Fact is that many organizations find it difficult to stay in control over modern IT systems, whether they hire service providers to provide IT infrastructure or whether they host, operate and maintain systems themselves. Even with respect to self-operated systems, most companies usually have to work with support service providers who have to be granted access to the systems and data to analyze performance problems, troubleshoot errors and provide support and maintenance. Most companies find it prohibitively expensive to customize systems (whether self-hosted or hosted by a service provider) beyond the configuration options provided by the vendor as part of the standard offering. Consequently, there are significant limits to the degree of control that users can and want to exercise over their systems – whether self-hosted or hosted by a provider.
Yet, from a legal perspective, it is imperative that the service provider remains in the role of a data processor and the customer in the role of the data controller. If the service provider obtains or retains too much discretion about aspects or details of the processing, the service provider could become a co-controller, which is not acceptable for either party: The service provider would suddenly assume all kinds of compliance obligations, including to issue notices to data subjects, assure data integrity, grant access, submit filings to data protection authorities, ensure compliance with data retention and deletion requirements, etc. A cloud computing service provider cannot discharge these data controller obligations because it does not know the data subjects or what data is uploaded into its systems. And, if the service provider did in fact qualify as data controller, then the customer would typically violate statutory prohibitions and privacy policy promises regarding data sharing. Therefore, both provider and customer have to work towards an arrangement that keeps the provider limited to the role of a data processor.
The cloud customer is the data controller as long as it decides what data to upload, download, access, transfer, delete and otherwise process. This is the case with respect to most cloud computing offerings because the service provider tends to offer a platform or software functionality as a service without any interest, knowledge or influence regarding data and processing purposes. However, the service provider may require access to customer data in order to provide technical support or install upgrades. While being granted this access does not automatically make the service provider a co-controller, the parties need to assure contractually and technologically that the vendor’s personnel only accesses data on the system to provide the service and prevent support issues.
To keep the customer in control, the cloud computing service provider also has to provide key information about storage locations, processing practices and subcontractors. Some service providers withhold such information based on trade secret protection objectives.
To resolve such conflicts and keep the service provider in the ‘processor’ role, vendors could disclose to their customers key aspects of their data processing practices, equipment locations and significant subcontractors with access to the customer’s personal data. Also, any contractual requirements to safeguard control and data protection need to be passed on to the subcontractors. In connection with cost-efficiently designed, standardized cloud computing solutions, it can be very difficult and expensive for providers to accommodate customization requests by individual customers. To ensure it remains in control over data processing in such cases, the customer might want to retain a right to receive prior notice regarding all relevant details of the data processing and changes thereto, so that the customer can withdraw data or change the use of a cloud solution in case changes are not acceptable. Or the customer could agree or instruct the provider to update service and technology from time to time, as the provider deems appropriate, on the condition that the provider will not lessen the security and privacy measures agreed.
