What does the new EU data protection regime mean for datacentres and cloud service operators?
Changes to European data protection law will put new responsibilities on datacentre and cloud providers
The process of reforming European data protection law has been protracted, to say the least. However, the target for a final text of the EU General Data Protection Regulation (GDPR) is now firmly set for the end of 2015, and it is expected to come into force some time in 2017.
Under the current data protection regime, the law draws a sharp distinction between “controllers” and “processors”, with the controller having all the legal liability. In the datacentre and cloud context, the controller is almost always the customer.
This means datacentre and cloud operators’ direct legal obligations in respect of personal data have been rather limited outside the terms of their contracts with customers, and the adequacy or otherwise of the terms of those contracts has firmly been the customers’ problem.
All that will change when the GDPR comes into force. For the first time, data processors will have direct legal obligations in respect of the personal data they process, and data subjects will be able to claim compensation for unlawful processing of their personal data directly from the processor – that is, the datacentre or cloud service operator.
By far the most important of those direct obligations for datacentre and cloud operators is that processors will, for the first time, be directly liable both to the regulators and to data subjects for security breaches. This is a significant risk for datacentre operators previously accustomed to being liable only to their customers for security problems, and having the protection of (hopefully) robust contractual exclusions and liability caps.