Office 365 v. Google Apps: A data protection perspective

Jan Tomíšek

Abstract

This article lists the requirements of European data protection law as regards the contents of a contract between cloud provider and cloud client. Based on these requirements the contracts for the provision of Google Apps for Work and Microsoft Office 365 for small and medium enterprises are evaluated and compared from the data protection perspective. The article also discusses the shortcomings of the current legal framework for data protection with regard to cloud computing, and analyses the possible improvements made by the General Data Protection Regulation.

A cloud client usually plays the role of a data controller, while the provider may be a data controller, a data processor, or may fall outside the scope of data protection law altogether. The relationship between the client and a cloud provider acting as a data processor must be governed by a contract stating that the provider is bound by the instructions of the client and describing the security measures applied.

The contract for Microsoft Office 365 was found to be compliant with data protection law. The contract for Google Apps for Work suffers from several deficiencies that may cause a breach of data protection law.

The current data protection framework lacks unification, clarity and scalability. With the exception of unification, the General Data Protection Regulation is not expected to bring a substantial improvement if it is adopted with the proposed wording. To cope with the current law, cloud clients and providers may use the Cloud Service Level Agreement Standardisation Guidelines.

Keywords

Data protection; cloud; SaaS; Google Apps; Office 365; data processing agreement; DPA


https://doi.org/10.5817/MUJLT2015-1-6
Copyright (c) 2015 Masaryk University Journal of Law and Technology