Juristica International

1. Introduction

Infrastructure as a Service (IaaS) accounts for a significant proportion of cloud computing services overall, and, according to Gartner, in 2014 ‘the absolute growth of public cloud IaaS workloads surpassed the growth of on-premises workloads for the first time’ *1 . A recent report from RightScale *2 showed that 95% of the organisations surveyed were already using or experimenting with IaaS *3 , with 89% of respondents using public cloud services *4 . Moreover, 32% of small and medium-sized businesses (enterprises with fewer than 1,000 employees for the purpose of the report) were already using cloud infrastructure heavily at that time, as compared to 25% of enterprises in general *5 .

The widespread adoption of cloud-based technologies among these companies does not come as a surprise: small and medium‑sized enterprises are more likely to seek a less expensive option for maintaining their IT infrastructure and to have a smaller budget at their disposal. Neither is their interest in IaaS, which is usually the first step in adoption of cloud-based solutions, as it requires less preparation and integration than do Platform as a Service (PaaS) and Software as a Service (SaaS) options. Indeed, IaaS provides several benefits when compared to traditional computing infrastructure provision *6 . Nevertheless, it has to be noted that the resources a client acquires under IaaS are pretty much the same ones it can obtain from a traditional IT outsourcing (ITO) provider. Aspects that differ are the process of obtaining and expanding the resources; the nature of business relations between the parties; and, finally, the contractual arrangements.

A few years ago, the European Commission (EC) recognised the potential of cloud computing and certain advantages of promoting its adoption within the EU. Small and medium-sized enterprises *7 (SMEs) have often been given the focus in the EC’s efforts to promote competitiveness of European businesses. The aim with the first comprehensive cloud computing strategy *8 , calling for unleashing the potential of cloud computing in Europe, was to address the factors hindering businesses, especially SMEs, from adopting cloud services. In its turn, the Horizon 2020 programme *9 includes cloud computing on its list of priority areas each year. The Work Programme for 2016–2017 *10 , for example, is intended to foster competitive, innovative, and reliable cloud computing for small and medium-sized enterprises and for public institutions.

These extensive efforts on the part of the EC notwithstanding, adoption of cloud-based solutions is not a clear-cut choice for a business. Compliance is listed among the top three challenges for clients adopting cloud-based solutions *11 and is unlikely to disappear from the list. Aside from there being the issues of compliance related to operation in a heavily regulated industry (alongside finance, health care, etc.), there is the matter of data protection compliance, which is becoming highly topical in light of the recent adoption of the General Data Protection Regulation *12 (GDPR). As a fair percentage of businesses process personal data of their customers in one or another way and offer their services in the EU, it is highly likely that numerous individual SMEs are going to have to comply with the data protection legislation in the EU.

This article provides an overview of the changes wrought in the data protection legislation by the GDPR and discusses how the reform might reshape the data protection compliance requirements for SMEs using IaaS to process personal data. In particular, the article addresses the questions of whether SMEs will still opt for IaaS under the new regulation and whether the GDPR interferes with one of the other EC goals – wider adoption of cloud computing by SMEs. The author uses qualitative methods to analyse the provisions of the GDPR, identify which of them are going to influence the data protection compliance of SMEs using IaaS, and establish whether the reform will impede achievement of wider cloud adoption.

2. Infrastructure as a Service as a cloud service model

Infrastructure as a Service is one of several cloud service models. In this approach, the cloud provider supplies basic computer resources (processing power, storage, routers, etc.) on which clients can run software. The cloud provider owns the infrastructure (or hires it from a third party) and maintains it, while the customer pays for it on a pay-as-you-go basis. It is worth noting at this juncture that, while some scholars use alternative terms for this particular cloud service model *13 , ‘IaaS’ is a widely used term throughout the IT industry *14 . Some examples of IaaS are Amazon’s Simple Storage Service (S3) *15 and Elastic Compute Cloud (EC2) *16 , which was a pioneer in the field and leads the way in IaaS public-cloud operations *17 , with a share of about half of the market *18 .

Since, after all, cloud computing is a result of IT outsourcing’s evolution, *19 IaaS is just an alternative way to obtain infrastructure resources by outsourcing its provision to an external provider. There are a few clear benefits to cloud services, with the most significant of these for a business being the absence of substantial up-front investments. With IaaS, clients get infrastructure resources without negotiating complex outsourcing agreements or engaging in time-consuming negotiations every time they find themselves in need of additional resources. Consequently, what constitutes the difference between IaaS and the traditional outsourcing option is not the resource itself but the way of delivering it, along with the cost and effort necessary to obtain and maintain it.

Companies using traditional ITO services happily adopt IaaS in accordance with their needs. A PwC survey showed that 22% of ITO customers used a public cloud in 2011. *20 However, the percentage using an external or internal private *21 cloud was substantially higher. *22 Despite the many benefits of IaaS, companies using traditional ITO services will not automatically want to switch to IaaS. There are a few reasons for which a company may want to stick with ITO, but this article goes into only one of these – compliance with the EU data protection rules.

Increasing adoption of cloud computing encourages traditional ITO providers to enter the cloud computing market. The competitiveness of a particular provider in the market is influenced not only by specific characteristics of its service but also by that provider’s ability to meet clients’ expectations and flexibility in satisfying clients’ compliance needs. Consequently, changes that complicate specific vendors’ ability to meet data protection compliance requirements may reshape the market as a whole.

3. SMEs and external service providers under the legislation currently in force

The data protection legislation currently in force, the Data Protection Directive *23 , protects the rights of persons whose personal data are being processed. It does so by defining roles and obligations of the parties involved in the processing. The specific roles involved are data controller and data processor, where the former is defined as determining the purposes and means of the processing *24 and the latter as processing personal data on behalf of the controller *25 . The data controller has a variety of obligations with regard to personal data and ability to allocate responsibilities to third parties *26 . The data processor, on the other hand, does not have specific obligations except to act only upon instructions from the controller; *27 to ensure fair and lawful processing of data, compatible with specific purposes *28 ; and to implement appropriate technical and organisational measures to protect personal data against threats *29 .

SMEs collecting personal data of their customers and processing said data for a specific purpose in the course of their business are data controllers within the meaning of the Directive and will have to comply with the relevant provisions. As long as SMEs process the data themselves without involving third parties, they will retain sole responsibility for the compliance with the EU data protection rules. However, if SMEs delegate the processing to an external party or use third-party infrastructure to process the data, the external provider becomes a data processor and, in turn, influences the controller’s data protection compliance. Consequently, SMEs’ data protec­tion compliance is affected by whether they process data themselves via the infrastructure they own or rent or instead outsource the whole process or particular stages of it to an external party.

While there is no doubt that SMEs in those circumstances are data controllers, the question of whether an external provider automatically becomes a data processor is problematic. External providers can be involved in the processing in a number of ways, but should every provider of infrastructure resources be deemed a data processor? In essence, should an IaaS provider supplying merely means of processing and without actual knowledge of the data be considered equal to an ITO provider carrying out certain stages of processing in full awareness of the nature of the data?

Assigning the data processor role to a cloud service provider has, accordingly, been questioned and debated. Nonetheless, the Article 29 Working Party *30 declared that a cloud computing provider becomes a data processor by providing the data controller with the means and the platform for the processing of personal data. *31 Hence, whether SMEs obtain infrastructure resources from an ITO provider or instead use IaaS, the external provider will be regarded as a data processor. It is of great relevance that entrusting a third party with provision of underlying infrastructure influences SMEs’ compliance, specifically the obligations of a controller related to the performance of the data processor.

Firstly, the controller has to choose a processor that provides sufficient guarantees in respect of the technical security and organisational measures governing the processing of data and must ensure that processor’s compliance. *32 Whilst in the process of choosing between IaaS and a traditional outsourcing service or even between individual IaaS vendors SMEs certainly take into account the technical specifications and security features of each service, closer analysis or inspection may not be possible in the case of IaaS. The nature of public IaaS and cloud-based services in general does not afford or entail much integration or co-operation between the parties; rather, it takes a form in which a service provider supplies ready tools available for use by the client for whatever purposes. Reaching the legally prescribed goal is problematic unless the IaaS provider makes the service available for examination.

Secondly, there must be a legally binding contract between controller and processor, under which the obligation to ensure appropriate technical and organisational measures to protect the data must be binding for the processor too. *33 The obligation to conclude a binding agreement serves the purpose of providing the data controller with complete control over the processing of personal data and eases ensuring of data protection compliance. While ITO agreements serve this purpose – to define the relationship between the parties and meet their expectation *34 – IaaS is different in this respect. Cloud service providers supply cloud services on the basis of terms of service *35 specified on a Web page, which in most cases are decided upon unilaterally (especially with public IaaS) and do not provide assurance that the service to be delivered suits the client’s purposes. While large enterprises might have the bargaining power to negotiate a tailored contract as IaaS clients, the same certainly is not true for SMEs.

Therefore, even with the legislation currently in place, opting for a traditional ITO service (provision of the infrastructure, owned and managed by the provider on the SME’s premises or in a remote location) will be beneficial in terms of SMEs’ compliance with the data protection rules. The outsourcing provider still becomes a processor of personal data; however, SMEs will have a lot more control over the process, by negotiating an agreement and meeting their compliance needs. On the other hand, this will require more effort in the stage of entering into a contract and maintaining it, so the agreement will come at a higher transaction cost.

4. Forthcoming changes and challenges for data protection compliance

The forthcoming changes to the data protection framework, in the form of the recently adopted General Data Protection Regulation *36 , do not provide a completely new system to protect the interests of data subjects whose personal data are being processed. These changes are, however, going to influence the cloud computing industry in general and SMEs obtaining cloud services in particular. Although the roles associated with the processing of personal data remain the same, obligations will be substantially widened, ­especially those of a data processor.

The data processor will now be obliged not to engage other processors in the processing of data without prior specific or written consent from the data controller. *37 On the data controller’s side, it will be difficult to ensure meeting of this requirement in the context of IaaS, as the nature of cloud computing services is geared fundamentally toward service composed of elements delivered by various vendors. In the likely event of planning to switch vendor or approach new vendors, cloud service providers are unlikely to inform their clients in advance or, even more improbable, to obtain consent for doing so. In addition, another obligation of the data processor – to maintain a record of all the data processing activities *38 – might be difficult to fulfil in the context of cloud agreements. It requires adoption of additional organisational and technical measures. These measures have to be negotiated in each and every case or, alternatively, be part of functionality built into the service itself. Once again, the cost of entering into agreement is going to increase.

The obligation to notify the controller of any personal-data breach without undue delay *39 will result in additional substantial changes. Unlike with ITO services wherein the provider actively reports to the clients, the burden of detecting and communicating violations of the service level agreement *40 (SLA) in IaaS usually rests with the client ^*41 and not the provider. Currently, SMEs not only have to monitor availability of the cloud service but also must report any violations of the SLA in time if they are to receive compensation. *42 Therefore, this obligation requires considerable changes in the respective SLAs.

Perhaps the most problematic aspect of the GDPR for SMEs using IaaS is that a contract between controller and processor will have to stipulate the nature and the purpose of the processing of personal data, categories of data subjects, etc. *43 This is customary in outsourcing agreements, wherein the provider and client typically seek long and lasting partnership and share more information on the nature of the activities to be performed, so as to meet the objectives of the outsourcing better. However, in the absence of a specific connection between a public IaaS provider and its client, it is unlikely that the client will be willing to share such information; that the provider will be interested in it; and, finally, that doing so is absolutely necessary. Hence, standard IaaS contracts will have to be modified, just as SLAs will. At present, the practice is slightly different, to put it mildly. In 2010, 31 cloud services, offered by 27 cloud providers, were subjects in a study of terms of service *44 . The results, while somehow expected, were still surprising: 18 agreements had been modified during the previous half-year period and the change was reported (the last revision date was available), 28 agreements remained unchanged and there was notification of this fact, a further 19 were unchanged without that being reported (no revision date was available), and four agreements had been changed without notification. *45

In light of what is stated above, it becomes apparent that, to comply with the GDPR, SMEs will need to invest more in IaaS in the stage of negotiations and entering into an agreement than before. The business model behind IaaS provides a cost-saving approach by eliminating costs associated with infrastructure maintenance and entering into a contract, thereby enabling clients to access and expand the resources without undue delay. In consequence, the current advantages of IaaS over traditional ITO will be diminished by the upcoming changes.

Setting aside the fact that, because of differences in bargaining power, it could well be problematic to force an IaaS provider to negotiate all the terms, we can see that compliance will also substantially increase transaction costs *46 . Various hidden costs have been attributed to IT outsourcing in the past *47 ; however, these will become a reality for cloud computing services too. Companies consider cloud computing to be a way to reduce transaction costs *48 ; therefore, increases in these costs will also influence SMEs’ intention to adopt cloud computing *49 .

Ironically, the GDPR excludes SMEs from the application of the data portability right, as it serves solely the data subjects *50 . The wording of the relevant clause allows only the data subject to receive the data in a widely used format and does not grant the SME (as a data controller and not the subject) the right to request the same from the data processor. In the case of SMEs using IaaS, the SME would be obliged to provide the data to its clients (data subjects) in a widely used format while the IaaS provider would have no obligations whatsoever to the SME in this regard.

This is by no means an exhaustive list of the changes that will directly influence relations between SMEs and IaaS providers. The upcoming reform threatens cloud service as such or, more precisely, its provision by cloud providers established in the EU or offering services to European customers *51 . Even if cloud providers proactively adapt to the forthcoming changes, opting for a cloud service will not be as beneficial as it was before, so whether SMEs would still consider IaaS an option at the end of the day is questionable. In the absence of clear indications of readiness to adapt, the scale of the impact remains to be seen.

5. European Commission initiatives aimed at fostering cloud computing

On the other hand, wider adoption of cloud computing by SMEs is an objective set by the European Commission in the context of its Digital Single Market Strategy *52 . A number of European Commission ­initiatives have looked specifically at the contractual aspect of relations between clients and cloud providers. Three of them are of particular relevance for SMEs’ compliance with data protection legislation: The Data Protection Code of Conduct for Cloud Computing, the Cloud Service Level Agreement Standardisation Guidelines, and the Report on Standards Terms and Performance Criteria in Service Level Agreements for Cloud ­Computing Services.

In early 2015, the Cloud Select Industry Group (C-SIG) presented the first draft of the Data Protection Code of Conduct *53 , which is a voluntary instrument for cloud service providers’ use in proactively demonstrating their compliance with the data protection principles, via adherence to the code by either self-evaluation or a third-party audit. Notwithstanding its potential, it faced criticism from the Article 29 Working Party *54 for failure to acknowledge the forthcoming changes, to clarify the notion of personal data, and to prevent terms of service that favour the service provider. When updated in response to the concerns raised, the code can become an instrument that cloud providers would rely on to attract SMEs as IaaS clients. However, the balance has to be maintained in order for the code to remain appealing for adherence, since indicating support for it does not automatically mean compliance. Rather, it indicates recognition of clients’ demands.

C-SIG also presented the Cloud Service Level Agreement Standardisation Guidelines *55 , which cover B2B relations (relations between service providers and clients who are not consumers). The aim with these guidelines was to contribute to the development of relevant ISO standards and to list basic principles to be borne in mind in drafting of SLAs for cloud services. Among other things, they address data protection compliance and provide a tool for a controller’s use to evaluate a particular service. Nonetheless, they do not take into account the forthcoming changes. If updated accordingly, however, the guidelines can be useful for both SMEs and IaaS providers who are willing to enter into an agreement compliant with data protection rules.

The objective for the final report ‘Standards Terms and Performance Criteria in Service Level Agreements for Cloud Computing Services’ *56 was to summarise existing rules with respect to SLAs in the Member States and to create a model SLA that could be used by cloud service providers. The study for that report showed that it is uncommon to have cloud- and SLA-specific legislation in place and that global providers offer standard, non-negotiable SLAs, whereas small national providers may allow clients to negotiate the terms. The model SLA developed in the report is not a standalone contract but a cloud-oriented set of elements to be addressed in SLAs, comprising only measurable and technology-neutral metrics. It targets B2B contracts and is not comprehensive, but it could complement existing guidelines if the results of the separate initiatives for these were to be revised, codified, and developed further.

One of the most recent proposals made by the European Commission in the context of the Digital Single Market Strategy is the Digital Content Directive *57 , designed to harmonise some facets of contracts for supply of digital content *58 . Cloud services are within the scope of the proposed Directive because the notion of digital content (the subject of the Directive) encompasses services that allow creation of the data at issue *59 . However, it excludes SMEs from the scope of application by defining a consumer as a natural person acting outside the connection of said person’s trade or business *60 . Hence, SMEs will not be eligible to enjoy ­certain rights in respect of contracts for the supply of cloud services, in contrast to private consumers.

In summary, it can be stated that the European Commission sees SMEs’ adoption of cloud computing as beneficial for the Digital Single Market and has initiated various studies in this con­text. Still, most of the reports addressing data protection compliance are no longer accurate, be­cause of the forthcoming changes. Furthermore, some of the related legislative initiatives fail to acknowledge B2B relations, by being consumer-centric – namely, the Digital Content Directive.

6. Conclusions on how the new regulation is likely to affect SMEs’ use of IaaS

When we return to the initial questions – that is, whether SMEs will be equally interested in adopting IaaS when the GDPR comes into force and whether the GDPR interferes with the objective of wider adoption of cloud computing by SMEs – it is apparent that the former is to be answered in the negative and the latter in the affirmative. The coming changes will diminish the main benefits that IaaS offers today, which are low transaction cost and rapid access to easily scalable resources. To remain compliant with the data protection rules, SMEs will have to invest heavily in negotiations with the providers (if providers will actually be willing to negotiate) or consider alternative options – namely, traditional outsourcing services.

Data controllers’ and data processors’ compliance under the forthcoming data protection regime can be effectively secured through an appropriate agreement and co-operation when SMEs obtain traditional outsourcing services. However, cloud computing does not anticipate the same level of co-operation between the parties; the services are offered on a take-it-or-leave-it basis. A sensible choice for SMEs seeking to obtain infrastructure resources would be to co-operate with a traditional IT outsourcing provider (possibly previously known) rather than approach an external cloud provider and use a public IaaS solution. Consequently, the GDPR interferes with another EC objective, wider adoption of cloud computing by SMEs.

While interest in cloud services is currently growing, the proposed data protection regime will either slow it down or considerably change the state of the market. As data protection rules better suit outsourcing relations, long-established ITO providers with a large customer base will certainly benefit. By catching up with recent technological developments, they will be able to offer more flexible solutions and provide comprehensive guarantees as to data protection compliance. Obtaining outsourcing services does still have its dangers; *61 nevertheless, some of them may soon be addressed by the European Commission proposals. *62

Despite a considerable number of initiatives to promote cloud adoption by SMEs, the results of most of them are going to become obsolete – firstly, because they do not refer to the GDPR; secondly, because they assume the parties to have equal bargaining power; and, finally, because they lack provision for incentives for the service providers. The cloud computing market is largely self-regulated right now, and, although there are competition concerns at the moment, they will be overshadowed by compliance concerns and increases in transaction cost.

While large enterprises may be able to address these compliance concerns effectively by allocating the necessary resources, SMEs will not be able to do the same and will need to reconsider their options. Those SMEs that are planning to adopt IaaS may want to think twice about whether to entrust the provision of resources to an external cloud provider and opt for a public cloud option or instead turn to an outsourcing provider and purchase a private-cloud or even non-cloud solution. Those SMEs already taking advantage of public-cloud IaaS will have to either negotiate new terms with the provider (which might prove difficult) or turn to an outsourcing provider.

One could avoid such consequences by developing a data protection framework that is more suitable for today’s realities. Rather than assume that similar business relations exist between each company processing personal data and the respective subcontractor(s), the data protection scheme should acknowledge diversity of business models and consider whether it is necessary to make the same demands of each and every actor. Secondly, the EC may want to consider making data protection rules less data-subject-oriented. As was shown above, the EC, in an attempt to serve data subjects, misses an opportunity to address B2B relations too and provide further benefit to data subjects. Thirdly, it could be advantageous to look for an alternative notion of personal data. There have been discussions about what that could be, with proposals ranging from abolishing the controller–processor concept and vesting data controller obligations in anyone processing the data *63 to not treating encrypted data as personal data in the absence of an encryption key *64 .

Although the Commission ‘does not tend to be overly intrusive, in order to avoid hampering the technological development of the ICT sector in the EU, which is perceived to be a key sector of the EU economy’ *65 , it remains to be seen how the forthcoming changes are going to affect competition in the market for computer infrastructure resources. A transaction cost that has become so high that it exceeds the perceived benefit could hinder the intended impact of the legislation. *66 Forcing an ill-suited framework into place may harm competition without achieving substantial results in protecting data subjects’ rights and could hamper further development of technology, not to mention interfering with the efforts to promote cloud computing’s adoption.