. Policy also specifies particular measures, including, but not limited to the encryption and verification.

Dropbox: Is implemented.

Dropbox in the privacy policy has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

There is a link to the program provided, and contacts for any questions that may be raised.

Rackspace: Not implemented.

Rackspace does not have knowledge of the data customer stores within the Rackspace Cloud system, including the quantity, value or use of the data. Customer is therefore responsible to take all reasonable steps to mitigate the risks inherent in the provision of the Services, including data loss.

7. Indemnification

Amazon: Not implemented.

Amazon's privacy notice does not specify any sanctions or responsibility for the unlawful use of data.

In addition, Amazon Customer Agreement states the limitation of liability that Amazon and their affiliates or licensors will not be liable to customer for any authorised access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of customer content or other data.

Google: Not implemented.

Google's privacy notice does not specify any sanctions or responsibility for the unlawful use of data.

Google SQL Terms of service specify that Google and its suppliers are not responsible or liable for the deletion of or failure to store any customer data and other communications maintained or transmitted through use of the services. It is also stated that customer is solely responsible for securing and backing up its application, project, and customer data.

Dropbox: Not implemented.

Dropbox's privacy notice does not specify any sanctions or responsibility for the unlawful use of data.

In the terms of services there are statements whereby Dropbox limits its liability. For instance, if customer uses some kind of apps, customer is subject to provider's terms and policies, and Dropbox isn't responsible for what they do with customer's data.

Rackspace: Not implemented.

Rackspace cloud terms of services do not specify any sanctions or responsibility for the unlawful use of data.

On the contrary, as was already mentioned, Rackspace disclaimers constitute the biggest part of the provisions.

Customer acknowledges that there are risks inherent in Internet connectivity that could result in the loss of customer's privacy, Customer Data, Confidential Information, and property.

4.3. Summing-up the research results

Transparency principle. Looking at the provisions of the contracts of all four cloud service providers, it may be concluded that the transparency principle is established in all contracts of the presented cloud service providers. It is worth stating that Google involves the end-user in making meaningful choices of reviewing, controlling, editing and erasing data. Amazon and Google specify the types of collected information. The weakest provisions of transparency are established in the contract of Rackspace. The provisions are formulated in a way that the end-user shall accept in advance the way the information is collected, used and disclosed to third parties.

The principle of purpose specification and limitation. Three cloud service providers include statements of purpose specification and limitation. The comprehensiveness of such provisions varies - Google clearly establishes the goal of collecting information of end-users; Amazon and Dropbox generally express the purpose of collection of information. Rackspace has no particular provision of purpose specification and limitation and, again using the formulation of advance agreement, establishes that end-user agrees that Rackspace may use information for the general business purpose.

The principle of erasure of data. Google and Dropbox enable end-users themselves to erase personal information. Amazon enables end-users to disable or delete data. Rackspace has no provision establishing that personal data that are not necessary any more must be deleted.

The principle of confidentiality. Looking into the terms of cloud service providers it might be stated that Amazon contractual clauses are formulated as an end-user obligation and not as the service provider's confidentiality statement. Google most extensively expresses the different aspects of confidentiality. Dropbox and Rackspace establish confidentiality statements. Rackspace undertakes not to disclose confidential information to third parties, and Dropbox divides confidential information into private and non-private. The latter may be disclosed.

Availability principle. All four service providers have the contractual clauses establishing that end-users may access their personal data anytime from anywhere and easily share with others.

Integrity principle. Three service providers - Amazon, Google and Dropbox implement different technical and organisational measures in order to secure end-user's content from accidental or unlawful loss, access or disclosure.

The principle of indemnification. None of the cloud service providers establishes relevant clauses in the contracts. On the contrary, Amazon, Google and Dropbox have clauses which limit the liability of the companies in case of unlawful use of end-user data. Rackspace again formulates the statement that end-user acknowledges that there are risks inherent in internet connectivity that could result in the loss of end-user's privacy, customer data, confidential information and property.

5. Conclusions and recommendations

The article provides the definition of cloud computing, referring to cloud computing as a complex structure, enabled by the internet, in which services are provided for the end-user and the end-user is empowered to carry out the majority of actions in a quite simple and convenient environment.

After the brief analysis of main features of cloud computing, authors introduced the features of cloud computing, main functions, advantages and major risks from end-user perspective. The article mainly considered one of the potential risks - data protection issue in the context of the contractual relations with end-users.

Authors distinguished several data protection principles, applicable in a cloud computing environment (in case of contractual relations with end-users). Data protection principles include transparency, purpose specification and limitation, erasure of data, confidentiality, availability, integrity and indemnification. The brief content of each principle established the grounds for possibilities of inclusion of each principle into the cloud computing service contracts.

From the brief analysis of selected consumer oriented cloud computing service providers it may be noted that more or less all data protection principles established in the legal acts are reflected in the privacy policies and/or service agreements. The contracts of each cloud company provide minimum adequate requirements, which are established in the Directive 95/46/EC and General data protection regulation. However, differences may still be noted in the legal expressions and in the strength of the data protection principles expressed in the analysed documents. In the opinion of authors, the best reflection of established data protection principles is provided in Google contractual clauses. Almost all data protection principles established in the mentioned documents are reflected in the contract of Google. The formulations of Google contract are understandable, clear and unambiguous. In other words, they are user-friendly clauses. In addition, following the clauses of Google contract, the end-user himself or herself is enabled to make choices in controlling, collecting, disclosing and erasing information. It is recommended for Google to include the clause of indemnification.

The weakest expression of data protection principles is established in the contract of Rackspace. The contract lacks the data protection principles of purpose specification and limitation, erasure of data and indemnification statements. The formulations of clauses are ambiguous, limiting liability of the company and transferring liability to the end-user with his or her consent. The wording of contract conditions sounds more like disclaimers and therefore is not favourable for the customers. For Rackspace it is recommended to replace the contractual expressions with customer oriented, clearer conditions and to include the clause of indemnification.

The provisions of Amazon and Dropbox seem to be in compliance with the basic data protection principles, established in the main regional legal instruments. However, they lack provisions of confidentiality and indemnification. Dropbox and Amazon shall improve the clauses of confidentiality and include the clauses of indemnification.

Some of the data protection principles, for example transparency and availability principles should be established in the Regulation in a more comprehensive manner, setting separate section for the principle, describing more variety of grounds and circumstances.

References

[1] Daniel J. Gervais and Daniel J. Hyndman (2012). Cloud control: copyright, global memes and privacy. Heinonline - 10 J. (Telecomm & High Tech. L. 53, Vol. 10).

[2] Dan Jerker B. Svantesson (2012). Data protection in cloud computing - The Swedish perspective. Faculty of Law Bond University, Queensland, Australia. (Computer law & security review 28).

[3] 24 October 1995 Directive of the parliament and of the council 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [1995] OJ L281/31.

[4] Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data , [interactive], European Commission, Brussels, 25 January 2012. (http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf).

[5] European Commission Memo: Unleashing the Potential of Cloud Computing in Europe - What is it and what does it mean for me? [interactive] European Commission, Brussels, 27 September 2012. ( http://europa.eu/rapid/press-release_MEMO-12-713_en.htm).

[6] Data Protection Review: Impact on EU Innovation and Competitiveness, [interactive], European Parliament, Brussels, December 2012. ( http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=78970 ).

[7] Buller D.J. and Wittow M.H (2010). Cloud computing: emerging legal issues for access to data anywhere, anytime. (Journal of Internet law - Aspen publishers,Vol. 14, Issue 1).

[8] Communication from the commission to the European Parliament, the Council, the European economic and social committee and the committee of the regions. Unleashing the Potential of Cloud Computing in Europe, [interactive], European Commission, Brussels, 27.9.2012 COM (2012) 529 final, P. 3-4, ( http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf ).

[9] Billhorn, J. Cloud computing tips for small business, [interactive], 19 September 2011, (http://www.smallbusinesscomputing.com/biztools/article.php/10730_3939301_2/Cloud-Computing-Tips-for-Small_Business.htm).

[10] Choo K.K.R (2010). Trends and issues in crime and criminal justice, [interactive], Australian Government, Australian Institute of criminology, ( http://aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdf ).

[11] Communication from the commission to the European Parliament, the Council, the European economic and social committee and the committee of the regions. Unleashing the Potential of Cloud Computing in Europe, [interactive], European Commission, Brussels, 27.9.2012 COM (2012) 529 final, P. 4. (http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf).

[12] Oxford dictionary online, [interactive].

[13] Commission staff working document accompanying the document Communication from the commission to the European Parliament, the Council, the European economic and social committee and the committee of the regions.

[14] Buller D.J. and Wittow M.H (2010). Cloud computing: emerging legal issues for access to data anywhere, anytime, P.6. (Journal of Internet law - Aspen publishers, Vol. 14, Issue 1).

[15] Dictionary.com, [interactive]. (http://dictionary.reference.com/browse/legal+principle).

[16] 24 October 1995 Directive of the parliament and of the council 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [1995] OJ L281/31.

[17] European Union Data Protection Directive 95/46/EC Article 29 data protection working party opinion 05/2012 on cloud computing, [interactive], European Commission, Brussels, 1 July 2012, P.11, ( http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf ).

[18] European Union Data Protection Directive 95/46/EC Article 29 data protection working party opinion 05/2012 on cloud computing, [interactive], European Commission, Brussels, 1 July 2012. P.11, ( http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf ).

[19] 24 October 1995 Directive of the parliament and of the council 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [1995] OJ L281/31.

[20] 24 October 1995 Directive of the parliament and of the council 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [1995] OJ L281/31.

[21] Zhang Rong, Zhou Minqi, Zhou Aoying, Qian Weining, Xie Wei. Security and privacy in cloud computing: A survey. 2010 Sixth International Conference on Semantics. Knowledge and Grids. Software engineering institute, East China Normal University, Shanghai, China. National Institute of information and communications technology, Kyoto, Japan. (IEEE Computer Society Washington, DC, USA, 2010, P. 108).

[22] European Union Data Protection Directive 95/46/EC Article 29 data protection working party opinion 05/2012 on cloud computing, [interactive], European Commission, Brussels, 1 July 2012, P.1. (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf).

[23] According to the Directive 95/46/EC preamble clause 26, whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

[24] A DoS attack is a coordinated attempt to make a computer or network resource unavailable to its authorised users, either temporarily or indefinitely.

[25] European Union Data Protection Directive 95/46/EC Article 29 data protection working party opinion 05/2012 on cloud computing, [interactive], European Commission, Brussels, 1 July 2012, P.15. ( http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf ).

[26] Zhang Rong, Zhou Minqi, Zhou Aoying, Qian Weining, Xie Wei. Security and privacy in cloud computing: A survey. 2010 Sixth International Conference on Semantics. Knowledge and Grids. Software engineering institute, East China Normal University, Shanghai 200062, China. National Institute of information and communications technology, Kyoto, Japan. (IEEE Computer Society Washington, DC, USA, 2010, P. 108).