GDPR — a flaw in Article 28

Michael Gentle
Sep 24, 2018 · 3 min read

It hasn’t caught up with developments in cloud computing

Image for post
Image for post

When a controller transfers data to a third party for processing, Article 28 of the GDPR legislation states that there has to be a ‘written contract’ covering the processor’s obligations and liabilities — including ‘documented instructions from the controller’ on how to process personal data.

That particular rule clearly originated in the days before the cloud came into existence, and people were still writing contracts. Today, cloud computing has become commoditised beyond all recognition. Controllers now deal with multiple cloud providers, each serving thousands, or even millions, of customers. And they do this on a self-service basis, without issuing any written instructions to anyone.

Most cloud service providers never even meet their clients

Needless to say, cloud providers like Amazon, Google or Salesforce are not going to sign individual GDPR-related contracts with their customers, most of whom they will never meet. Instead, they include their GDPR credentials in their generic terms of service, which controllers have no choice but to accept.

Now as long as cloud providers meet their GDPR responsibilities, there is nothing wrong with this approach — indeed, it is the most practical solution.

Article 28 is ultimately still work in progress

Since technology always moves much faster than legislation, this disconnect is understandable. So Article 28 should be seen as work in progress, until such time as the regulator takes into account commoditised cloud computing. When this happens, ‘written contracts’ will probably expand to include ‘terms of service’, and ‘documented instructions’ will become optional. Until that happens, controllers and processors today could both be technically in breach of Article 28; but the regulator is unlikely to enforce it.

What do controllers know anyway?

Article 28 also states that a processor ‘must not use a sub-processor without the prior written authorisation of the controller’. In the pre-cloud world, this approach made sense because of the risks involved in your outsourcer changing suppliers, which could have an impact on your operations. Today, however, we have a smorgasbord of interconnected cloud services, most of which are completely transparent to the controller. To put it bluntly, your average controller simply does not have the expertise to authorise a processor to use — for example, Stripe rather than Polka Dot for payments.

In order to be compliant, therefore, all a processor can realistically do is to inform its thousands of customers of any upcoming changes in its supply chain, and give them the option to approve — or to cancel their contract if they object. Not much of a choice, true, but it’s the only realistic one.

Here too, Article 28 needs to be amended to recognise the de facto right of a cloud-service provider to choose its own sub-processors without requiring the authorisation of its clients. Until then, processors can take comfort in the fact that they are not in breach of Article 28, since they do inform their controllers of any changes to their sub-processor supply chain. It’s just that it’s essentially an FYI, rather than an ‘opportunity to object’.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva. For similar articles by Michael, click here.

Further reading

What’s wrong with the ICO’s draft guidance on controller-processor contracts?

GDPR: Killing cloud quickly?

Article 28 of the GDPR: problems for processors

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store