Cloud Service Providers Can Be Both Data Processors and Data Controllers

Cloud computing—or internet-based computing whereby shared resources and information are hosted on remote servers “in the cloud”—has caused a significant paradigm shift that has changed the way data and software applications are accessed and used. Throughout the world, businesses and governments are embracing cloud computing as a way to reduce cost, adapt to the ebbs and flows of market demands, simplify access to information, and much more. The model is frequently presented as an on-demand self-service where the customer can purchase access to the resources in any quantity, and at any time. Cloud service providers flaunt the rapid provisioning and lower cost of their offering.

As part of their effort to reduce costs and expenses, cloud service providers are also trying to automate the process used for contracting for their services, and insist on the use of form, click-wrap type agreements where there is little or no room for negotiation. The terms of these contracts tend to be one-sided and include provider-friendly terms. Most cloud service providers want full control over the data (where the data are located, which tools to use when processing the data), and the terms of the contract (ability to change price, and terminate, suspend or change the service). Concurrently, they disclaim any warranties or liability for these data, and shift to the customer the full responsibility for ensuring adequate security for the data.

When it is expected that personal data held in the cloud might be subject to the laws of a foreign country, the typical cloud computing services agreement usually requires the customer to acknowledge that the cloud service provider is a “data processor” whereas the customer is a “data controller.” The terms “data processor” and “data controller” are references to the Directive 95/46/EC of the European Commission (“95 Directive”). ¹Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (OJ L 281, November 23, 1995, p. 31). Like all other European Union Directives, the 95 Directive also applies to the EEA countries, i.e., Norway, Iceland and Liechtenstein under the EEA Agreement (see Decision of the EEA Joint Committee No. 83/1999 of June 25, 1999 amending Protocol 37 and Annex XI (Telecommunications Services) to the EEA Agreement); OJ L 296/41, of November 23, 2000. The statement that the cloud service provider is only a “data processor” is intended to shield the cloud service provider from any liability that it might have under applicable data protection laws of the European Union Member States or any other country that follows the principles that are outlined in the 95 Directive. ²Each Member State of the European Union and of the European Economic has implemented in its own way the mandatory concepts that are outlined in the Directives of the European Commission. There are significant differences between the interpretation and the implementation of the Directives, including the 95 Directive, in each Member State. This article only looks at the general principles found in the 95 Directive and the guidance and other documents issued by the European Commission and other European Union authorities, such as the Article 29 Working Party. In order to analyze a specific situation, it would be appropriate of look at the particular circumstances of a cloud service agreement under the specific applicable law of a specific EU or EEA Member State. Under these laws, data controllers have many more obligations and responsibilities than data processors, ³See, e.g., 95 Directive Article 17. are subject to significant compliance and reporting requirements, and may in most cases be held fully liable for the acts or omissions of their data processors. ⁴See, e.g., Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under Directive 95/46/EC of the European Parliament and of the Council (February 5, 2010) clauses 4 and 6(1).

There is an inherent contradiction between, on one side, wanting full freedom and control, and, on the other, claiming a status that substantially reduces one’s liability for one’s acts or omissions. After analyzing the opinion, tests, and criteria currently provided by European Union officials for determining whether an entity is a data controller, this article applies these tests and criteria to cloud-based offerings. We conclude that while some categories of cloud services might qualify as those of “data processors,” this is not always the case. According to several opinions of the Article 29 Working Party discussed in this article, whether a cloud service provider is a “data processor” or a “data controller” does not result from a contractual provision. Instead, it depends on the facts of the specific relationship. As a result, some activities of cloud service providers are likely to put them in the category of “data controllers.” Companies negotiating a cloud service agreement should not take it for granted that the customer is the sole data controller and the cloud service provider is only a data processor.

1 - BACKGROUND

This section briefly describes the typical characteristics of cloud computing services and cloud computing contracts, as well as the difference between the duties and obligations of data controllers and data processors.

A - Cloud Service Models

Cloud computing services are usually classified in three categories: ⁵For a detailed description of cloud based offerings, and analysis of the cloud services agreements, see, e.g., Gilbert, Cloud Service Contracts May be Fluffy, Journal of Internet Law, Volume 14, Number 6, page 1 (December 2010).

• –  SaaS (software as a service), where the customer has access to a menu of capabilities, and the provider furnishes hosting, storage, platform and software application for immediate use with the customer’s data; ⁶Examples of SaaS providers include Gmail, Yahoo Mail, Google Docs, Mint, and Salesforce.

• –  PaaS (platform as a service), where the customer has the ability to deploy onto the cloud infrastructure the application that it has created using programming languages and tools supported by the provider. The PaaS retains total control over the network, servers, and storage, and has administrative control over the applications and the middleware; ⁷Examples of PaaS providers include Windows Azure, Google Apps, Force.com, OrangeScape, and Wolf PaaS. Facebook is also a PaaS because third parties can write with Facebook new applications that are made available to end users. and

• –  IaaS (infrastructure as a service), where the customer has access to processing, storage, networks and other fundamental computing services. The customer has total control over the operating systems and the applications hosted by the IaaS providers, and the IaaS provider retains administrative control over the hardware. ⁸Examples of IaaS providers include Amazon Web Services, Amazon Elastic Compute Cloud, IBM, and Rackspace Cloud.

The contracts for each of the categories described above vary slightly because the services are different. Nevertheless, the general features of these contracts have many common elements.

B - Cloud Computing Contracts

Most cloud service providers tend to distinguish their offering from the traditional forms of information technology services by flaunting the greater efficiency, agility, flexibility, and elasticity of the cloud services, and offering these services for sale at a lower price than comparable services on a proprietary platform. Cloud service providers are able to offer these attractive prices by reducing their costs, banking on economies of scale, offering generic non-customized services, limiting their liability, and reducing the cost of customer acquisition by using (in most cases) automated methods of contracting.

As a result, products and services provided by SaaS, PaaS and IaaS providers are usually offered “as is” ⁹See, e.g., Section 11.5 of the Amazon AWS Service Agreement, available at http://aws.amazon.com/agreement/. (version dated December 6, 2010). without any representations or warranties. ¹⁰See, e.g., Section 11.1 of the Google Apps for Business via Reseller Agreement, available at http://www.google.com/apps/intl/en/terms/reseller_premier_terms.html While the marketing materials may flaunt the security measures taken by the service provider, the contract may impose on the customer the sole responsibility for the data and require the customer to bear the sole responsibility for adequate security, data protection, or backups. ¹¹See, e.g., Section 7.2 of the Amazon AWS Service Agreement, available at http://aws.amazon.com/agreement/. (version dated December 6, 2010). The service provider may disclaim liability for direct damages ¹²See, e.g., Section 11.8 of the Amazon AWS Service Agreement, available at http://aws.amazon.com/agreement/. (version dated December 6, 2010). in addition to disclaiming liability for consequential or other damages. The provider may retain the unilateral right to change the terms—including the price ¹³See, e.g., Section 8.1 of the Amazon AWS Service Agreement, available at http://aws.amazon.com/agreement/. (version dated December 6, 2010).—or to suspend or terminate the services at any time, and on short notice. ¹⁴See, e.g., Section 3.3 of the Amazon AWS Service Agreement, available at http://aws.amazon.com/agreement/. (version dated December 6, 2010). It may also retain the right to process the data in any country in which it does business. ¹⁵See, e.g., Section 15 of the Google Apps Additional Terms, available at http://www.google.com/apps/intl/en/terms/additional_services.html.

Where the cloud service is likely to host personal data in a foreign country, or to process personal data that pertain to individuals who are located abroad it is also common for the cloud service agreement to include a provision that states that the customer is the “data controller” and the cloud service provider is a “data processor.” ¹⁶See, e.g., Section 14 of the Google Apps Additional Terms, available at http://www.google.com/apps/intl/en/terms/additional_services.html. By doing so, the cloud provider attempts to shift to the customer the entire responsibility for legal compliance with the applicable data protection laws.

C – Definitions of “Data Controller” and “Data Processor”

The concepts of “data controller” and “data processor” play a crucial role in the application of the 95 Directive, since they determine who is responsible for compliance with data protection rules, how data subjects can exercise their rights, which national law applies and which Data Protection Authority can operate.

The definitions of ‘controller’ and ‘processor’ in Article 2 (d) and (e) of the 95 Directive read as follows:

‘Controller’ shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations the controller or the specific criteria for his nomination may be designated by national or Community law;

‘Processor’ shall mean a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller.

The 95 Directive assigns to data controllers significant duties and obligations, and makes them liable for any act or omission with respect to personal data in their custody. For example, data controllers must comply with specific rules about how they collect or use personal data; they must provide access to these data to the data subjects, and they are responsible for any use of these personal data by their service providers. In addition, some or most data controllers must register with the applicable data protection authority in order to make transparent their data handling practices.

On the other hand, the 95 Directive assigns only a small amount of obligations on data processors. These responsibilities usually pertain to keeping personal data secure from unauthorized access, disclosure, destruction, or accidental loss. In addition, in some countries, such as Ireland, data processors whose business consists in whole or in part in processing personal data on behalf of data controllers who are required to register are also themselves required to register as data processors with the applicable data protection authority.

Thus, whether an entity is a data controller or a data processor has significant consequences. It is important for each party in a cloud relationship to have a clear understanding of the actual rights and obligations of each party.

2 - WORKING PARTY’S OPINION ON THE MEANING OF “DATA CONTROLLER” AND “DATA PROCESSOR”

A - Overview

The data protection concepts that were incorporated into the 95 Directive and other seminal documents ¹⁷See, for example, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). and that were implemented in the national laws of many countries (both in Europe and elsewhere, e.g., Asia, the Americas, Africa) were developed at a time where the interactions between companies and their service providers were simpler and more predictable. Today, computers, networks, the Internet, and other modern information technologies make it very easy to access, share or transfer data. Web 2.0 applications, collaboration tools and other tools allow data to be used, reused, shared, analyzed, sliced and diced, and processed in ways that had not been contemplated by the drafting of the 95 Directive.

This evolution of the information technology environment has caused the European Union authorities to take a closer look at the way in which companies use or process personal data entrusted to them, which in turn prompted an in depth analysis of the concepts of data controller and data processor. First, several cases arose where the definition of “data controller” was a key factor. ¹⁸See discussions below regarding the Working Party’s opinions with respect to the social networks (published in 2009, as WP 163) and with respect to the activities of the Society for Worldwide Interbank Financial Telecommunications (SWIFT) (published in 2006, as WP 128). Then, in early 2010, the Article 29 Working Party issued an opinion on the meaning of “data processor” and “data controller.” Further, in the past two months, the European Commission ¹⁹Communication From the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, COM (2010) 609, published on November 4, 2010, available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf. See also Gilbert, Proposed Changes to Data Protection in the European Union – What Consequences for Businesses?, (9 PVLR 1574, 11/15/10). and the Article 29 Working Party ²⁰Opinion 8/2010 On Applicable Law, Article 29 Working Party Document 0836/10/EN WP179 (WP 179); available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf. have also indicated their concern with respect to the use and protection of personal data in the context of cloud computing and provided additional examples of cloud offerings where the service provider is deemed a data controller. These various activities and the related documents published by EU officials show that the concepts of data controller and data processor are evolving, and are much more complex than the definitions provided in the 95 Directive. With the upcoming amendments to the 95 Directive, it is, more than ever, important to read the tea leaves and be able to predict and anticipate the next move of the EU officials.

B – 2010 Opinion on the Concepts of “Controller” and “Processor”

In its Opinion 1/2010 on the Concepts of “Controller” and “Processor” (“WP 169”) the Article 29 Working Party points out that the way in which service providers are being evaluated is evolving. ²¹Opinion 1/2010 on the Concepts of “Controller” and “Processor,” Article 29 Data Protection Working Party Document 00264/10/EN (WP 169); available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf. Although in the past outsourcing service providers were deemed data processors, nowadays situations and assessments are often much more complex. ²²WP 169, page 2. WP 169 analyses in depth the definitions of these terms and provides guidance on the criteria that it believes to be relevant in determining whether, and in which circumstances, some activities of a service provider would cause it to be deemed a data controller. ²³WP 169, page 29.

The opinion explains that the current definition of “data controller” provides for the possibility of pluralistic control (“which alone or jointly with others”). In addition, it analyses the essential elements that distinguish the controller from other actors (“determines the purposes and the means of the processing of personal data”). WP 169 concludes that the concept of controller is autonomous, in the sense that it should be interpreted mainly according to European Community data protection law, and functional, in the sense that it is intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis. ²⁴WP 169, pages 1, 8, and 32.

C - Possibility of Pluralistic Control – Concept of Joint Controller

The typical cloud computing contract that addresses the issue of “data controller” and “data processor” seems to make an all or nothing assumption that the customer is a data controller, and since the customer is a data controller, there cannot be any other data controller, and thus the service provider can only be a data processor. This assumption is erroneous. Indeed, the definition of “data controller” in the 95 Directive refers to an entity that “alone or jointly with others” determines the purpose and means of the processing.

In WP 169, the Working Party stresses that under the current definition of “data controller” several entities can be data controllers at the same time with respect to the same data. In some circumstances, several data controllers can be separate data controllers with respect to the same data; in other circumstances, they can be deemed joint controllers. ²⁵WP 169, page 20.

WP 169 also points out that in an increasing number of situations, different parties may act concurrently as controllers and that the assessment of this joint control should be made by taking a substantive and functional approach and focusing on whether the purposes and the essential elements of the means are determined by more than one party. ²⁶WP 169, page 18. Further, the participation of several parties in the determination of the purposes and means of processing in the context of joint control may take different forms and does not need to be equally shared.

WP 169 provides several examples of different kinds and degrees of joint control. It also points out that in complex systems with multiple actors, access to personal data and exercise of other data subjects’ rights can also be ensured at different levels by different actors. Different degrees of control may also give rise to different degrees of responsibility and liability. ²⁷WP 169, pages 1, 33.

In one example, a bank uses a financial message carrier in order to carry out its financial transactions and both parties agree about the means of the processing of financial data. ²⁸WP 169, page 20. The processing of personal data concerning financial transactions is carried out at a first stage by the financial institution and at a later stage by the financial message carrier. In this case, the Working Party opines that the bank and the message carrier can be considered as joint controllers.

In another example, an ISP provides hosting services. If the services are limited to website hosting and maintenance, it is only a processor. If however, the ISP further processes the data contained on the websites for its own purposes, it is a data controller with regard to that specific processing. A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor.

In summary, the Working Party believes that there is a wide spectrum of possible joint or concurrent controller status, where in some cases the entities may be separately liable for their activities, and in others, they might be joint and severally liable.

Further, the second example above would support the view that, as soon as a service provider uses the data for its own purposes it is deemed a data controller. It is not clear, however, whether the conclusion would be the different if this secondary use were specifically permitted or if the contract did not raise the issue.

D - Capacity to Determine the Purposes and Means of Processing

The other crucial element that is discussed in WP 169 is the fact that for any entity to be a data controller, it must “determine the purposes and means of the processing” of the personal data.

(1) Determine

First, the Working Party points out that the capacity to determine the purposes and the means of processing may stem from different legal and/or factual circumstances: (a) an explicit legal competence, when the law appoints the controller or confers a task or duty to collect and process certain data; (b) common legal provisions or existing traditional roles that normally imply a certain responsibility within certain organizations (for example, the employer in relation to data of its employees); and (c) factual circumstances and other elements (such as contractual relations, actual control by a party, or visibility towards data subjects, etc.). ²⁹WP 169, pages 10-11.

In this last case, the Working Party stresses that “the terms of a contract are not decisive under all circumstances, as this would simply allow parties to allocate responsibility where they think fit… In case of doubt, other elements than the terms of a contract may be useful to find the controller, such as the degree of actual control exercised by a party.” ³⁰WP 169, page 11-12. This makes it clear that contract terms in a cloud computing agreement where the parties would decide among themselves that the cloud service provider is only a data processor would be irrelevant, and probably unenforceable (at least in the event of an interaction between the cloud provider and a national Data Protection Authority established in the European Union).

According to WP 169, the fact that somebody determines how personal data are processed may entail the qualification of data controller, even though this qualification arises outside the scope of a contractual relation or is explicitly excluded by a contract. ³¹WP 169, page 11. A clear example of this situation is the SWIFT case discussed in WP 128, where SWIFT decided to make available certain personal data for purposes other than the original agreed upon purpose. WP 169 does not specifically state whether activities such as storing or backing up the data in a server located in a different country would qualify as data controller activity. In practice, a cloud service provider is likely to take the initiative to store or archive the data as it sees fit, and may not be acting pursuant to a specific instruction from the customer. In this case, would the fact that the cloud service provider is taking the initiative, and making the decision to locate the data in a different country be sufficient for this activity to be deemed that of a data controller?

Further, the Working Party also observes that other elements may be used in determining whether an entity is a data controller, such as the actual control exercised by a party. ³²WP 169, page 12. This last element is particularly significant in most cloud computing agreements. Indeed, numerous cloud computing agreements contain provisions regarding the control that is kept by the service provider. For example, it is common to see provisions allowing the service provider to:

• –  Change the description of the services from time to time and without notice;

• –  Change or retire a service feature;

• –  Keep control over the location of the data (and in most cases, to not disclose the specific location of the data); or

• –  Increase prices.

In addition, most cloud computing agreements also fail to provide the customer with an ability to audit the service, or the security measures.

These clauses, or absence thereof, which grant the service provider the freedom to change the terms of the service or move the data, might have substantial importance in showing the degree of control that the cloud service provider retains over the means of the processing.

In summary, it appears that the Working Party is proposing a balancing test. The more the service provider follows the specific instructions of the client, the more chance it has to be deemed a data processor. On the other hand, the more the service provider has autonomy, and has the ability to make decisions regarding the data, the more likely it is that, at least with respect to these specific activities, the service provider would be deemed a data controller.

(2) Purpose and Means of the Processing

The Working Party also observes that while determining the “purpose” of processing triggers the qualification of (de facto) controller, the determination of the “means” of processing can be delegated by the controller, as far as technical or organizational questions are concerned. However, substantial questions that are essential to the core of lawfulness of processing—such as identifying the data to be processed, determining the length of storage, or providing access—are to be determined by the controller. According to WP 169, this evaluation is to be made on a case-by-case basis.

A service provider that uses the data for new purposes in addition to those for which the data were transferred would be deemed a data controller. ³³WP 169, page 14. An entity that decides on how long data shall be stored or who shall have access to the data processed is acting as a “controller” concerning this part of the use of data. ³⁴WP 169, page 14.

The factors described above are also frequently part of the typical cloud service agreement. To take advantage of the economies of scale, and to keep the service offering as generic and uniform as possible, cloud service agreements frequently either specifically or implicitly give the vendor the ability to decide on the storage or destruction of the data as well as where or how the data will be backed-up. In this case, would this right and control retained by the service provider make them data controllers, at least for the activities related to the retention, destruction, and safeguard of the data?

WP 169 also notes “when it comes to assessing the determination of the purposes and the means with a view to attribute the role of data controller, the crucial question is therefore to which level of details somebody should determine purposes and means in order to be considered as a controller… A pragmatic approach is needed, placing greater emphasis on discretion in determining purposes and on the latitude in making decisions. In these cases, the question is why the processing is happening and what is the role of possible connected actors like outsourcing companies: would the [service provider] have processed data if it were not asked by the controller, and at what conditions?” ³⁵WP 169, page 13.

Here again, the way cloud service providers keep control over the data, such as when moving the data to different servers located in different regions or countries, would tend to weigh in favor of a data controller status, at least when dealing with the specific activity of storing and processing the data.

(3) Suggested Criteria to be Used in Determining the Qualifications of the Various Data Subjects

WP 169 provides several criteria that may be helpful in determining the qualification of the various subjects involved: ³⁶WP 169, page 27.

• –  Level of prior instructions given by the data controller, which determines the margin of maneuver left to the data processor;

• –  Monitoring by the data controller of the execution of the service. A constant and careful supervision by the controller to ensure thorough compliance of the processor with the instructions and terms of contract, provides an indication that the controller is still in full and sole control of the processing operations;

• –  Visibility/image given by the controller to the data subject, and expectations of the data subjects on the basis of this visibility;

• –  Expertise of the parties: in certain cases, the traditional role and professional expertise of the service provider play a predominant role, which may entail its qualification as data controller.

For example, an accountant who provides services to the public on the basis of general instructions (“Prepare my tax returns”) will be deemed a data controller. On the other hand, an accountant who is subject to detailed instructions from the in-house accountant of a company, perhaps to carry out a detailed audit, in general will be deemed a processor. ³⁷WP 169, page 29.

Most of the criteria above are met in many cloud service offerings. For example, there may be little instructions provided by the customer, especially if there is no negotiation of the terms of the contract. Most contracts do not offer the customer the ability to audit the performance of the cloud provider.

The “expertise of the parties” test may also be crucial in the case of cloud services. Indeed, in many cases the customer uses the service because it does not have the expertise to run these functions in-house. This is especially the case for SaaS providers, and it is indeed one of the primary selling points used by these service providers. They provide the technical expertise to achieve a particular goal, for example the operation of a CRM system, so that the customer may focus on the important activities that are directly related to the unique expertise of the customer, such as the development, marketing, and sale of its own products and services. Would not a cloud service provider that flaunts its expertise at a particular task (such as the design and operation of a CRM database) be in a position similar to that of the accountant in the example above?

3 – EXAMPLES OF CASES WHERE SERVICE PROVIDERS HAVE BEEN DEEMED DATA CONTROLLERS

Before the Article 29 Working Party published WP 169, they had the opportunity to comment in several instances about the qualification of an entity as a data controller. This was done recently when evaluating the responsibilities of social networks, and a few years ago, as well, in an enforcement case against SWIFT related to the alleged illegal transfer of personal information to the United States. In addition, in its recent Working Paper WP 179, the Working Party has also provided additional examples of cases where a service provider would be deemed as a data controller.

A – Working Party Opinion 179

In its Opinion 8/2010 on Applicable Law published as Working Party Document WP 179, ³⁸Opinion 8/2010 on Applicable Law, Article 29 Data Protection Working Party Document 0836/10EN WP 179, adopted on December 16, 2010, available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf. (WP179) the Article 29 Working Party reiterates its position that service providers can be data controllers with respect to all or some of the personal data that they receive from or through their customers. WP 179 provides examples showing that cloud computing relationships come in different flavors. As a result, a cloud service provider may in some cases be deemed a “data processor” and in other cases, a “data controller.” In other words, there may be categories of activities for which the customer (or primary user of the service) is the only data controller and others where the cloud service provider may be a joint data controller. Opinion WP 179 provides two examples. ³⁹WP 179, page 22. In the first one, the user of the service is the sole data controller, in the second, both the user and service provider are data controllers. In the first example, a company uses an online agenda service to organize meetings with clients. It is acting as a mere repository of information; it is a data processor. In the second example, the same entity offers additional services such as synchronization of appointments and contacts. In this case, the cloud service provider is deemed as a data controller.

The difference between the two cases might be that in the first example, the service provider provides only basic service (perhaps services that are deemed not to require expertise), while in the second case, the service offering is more complete and complex. This second offering might require the “special expertise” identified above as one of the tests proposed by the Working Party.

B - Social Network Services as Data Controllers

In its opinion WP 163 on Social Network Services (“WP163”) issued in 2009, ⁴⁰Opinion 5/2009 on Online Social Network; Article 29 Data Protection Working Party Document 01189/09/EN (WP 163) adopted on June 12, 2009; available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp163_en.pdf. the Article 29 Working Party focused on the operation of social networking sites, with the intention to provide guidance with respect to compliance with EU laws. The Working Party opined that social network service providers (“SNS“) and, in many cases third party application providers as well, are “data controllers.” ⁴¹WP 163, page 3, 5.

WP 163 examines the relationship between the users, the SNS providers, and the application providers who develop applications that run in addition to the ones that are developed by the SNS. WP 163 concludes that both the social network service providers (“SNS) and the users of the SNS are data controllers. WP 163 goes on to state that, in addition, application providers who develop applications that run in addition to the ones that are provided by the SNS may also be data controllers. ⁴²WP 163, page 5.

The Opinion focuses on several characteristics of the SNS service: The SNS provides the means for processing user data, provides all the “basic” services that are related to user management (e.g., registration and deletion of accounts), and also determines the use that may be made of user data for advertising and marketing purposes—including advertising provided by third parties. ⁴³WP 163, page 5.

In the specific situation where the cloud service provider is a social network service provider, WP 163 identifies as triggering factors the fact that the SNS service provider: (i) provides (and consequently determines) the means for processing the user data; (ii) provides (and consequently determines) the tools necessary for the management of the user accounts, and (iii) determines some of the uses of the personal data in its custody, such as for advertising, marketing or other commercial purpose.

Some of the characteristics described above may also be found in many other types of cloud-based offerings, in particular those that are based on a SaaS model where the SaaS provider has developed an application for which it has determined the features and proposed uses, and the customer is only able to assert its control over the use of the data hosted by the SaaS by deciding some specific settings. In this case, it would seem likely that at least some SaaS offerings might qualify as “data controllers.”

It is not clear whether the fact that the service provider uses personal data for advertising and marketing purposes is a required component, or whether it is only one of the manifestations of its freedom and autonomy, and the ability of the service provider to make decisions about the personal data.

C - SWIFT Service as a Data Controller

In 2006, the Article 29 Working Party issued a similar opinion as to the activities of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). ⁴⁴Opinion 10/2006 on the Processing of Personal Data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT); Article 29 Data Protection Working Party Document 01935/06/EN (WP 128). Available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp128_en.pdf. SWIFT is a worldwide financial messaging service that facilitates international money transfers. SWIFT stored all messages at two operation centers that were mirroring each other, one within the European Union, and one in the United States. The messages contained personal data, such as the names of the payer and that of the payee. After the terrorist attacks of Sept. 11, 2001, the U.S. Department of the Treasury (“UST”) issued subpoenas requiring SWIFT to provide access to message information held in the United States. SWIFT complied with the subpoenas.

In its Opinion 10/2006 on the Processing of Personal Data by the Society for Worldwide Interbank Financial Telecommunications, Working Paper WP 128 (“WP 128”), the Working Party concluded that, based on the activities described above, both SWIFT and the financial institution shared joint responsibility as “data controllers” within the meaning of Article 2(d) of the 95 Directive. ⁴⁵WP 128, page 2. Even though SWIFT was formally considered a data processor, it acted—at least to a certain extent—as data controller. ⁴⁶WP 128, page 11.

WP 128 made it clear that even though the designation of a party as data controller or processor in a contract may reveal relevant information regarding the legal status of this party, such contractual designation is nonetheless not decisive in determining its actual status. The legal status of the parties must be based on concrete circumstances. ⁴⁷WP 128, page 23.

While SWIFT had considered itself to be a mere data processor operating a messaging service, the Working Party identified several factors that in its view meant that SWIFT extended its role beyond that of a mere data processor. For example, SWIFT took on specific responsibilities, which went beyond the usual set of instructions and duties for execution by a data processor. Its management was able to determine the purposes and means of the processing by developing, marketing and altering the SWIFT services; it provided additional value to the processing. Further, its management had the autonomy to take decisions, such as determining the security to be applied and the location of the data centers.

Specifically, WP 128 states in relevant parts: ⁴⁸WP 128, page 11.

Independently of the contractual relationship between SWIFT and the financial institutions under civil or commercial law, which may include the term “subcontractor”, from the point of view of data protection, SWIFT is not a simple “subcontractor” or processor … for the normal processing of personal data for its usual commercial purpose… Even if it was assumed for a moment that SWIFT acted as “processor”, SWIFT has taken on specific responsibilities which go beyond the set of instructions and duties incumbent on a processor and cannot be considered compatible with its claim to be just a “processor”… The management of SWIFT decides autonomously on the level of information that is provided to the financial institutions in relation to the processing. SWIFT management is able to determine the purposes and means of the processing by developing, marketing and changing the existing or new SWIFT services and processing of data, e.g., by determining standards applicable to it clients as to the form and content of payment orders, without requiring the consent of the financial institutions. SWIFT also provides added value for the processing of personal data, such as the storage and validation of personal data and the protection of personal data with a high security standard. SWIFT management has the power to take critical decisions with respect to the processing, such as the security standard and the location of its operating centers. Finally, SWIFT management negotiates and terminates with full autonomy its services agreements and drafts and changes its various contractual documents and policies. The above are the practical and legal means of the processing.

For the transfer of personal data to the UST, SWIFT decided to comply with the US subpoenas. It also took the initiative to negotiate in a non-transparent manner, through correspondence and a comfort letter with the UST, the conditions for passing the personal data to the UST. It deliberately decided not to inform the financial institutions concerned of this negotiation. Indeed, the control mechanisms obtained and operated by SWIFT affected the purpose and scope of the transfer of data to the UST. These actions exceed by far the normal capacities of a data processor in view of its supposed absence of autonomy with respect to the instructions of the data controller.

While SWIFT presents itself as a data processor, and some elements might suggest that SWIFT has acted in the past as a processor in certain cases on behalf of the financial institutions, the Working Party, having considered the effective margin of maneuver it possesses in the situations described above, is of the opinion that SWIFT is a controller as defined by Article 2 (d) of the Directive, for both the normal processing of personal data… as well as for the further processing by onward transfer of personal data to the [United States].

The Working Party 29 opined that because of its role as a joint data controller, SWIFT was required to comply with its obligations as a data controller under the Directive, including, provide appropriate information to data subjects, notify the processing to the applicable data protection authority, and provide an appropriate level of protection for international transfers of personal data. ⁴⁹WP 128, page 26.

4 - ACTION ITEMS FOR CLOUD PROVIDERS AND USERS

Cloud computing services have taken off like a wild fire to take advantage of promised savings. In the haste of signing up for these services, companies may be disregarding provisions that, in other circumstances, they would have questioned or negotiated. One of these provisions allocates to the Customer the role of sole “data controller” for the processing of personal data in the custody of the cloud service provider.

Regulators, while recognizing the invigorating effect of cloud services, are concerned that the privacy and security of personal information hosted with cloud providers might be at risk, and they are likely to pay increased attention to the use or misuse of personal data in the cloud. A company that accepts without negotiation that it is the sole data controller for data hosted in the cloud might regret its decision if trouble occurs such as a security incident or the misuse of data held in the cloud for which the cloud provider is the responsible party. Its prior admission that the service provider is only a data processor might be a significant obstacle in later attempting to shift cost and liability to the service provider or proving that a contractual provision is not enforceable.

On the other hand, a cloud service provider that builds its business model and cost structure on the assumption that it is only a data processor without much obligation or liability may be surprised to hear that its self-determination has been rejected, and that it must fulfill all of the duties, obligations and compliance requirements of a data controller. The price tag associated to fulfilling these duties is much higher.

Before agreeing to a contract that makes the service provider a data processor and shifting significant responsibilities to the customer as the sole data controller, it would be prudent to stop and analyze more carefully the nature of the relationship. Based on the tests proposed by the Article 29 Working Party, the parties should look at least at the following issues:

• Does the service provider present itself as an expert in its field?

• Will the customer:

• ο  Provide detailed instructions to the cloud service provider?

• ο  Be relying on the expertise of the service provider?

• ο  Be allowed to monitor the activities of the service provider?

• Will the cloud service provider:

• ο  Openly and clearly describe how or where it processes the customers’ data?

• ο  Agree to follow instructions from the customer and not have any other activities with respect to the data?

• ο  Decide which data are to be processed?

• ο  Use the data for purposes other than the specific purposes identified by the customer?

• ο  Process the data if not asked by the customer?

• ο  Decide how long the data should be retained?

• ο  Decide when the data will be destroyed, and how to destroy the data?

• ο  Use the data for marketing or commercial purposes?

• ο  Have the right to alter the service?

• ο  Have the ability to change the terms of its engagement?

• ο  Have the authority to determine the security measures to be applied?

• ο  Have the autonomy to decide the location of the data centers?

• ο  Have the autonomy to determine the standards applicable to its clients, the form, and content of the tools used by the customer?

• Will the data subject know, or understand, that the services are provided through the cloud company?

The responses to these questions might help determine the extent to which the service provider is acting independently, which in turn might help determine whether the service provider is a data controller for some of its activities. The opinions issued by the Working Party show a sliding scale. At one end of the spectrum, a service provider that provides only basic services is a data processor. At the other end, a service provider that is “in control,” e.g., has autonomy, retains the power to draft and change its contracts and policies, or provides added value for the processing of the data, should be deemed a “data controller,” and should share with the customer the liability and risks associated with the processing of personal data.

Cloud based offering have been a concern for regulators throughout the world. In Europe, the European Commission has announced that it will update the 95 Directive to take into account new uses of technology, and it is specifically mentioned its concern that the processing and hosting of personal data in the cloud raise significant privacy and security issues. Based on the prolific publications of the Article 29 Working Party, it is clear that one of these issues to be addressed in the new Directive will be whether and in what way a cloud based service provider is a data controller. Until the overhaul of the 95 Directive provides specific guidance, companies must look carefully at the opinions of the Article 29 Working Party with respect to this question.