The General Data Protection Regulation grants targeted rights and obligations to actors involved in any operation or set of operations which is performed on personal data, labelled as “processing”. Faced with particular contexts such as cloud computing, data protection authorities are redefining roles to mitigate new personal data risks.
On June 1st, 2022, the Slovenian Information Commissioner, acting as the national data protection authority, requalified a controller/processor relationship as joint controllership in a case involving a cloud provider.
Defining who is a controller and a processor is a key component in achieving compliance with the GDPR. Indeed, qualification as a controller grants control and decision-making power over the processing of personal data, which in turn raises obligations and liability.
The Slovenian Information Commissioner assessed the status of a cloud computing provider acting as an intermediary in a client query processing service, subsequently redefining the roles of each actor: Can a cloud service intermediary, typically labelled as a processor, be bound by controller obligations under the GDPR?
On February 5th, 2019, the Slovenian Information Commissioner asked a cloud computing provider to submit written documentation regarding its status in a data processing operation: the latter acted as an intermediary in a horizontal information system for the implementation of electronic inquiries. Clients could generate a wide variety of questions, which, through dynamic data connection and grouping procedures within the system, could be logically connected to answers from various data sources in real time. The system further enabled safe and reliable storage of all acquired data. The Slovenian inspection procedure attempted to determine the business model of the cloud computing provider, which, thus far, had qualified as a processor under the GDPR.
Findings of the Slovenian Information Commissioner
The investigation revealed that the cloud computing provider served as a crucial technical central point for conducting electronic inquiries into data sources. It furthermore highlighted key practices:
- The cloud service provider enacted bilateral agreements with the data clients and the data sources respectively;
- Communication was based on a two-way protocol: First, a data call protocol allows the client to initiate a request, which is checked by the cloud service provider. Second, a data acquisition protocol, initiated by the cloud service provider, stores the data source answers in coded form. The cloud computing provider later informs the client of the status of the acquired data and saves it in archive databases.
The investigation finds that the basic idea of the system is to simplify the technical complexity of obtaining data from different data sources, through the enablement of interdependent queries. This system supposes the construction and maintenance of a very complex data retrieval procedure which transforms data requests into atomic queries to specific data sources.
Among the long list of content features identified by the Slovenian Information Commissioner, it was established that:
- The cloud computing provider has a clear purpose, namely to provide a high level of abstraction of access to the data of data sources. While the client deals with interpreting the end data, it is the cloud service provider that is concerned with creating reliable and secure technological access to data.
- The cloud computing provider creates and organizes different means of communication and processing: For example, it creates micro processes which each represent a different functionality for retrieving data for a specific data source and uses modern programming techniques to enable provision of connectivity to data sources.
Legal qualifications under the GDPR: What is a controller?
The cloud computing provider initially qualifies itself as a processor in its relationship with data clients and data sources: It argues that its actions refer to mere intermediary goals, through provision of a platform, in a transaction between the data client queries and their corresponding answers.
However, contrary to the controller/processor relationship as currently determined, the facts seem to show that the GDPR’s definition of a controller better fits the cloud computing provider’s actions.
According to Article 4(7) of the GDPR, the controller stands out as the “person determining the purposes and means of processing”: It controls the goal to be achieved, and how to reach that goal: What kind of personal data will need to be processed? To which recipients? For how long? In which software tools? How will the personal data be secured? Stored?
On the other hand, a processor does not determine both means and purposes of the processing: although it can decide on non-essential means of processing, the controller still has influence over chosen measures.
The key practices and content features raised by the Slovenian DPA show the part that the cloud computing provider’s practice plays in determining the purposes and means of processing.
The Slovenian Information Commissioner requalified the relationship between the cloud service provider and its clients as a joint-controller relationship, given the factual purposes and means deployed. The joint determination of intentions and means in this case affects the processing of personal data and requires a dual responsibility for the implementation of GDPR obligations.
This concept of joint management is determined by GDPR Article 26, which was further clarified by CJEU case law. This arrangement determines respective compliance responsibilities for both controllers through self-arrangement, the essence of which has to be made available to data subjects.
The Slovenian Information Commissioner focused on the importance of analysing actual circumstances, rather than legal form, to define a processing relationship between actors. It advises abandoning a formal point of view (Which person is designated as manager?) and adopting a functional point of view (Which person factually has decision-making power?).
The particular context of cloud computing
The plurality and complexity of cloud computing services require a departure from the binary distribution of roles interpreted in the GDPR: The lack of transparency and control that comes with cloud services makes it impossible for cloud service users alone to ensure that GDPR obligations are met. Requalifying cloud service providers as controllers when needed, on a case-by-case basis, ensures appropriate mitigation of personal data risks in the use of cloud services and adequate determination of respective responsibilities.
The Slovenian regulator’s decision might have been foreshadowed by similar earlier positions, such as the French CNIL’s 2012 recommendations. The CNIL had argued that if clients were unable to give instructions to a cloud computing provider and control its measures to ensure data security, the cloud provider should be considered a joint data controller. Although the Slovenian Information Commissioner’s decision is a step forward regarding responsibility sharing in the context of cloud processing, it remains unclear which specific means qualify as essential, and are thus chosen by a controller, and which as non-essential.