Public Operators and Cloud Services

Vaar Has Assessed the Major Cloud Service Providers’ Terms Under the GDPR

The General Data Protection Regulation – the GDPR – has since the Regulation entred into force in Norway on 20 July 2018 necessitated major changes for Norwegian businesses, bot public and private. Public operators must, as a result of requirements for their own processing of personal data, also impose requirements on cloud service providers. 

We see a growing need and desire among public operators to adopt cloud services. In this connection, it is important that these customers make a thorough assessment of the standard agreements with the cloud service provider against their own requirements and expectations. Hey issues in the assessment should be compliance with privacy and security requirements.  

Vaar has recently reviewed the standard agreements from the major international cloud service providers in relation to the purchase of cloud services for a large player in the public sector. In light of the GDPR, the parts of the terms which affect privacy and privacy related issues have been the focus of the review. Vaar has discovered that where the GDPR permits it, the standard agreements go in the suppliers’ favour. That is, Vaar has uncovered conditions in the standard agreements that deviate from the typical requirements in a data processing agreement drawn up by the controller, without necessarily contravening the GDPR. 

Our experience shows that the standard agreements are extensive and have a complexity that makes them difficult to access for customers. The suppliers have a potential for improvement with respect to appropriately facilitate information and the standard agreements for the customers. The suppliers can benefit from a better understanding of the requirements that public operators must impose on suppliers before they can adopt cloud services. Despite this, the review shows that the suppliers mainly comply with the GDPR, and the importance of information security and privacy is highlighted in the standard agreements.  

The cloud services are designed so that the supplier provides the technology and the cloud service to the customer, without any involvement with the customer’s use. The customer decides how the cloud service should be used and what content that should be added to the service. 

None of the identifies conditions preclude the conclusion of standard agreements or use of cloud services, as the cloud service providers must comply with the GDPR in the same as public operators. However, the review and assessments have shown that there are several conditions in the standard agreements that customers should be aware of: 

  • A recurring rule is regulations where it is standard that the supplier can use technical data from the customer which may also include personal data for its own purpose.
  • The standard agreements also allow the cloud service provider to freely engage sub-processors. The standard agreement entails a general approval of sub-processors, where public actors automatically approve new sub-processors. Such general approval deviates from the data processing agreement typically used by public operators, which requires a prior approval of sub-processors. 
  • Transfer of data to third countries, including special processing such as temporary storage, can, according to the standard agreements, be done outside EU/EEA. In many ways, this is a natural consequence of the nature of the cloud service since they have a global delivery platform.  
  • Cloud services are constantly evolving and changing rapidly. This may be problematic with regards to both dynamic and static agreements. The main problem with static agreements is that they do not take into account the rapid development. Regarding dynamic agreements that change along the way in the contractual relationship, there is a greater demand for follow-up by the customer.  

Despite the above-mentioned conditions, the cloud service providers have introduced comprehensive quality assurance routines in the services offered. This involves, among other things, the preparation and implementation of security measures such as logical and physical security, access management, security breach notification, audit of sub-processors, standard third-country transfer clauses, international security certifications and annual third-party audits. Although the customer’s audit access is limited, the information is made available to the customer.  

It can be challenging for customers to demand changes in the agreements with the major cloud service providers. In our view, it seems appropriate that the cloud service providers themselves control the audit access and use of subcontractors. This is because the cloud service providers have the best conditions and initiatives to ensure quality in both third-party audits and in the use of sub-processors. 

Public operators and other customers should thoroughly review the standard agreements prior to the conclusion of the agreement and prepare a data protection impact assessment (DPIA) for the use of cloud services. The extent to which the cloud services are to be adopted depends on the outcome of the DPIA and the customer’s internal safety requirements. As part of this work, the customer should put together a team with the right expertise, including legal personal with expertise in privacy and special legislation, IT and security architects and technical personnel. 

Regardless of the above, the customer must fulfil its obligations as a controller. Typically, this will include sufficient documentation on: 

  • Internal control,
  • Statutory safety and risk assessments including risk reducing measures, 
  • DPIA, and
  • Policies and procedures.

Vaar is a business-oriented law firm with expertise in technology, privacy and public procurement. We assist both public and private companies in all matters related to said areas.

1. May 2019


See more articles