Amarbat Batzul
Jul 26, 2020


THE DUE APPLICATION OF TERRITORIAL SCOPE OF GDPR TO CLOUD COMPUTING SERVICES ESTABLISHED OUTSIDE OF EU


Since the General Data Protection Regulation (GDPR) became applicable in 2018, many modern technologies have faced an obligation to bring all of their functions and activities into compliance with its articles. Although the previous Data Protection Directive contained the provisions needed to secure personal data stored in a variety of technologies, it never kept pace with the dramatic rise of modern technologies such as cloud computing. Consequently, there is still uncertainty about, and a need to research, how specific provisions of the GDPR apply to specific technological methods. This paper focuses on the territorial scope of the GDPR and its application to an emerging technological development and software delivery method: cloud computing.

More specifically, this paper relies on the application of Article 3.2 of the GDPR to cloud computing services. Article 3.2 of the GDPR says: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behavior as far as their behavior takes place within the Union”[1].

This article substantially says that the GDPR applies to processors and/or controllers not established in the EU when they process personal data of data subjects who are in the European Union. In other words, compared with the previous Data Protection Directive, the GDPR broadens the territorial scope of its application by stating that even controllers and processors not established in the EU fall under its regulation.

However, the applicability of the GDPR's territorial scope to controllers and processors not established in the EU rests on a justification that must be met: in any case, the processing of personal data must be targeted at EU data subjects for Article 3.2 of the GDPR to apply. The European Data Protection Board therefore considers that the focus should be on the connection between the processing activities carried out by the processor and the targeting activity undertaken by the data controller[2]. For example, if a US cloud service provider collects data of EU data subjects and stores it in a cloud database in the US, the GDPR applies to that US cloud service provider. To this extent, the issue of a written representative further arises.

For traditional business activities, the applicability of the GDPR's territorial scope should not be in dispute if they collect the personal data of EU data subjects. Instead, the question is how Article 3.2 of the GDPR should duly apply to cloud computing services. Cloud computing is a modern technology that offers companies a variety of opportunities and services through outsourcing.

Cloud computing can be defined as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction[3]. In other words, a cloud computing service is accessed via the internet and stores data on different servers located in different jurisdictions.

Given the nature of cloud computing, personal data can be stored on different servers under different jurisdictions where the processor is not established in the EU. On the one hand, cloud computing simplifies the whole IT environment by offering easily accessible data storage around the world. For instance, it is common in practice for a cloud service provider to be a US-based company with data servers in the EU, in Asia and in Africa, anywhere in the world. This raises many legal questions, including the territorial application of the GDPR and the clash of jurisdictions.

In theory, there are by nature three main parties involved in a cloud-based environment: the cloud provider, the cloud customer and the cloud users[4]. The participants in a cloud-based environment should first allocate their tasks. In a cloud computing service, the data subject shall be the data controller, who identifies the purpose of data processing, and the cloud service provider shall be the data processor.

The Article 29 Working Party (WP29) came up with a list of recommendations on how to integrate and use cloud computing technology, since the concern was that massive use of cloud technology would put data at risk and lead to a lack of control over data[5]. When the personal data of EU data subjects is processed on a data server located outside the EU, the GDPR applies to that cloud service provider under Article 3.2. Under the previous Data Protection Directive, it was impossible to protect personal data stored on a server established outside the EU. On the one hand, the GDPR can protect such data; on the other hand, the DPD is quite inadequate, unclear and confusing in dealing with new technological advancements[6]. Cloud providers operating from outside the EU need to improve their processes and procedures to match the same Quality of Service (QoS) and standards offered by their competitors residing in the EU[7].

Since the GDPR broadens the protection of personal data, the result of my research is that the GDPR applies to any cloud service provider that processes the personal data of EU data subjects. This in turn raises another structural question: under Article 27 of the GDPR, a data processor not established in the EU must designate a written representative in an EU Member State if it runs an active operation there.

In the world of cloud computing, there are many good examples of how cloud service providers not established in the EU comply with the GDPR. For example, Google issued its “Google cloud whitepaper”[8] in May 2018, which sets out in detail how Google Cloud complies with the GDPR. In this whitepaper, Google states that anyone using Google Cloud as a customer should be considered a data controller. Specifically, Google is a non-EU company operating in the EU and over EU data subjects.

From a legal perspective, the cloud embodies a new template for interactions: all interactions in the cloud — unlike those that occur purely via the Internet — are contract-based[9]. Hence, business entities that receive cloud services through outsourcing should focus on the cloud service provider's level of compliance with the GDPR when concluding a contract. On the other side, cloud services include Software as a Service (SaaS), so SaaS providers should have adequate and satisfactory technical measures in place to ensure the security of the personal data of EU data subjects.

In conclusion, Article 3.2 of the GDPR applies in principle, without any obstacle, to cloud service providers that process the personal data of EU data subjects in their data storage, wherever it is located.

[1] General Data Protection Regulation, European Parliament, Regulation 2016/79, 2016.

[2] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), European Data Protection Board (EDPB), 2018.

[3] The NIST Definition of Cloud Computing, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication SP 800-145, September 2011, available at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[4] Faye Fangfei Wang, “Jurisdiction and Cloud Computing: Further Challenges to Internet Jurisdiction”, in F. Wang, Internet Jurisdiction and Choice of Law: Legal Practices in the EU, US and China (Cambridge: Cambridge University Press, 2010).

[5] Article 29 Working Party, Opinion 05/2012 on Cloud Computing, adopted on 1 July 2012.

[6] Andrej Savin, EU Internet Law, Elgar European Law series, 2013.

[7] Luis Borges Gouveia, “The Implication and Challenges of GDPR’s on Cloud Computing Industry”, available at https://www.researchgate.net/publication/319800996_The_implication_and_challenges_of_GDPR's_on_Cloud_Computing_Industry/citations

[8] “Google cloud whitepaper”, 2018, available at https://cloud.google.com/security/gdpr/resource center/pdf/googlecloud_gdpr_whitepaper_618.pdf

[9] Damon C. Andrews & John M. Newman, “Personal Jurisdiction and Choice of Law in the Cloud”, 73 Md. L. Rev. 313 (2013), available at http://digitalcommons.law.umaryland.edu/mlr/vol73/iss1/12
