The introduction of Regulation (EU) 2016/679, otherwise known as GDPR (“the Regulations”) has resulted in significant changes to the UK and European data protection landscape.
As businesses large and small consider the practical and operational implications of these changes, an interesting aspect might be the relationship between the providers of cloud services and their clients. An example, of this can be seen in Article 28 of the new Regulations, which sets out a prescriptive and detailed set of data protection obligations that controllers are required to contractually impose on their processors.
Of course, under GDPR the client would normally be the controller of personal data, and the cloud provider its processor. At a time when businesses are increasingly reliant on cloud computing services, the provisions of Article 28 will create an interesting challenge for small businesses who as controllers, are now required to ensure the detailed list of obligations required under Article 28 are included in their cloud services contracts.
One particular obligation under Article 28(2), is that the processor must provide the controller with notice of any sub-processors it wishes to appoint and the controller will have the right to object. Typically, large cloud providers are reluctant to move away from their standard terms of business, and many adopt a “take-it-or-leave-it” position in contract negotiations, in particular with respect to their preferred sub-processors. However, European data protection supervisory authorities have indicated that an inequality in the bargaining position between a cloud client and its supplier will not release the small cloud client from its obligations under Article 28.
Therefore, a careful review of the terms of their cloud services contracts by all cloud service clients is strongly recommended. It also goes without saying that as a result of Article 28 of the Regulations, cloud providers used to operating under their standard terms, will in future be required to display a greater degree of flexibility when negotiating contracts with prospective smaller clients.