Expert Group on Cloud Contracts, 30 April 2014

Discussion Paper: Data Disclosure and Integrity

Ian Walden

A cloud service encompasses a wide range of components, and the contract governing their provision will likewise address these different components. Cloud contract terms can be broadly distinguished into those concerning the treatment of ‘data’ submitted to, or generated by, the service on behalf of the cloud user, and those specifying the ‘service’ being supplied to the user. For the purposes of this briefing note, issues of data disclosure and data integrity are seen as primarily falling into the former category, i.e. data handling, although service levels can also clearly impact on both.

1. Scope

In this briefing note, a data disclosure is distinguished from a data transfer, which is examined in another Expert Group paper [1], although it is recognised that they are overlapping concepts. A disclosure is presumed to involve data passing from one entity (controller/processor) to another entity (another controller/processor, or within a controller/processor). The disclosure may occur either with or without the authorisation of the disclosing entity. In the latter scenario, the conduct of the recipient entity is presumed to be unlawful. Unauthorised disclosures resulting from illegal access, interference or interception [2] can clearly impact on the integrity of the data held by the cloud service provider (‘Provider’), but such criminal conduct is not examined further in this note. A disclosure authorised by another controller or processor does not necessarily equate with a lawful disclosure, as the disclosing party’s conduct may itself be unlawful. A disclosure may be by “transmission, dissemination or otherwise making available” [3], the latter phrase being an example where a disclosure may not constitute a data transfer [4].

A data transfer involves data being disclosed to a recipient in a third country or international organisation outside the EEA; it can take place between different entities in different countries, or within a single entity to a different country.

Data integrity is concerned with ensuring that the data processed by a Provider on behalf of a customer, or on the Provider’s own behalf, is secured against unauthorised destruction, loss or modification, whether resulting from deliberate, inadvertent or accidental actions of the Provider or a third party, including other users of the cloud service. The term data integrity is sometimes used to encompass all forms of security breach, including loss of confidentiality and availability. For the purposes of this briefing note, a breach of confidentiality is seen as equating to an unlawful data disclosure, while data availability is viewed as an element of service availability and is considered in another Expert Group paper [5].

2. Standard terms

The following summarises the current position with respect to aspects of data disclosure and data integrity, based on the standard terms offered by some of the leading cloud service providers.

2.1 Data disclosure

All providers state that they will disclose customer data in response to a valid court order [6]. Some providers include procedural safeguards, stating that they will endeavour to provide the customer with prior notification of any such legal request, where legally permissible, to enable the customer to take steps to challenge any such request. Providers also often reserve the right to disclose in urgent circumstances, i.e. where there is a clear and immediate need to disclose in the public interest or to preserve life.

There is a spectrum of approaches to disclosing in other circumstances, from retaining a broad unfettered discretion to obligations to act in ‘good faith’ or on a ‘reasonable’ belief. The relevant interests may generally include the Provider’s own interests as well as those of third parties. Given the publicity over Microsoft’s recent decision to access a user’s Hotmail account in the course of an internal investigation [7], it should also be borne in mind that a disclosure to a third party, e.g. a law enforcement agency, may be preceded by unilateral access by the Provider rendered permissible under the terms of service.

2.2 Data integrity

In the Cloud Legal Project’s 2010 and 2013 surveys [8], it was found that the majority of Providers placed responsibility for the integrity of customer data with the customer. Some Providers promised to use their ‘best efforts’ to preserve customer data, but still disclaimed responsibility for data integrity. Customers are also recommended to take various steps to address data integrity concerns, from the use of encryption to making back-up arrangements (which are sometimes offered by the Provider at additional cost), e.g.:

  You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content [9].

To reflect customer concerns, as well as data protection obligations, Providers usually incorporate provisions recognising a general commitment and obligation upon them to implement and maintain ‘industry-standard’, ‘reasonable’ or ‘appropriate’ security measures. Providers sometimes accept higher levels of liability for a loss of confidentiality resulting from a data security breach, although this would not usually cover other forms of loss of data integrity.

3. Data protection analysis

A Provider can be seen as processing three broad categories of personal data relating to a customer:

(a) Content supplied to, or generated by, the cloud service by users;
(b) Attributes data or meta-data generated through use of the service; and
(c) Subscriber or user data identifying characteristics of those authorised to use the service.

With respect to these different categories of data, the Provider is likely to have different roles from a data protection perspective, as either controller or processor [10]. For the purposes of this note, it is presumed that the Provider is a controller in respect of categories (b) and (c), but a processor in respect of (a); although in any particular circumstance it may be held that the Provider’s conduct is of a different nature.

As controller or joint controller, the Provider’s obligations in respect of data integrity and disclosure are governed by national law implementing Directive 95/46/EC, as well as any contractual obligations accepted or negotiated between the Provider and its customers. Data disclosures require a legitimate basis (arts. 7 and 8), while obligations with regard to data integrity can be found primarily in the principles relating to data quality (art. 6) and the security of processing operations (art. 17).

As a processor, the Provider may not necessarily have direct regulatory obligations under Directive 95/46/EC, but must at least be subject to contractual obligations vis-à-vis the controller [11]. Those obligations are to process the data only in accordance with the instructions of the controller and to implement appropriate technical and organisational security measures [12]. The former is primarily of relevance to data disclosures, the latter to the maintenance of data integrity.

3.1 Data disclosure

As a controller, a Provider may face three kinds of liability resulting from a data disclosure:

- liability for authorising an unlawful disclosure;
- liability for failing to prevent an unauthorised disclosure; or
- liability for failing to comply with notification obligations consequent from an unauthorised disclosure [13].

With respect to the first, the disclosure could take place between two controllers, either acting independently or jointly. The disclosing controller will, in the first instance, decide the lawful justification for making the disclosure, from consent to the legitimate interests of the controller or “the third party or parties to whom the data are disclosed” [14]. So, for example, a disclosure in urgent circumstances would seem permissible by a Provider as controller in respect of both personal data and sensitive personal data, if justified either because it is necessary to protect the ‘vital interests of the data subject’ [15] or by law, in particular in the public interest [16]. The disclosure may subsequently be held to be unlawful, however, either by a national supervisory authority or by a tribunal.

A Provider will usually impose provisions designed to limit its contractual or tortious liability in all three circumstances above, although a Provider is not able to transfer any regulatory liability under data protection law. It may try to contractually shift any financial implications consequent from a finding of non-compliance on to other parties in the cloud supply chain, i.e. processors and sub-processors, such as an IaaS, through indemnity provisions concerning any acts or omissions committed by a processor or sub-processor that result in the Provider’s liability. In addition, under the current regime, regulatory liability arising from the conduct of a receiving controller, e.g. processing for incompatible purposes, would not generally result in any liability on the disclosing controller unless it can be shown that he had some responsibility for the unlawful conduct, e.g. he disclosed data knowing that the receiving controller was intending to engage in unlawful processing [17]. However, the parties may alter the regulatory position through contract, agreeing to be ‘jointly and severally liable’ for any damage caused to a data subject by any breach, which is the position adopted under the Model Clauses for data transfers between controllers [18].

As a processor, any contractual obligation on the Provider to only process on the instructions of the controller is subject to an exception: “unless ... required to do so by law” [19]. If required by law, a Provider can in certain circumstances disclose a user’s content data, category (a), without instruction from the user, as controller. Considerable controversy exists as to the source of any such ‘legal requirement’, as a requirement originating from a third country is arguably not enforceable against a processor established in a Member State, while any subsequent disclosure would constitute a data transfer, subject to Chapter IV of Directive 95/46/EC, and is beyond the scope of this note.

3.2 Data integrity

The requirement for a Provider (as processor) to implement appropriate security measures also requires that a customer (as controller) choose a processor that provides ‘sufficient guarantees’ and can ensure ongoing compliance with those measures by the processor [20]. Each aspect should be reflected in the contract with the Provider, through commitments to meet and maintain certain security standards and to enable some form of ongoing oversight. The latter may take various forms of responsibilities for the processor, from a specific right to audit systems, to an obligation to supply copies of third-party audits, to security breach notification procedures.

Liability for breaches of data integrity will obviously depend in part on the cause, whether resulting from conduct of the Provider, the customer or a third party. Recently, for example, the Microsoft OneDrive service has been accused of altering the meta-data of files in the course of customers synchronising such files [21]. From the customer’s perspective, the Provider will be presumed to take responsibility for the conduct of any other processors or sub-processors that provide part of the supply chain, e.g. an IaaS; although whether such risks are adequately addressed through the contractual chain may be questionable [22].

A critical third party in cloud computing is the communication providers that transmit data between the customer and the Provider. Both parties will obviously have contractual relations with their own communication provider, but will not generally have such contracts with any intermediary provider. Indeed, where the traffic is carried over the public internet, the Provider’s and the customer’s communication providers are also very unlikely to have a chain of agreements. To the extent that any communication provider is subject to EU law, it will have direct regulatory obligations to secure the service, protect the confidentiality of communications and control the disclosure of traffic and location data under national law provisions transposing Directive 2002/58/EC [23].

Identifying the cause of a data integrity breach, a first step in the attribution of responsibility and ultimately liability, can itself often be extremely difficult, due to the complexities of the different layers of applications that comprise a cloud service and their interaction with the applications and data used and supplied by a customer, or the conduct of others within a multi-tenanted environment. In such situations, public law intervention may be required to assist consumers to recover any harm or loss suffered, ranging from the imposition of strict liability to evidential presumptions. Such matters are beyond the scope of this note.

4. Questions for discussion

4.1 Data disclosures

- Should there be contractual limits on the right of a Provider to disclose data submitted/generated by a Cloud Customer?
- Should there be contractual limits on the right of a Provider to disclose attributes data or identity data?
- What procedural safeguards should be detailed in the contract regarding Provider disclosures, and to which categories of recipient should such safeguards apply?
- What procedural safeguards should be detailed in the contract regarding disclosures in urgent circumstances?
- Should a disclosing Provider be held contractually liable for the conduct of a receiving Provider?
- What ‘legal requirements’ should permit a processor to disclose data without the authorisation of the Cloud Customer?

4.2 Data integrity

- Should Providers be subject to certain minimum contractual guarantees concerning data integrity?
- Should the contract specify what constitutes a breach of data integrity?
- What contractual obligations should be required to enable adequate on-going oversight of a processor’s obligations?
- Should Providers be contractually liable for a breach of data integrity by any of their processors and sub-processors?
- What liability should communication providers have towards a Provider or its customers?
- Should the contract specify who is responsible for proving the cause of any data integrity breach?

Notes

[1] Bartoli, E., “Data Transfers in the Cloud”, 28 March 2014.
[2] See further Directive 13/40/EU ‘on attacks against information systems’, OJ L 218/8, 14.8.2013.
[3] Directive 95/46/EC, art. 2(b).
[4] Lindqvist [2004] Q.B. 1014: making available does “not as such constitute a transfer [of data] to a third country” (para. 70).
[5] Czarnowski, P., “Service availability (in the clouds)”, 24 March 2014. The issue is also being addressed by the Cloud Select Industry Group on Service Level Agreements.
[6] Note that valid does not mean legally binding or enforceable.
[7] The Guardian, “Former Microsoft employee arrested over Windows 8 leaks”, 20 March 2014.
[8] See Bradshaw, Millard and Walden, “Standard Contracts for Cloud Services” in Cloud Computing Law (ed. Millard), OUP, 2013.
[9] AWS Customer Agreement, at 4.2.
[10] See Article 29 Working Party, Opinion 05/2012 on Cloud Computing, WP 196, 1 July 2012.
[11] We note that a processor may have direct regulatory obligations under the national law of a Member State and will have distinct obligations under the proposed Regulation.
[12] Article 17(3).
[13] E.g. under Directive 02/58/EC, art. 4(3); the draft Regulation; or the draft Network and Information Security proposal.
[14] Art. 7(f). See also Article 29 Working Party Opinion 06/2014, WP 217, 9 April 2014.
[15] Directive 95/46/EC, arts. 7(d) and 8(2)(c). For sensitive data, the exemption extends to the vital interests of ‘another person’, as well as the data subject.
[16] Art. 7(e).
[17] Art. 23(2).
[18] Commission Decision 2001/497/EC, ‘on standard contractual clauses for the transfer of personal data to third countries’, OJ L181/19, 4.7.2001.
[19] Art. 16.
[20] Art. 17(2).
[21] http://collaboristablog.com/2014/04/microsoft-onedrive-business-can-alter-files-syncs/
[22] See Hon, Millard and Walden, ‘Negotiating cloud contracts – Looking at clouds from both sides now’, 16 Stanford Technology Law Review, 81, 2012.
[23] Articles 4, 5, 6 and 9 respectively.