The Regulation of Cloud Computing Service Providers in Greek Law

In simplified terms, cloud computing can be understood as the storing, processing and use of data on remotely located computers accessed over the internet (see p. 1 of the Commission Communication of 27 September 2012 “Unleashing the Potential of Cloud Computing in Europe”, COM (2012) 529 final).

Cloud computing services (CCS) qualify primarily as information society services, since they are normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of these services, i.e. provided through the transmission of data on individual request, whereas providers exercise editorial control over the content transmitted, i.e. they normally control the logical infrastructure of the service (see art. 2 παρ. 2 of Presidential Decree 39/2001). Hence, the provision of CCS is not regulated by electronic communications law, but rather by specific provisions of the legal frameworks regarding e-commerce, intellectual property, data protection, the confidentiality of communications and consumer protection.

A CCS may follow four different models of provisioning, i.e. the private (solely for an organization), the community (shared by several organizations and supporting a specific community that has shared concerns), the public (available to the general public and owned by the cloud provider) and the hybrid models (a composition of two or more clouds bound together by standardized or proprietary technology) (see Grance, Tim and Mell, Peter, 2009. The NIST definition of cloud computing). Furthermore, CCS may be categorised in three types, namely “software as a service” (SaaS), in which the provider delivers software applications and makes them available to customers, “platform as a service” (PaaS), in which the provider hosts the applications of customers, and “infrastructure as a service” (IaaS), in which the provider leases the whole infrastructure to customers (see p. 26 of Article 29 Data Protection Working Party, Opinion 5/2012 on Cloud Computing (WP 196), adopted on July 1st 2012).

Detailed legal evaluation varies depending on the type of CCS offered, especially when it comes to the drafting of the contractual framework between the provider and the customer, however certain general remarks adequately cover all types of CCS.

Internet Intermediaries’ Liability for CCS Providers

CCS providers qualify as internet intermediaries that offer internet hosting services. Therefore, the obligations already exhibited in chapter 5.5 above in relation to internet hosting providers also apply to CCS providers.

As far as law enforcement matters are concerned, CCS providers are obliged to grant access to ordinary personal data of their customers, such as name, address etc, if retained, in cases that law enforcement authorities request access by virtue of a relevant Public Prosecutor’s Order in the context of a criminal investigation (see article 3 παρ. 2β of the Act no. 2472/1997 (General Data Protection Act – GDPA), Public Prosecutor’s at the Supreme Court Opinion 6/2012).

CCS providers are not obligated under the law to give access to electronic communications data or grant real – time lawful interception of communications, since they do not fall under the definition of publicly available electronic communication network/service providers (see the Presidential Decree no. 47/2005). Nevertheless, the possibility that law enforcement authorities act in contradiction to the law and request for access to internet communications data or for the lawful interception of internet communications by CCS providers should not be totally excluded.

Copyright Issues for CCS Providers

It is in the nature of CCS to be utilized by customers as digital lockers for content or synchronisation tools to access content from different devices. As a consequence, these service features may permit users to keep and access on demand copies of intellectual works. From the perspective of the Act 2121/1993 on copyright, in the case of protected works, such copies are technically and legally no different from copies that the user can create at home, and should therefore benefit from the private copying exception (see article 18 παρ. 1 of the Act). Therefore, the cases mentioned above do not pose any regulatory risks for the CCS providers, which will host the relevant content. The European Commission has recently though raised the question whether such features should lead to the collection of private copy levies by CCS providers (see p. 7 of the Commission Communication).

In relation to copyright, regulatory risks arise in two cases :

Under Greek law, the private copying exception applies on the condition that the initial copy is legitimate. If not, CCS providers shall be regulated under the “safe harbour” provisions and are obliged to comply with the “notice and take down” procedure for internet hosting providers analysed in chapter 5.5 above.

The private copying exception only covers CCS, in which the hosted content remains intended for the user. However, in cases where content is made accessible to the public, protected works are no longer intended for private use, rather they are exposed to copying by third parties. In these cases yet again CCS providers shall be regulated under the “safe harbour” provisions and are obliged to comply with the “notice and take down” procedure for internet hosting providers analysed in chapter 5.5 above.

Data Protection Issues for CCS Providers

Taking also into account the duties described in chapter above, additional data protection issues that arise in the particular context of cloud computing services can be summarised as follows :

  • Data Controller / Processor Relationship – In most cases, CCS providers qualify as data processors under data protection law, whereas their customers should be considered as the actual data controllers of the personal data submitted in the CCS infrastructure (see p. 8 of Article 29 Data Protection Working Party, Opinion 5/2012 on Cloud Computing (WP 196), adopted on July 1st 2012). Therefore, CCS providers must draft their provider / client contracts in such a way, so as to commit their customers to observe and comply with data protection legislation, to allocate all the data controller’s legal duties to the latter and to hold themselves indemnified in the event of infringement by the controller/CCS customer.
  • Contracts between CCS providers and the CCS customers must necessarily be in writing. The contract must provide that the CCS provider carries out data processing only on instructions from the controller and that the confidentiality and security obligations arising from the law shall also mutatis mutandis be borne by the CCS provider (see article 10 παρ. 3 of the GDPA).
  • CCS providers (as processors) have the duty to ensure the confidentiality of the content hosted in their infrastructure or via their services (see article 10 παρ. 1 of the GPDA).
  • CCS providers (as processors) are responsible for adopting the organisational and technical measures to secure the data under processing and protect them against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access as well as any other form of unlawful processing. Such measures must ensure a level of security appropriate to the risks presented by processing and the nature of the data subject to processing (see article 10 παρ. 3 of the GDPA).
  • CCS providers must also support and assist the controller/customer in complying with exercised data subjects’ rights (see p. 9 of Article 29 Data Protection Working Party, Opinion 5/2012 on Cloud Computing (WP 196), adopted on July 1st 2012).
  • The processing must be carried out solely and exclusively by the personnel of the CCS provider upon the latter’s instructions and shall have adequate professional qualifications in respect of technical expertise and personal integrity, in order to ensure such confidentiality (see article 10 παρ. 2 of the GDPA).
  • CCS providers may subcontract services out to subprocessors only on the basis of the consent of the controller/customer, which may be generally given at the beginning of the service, with a clear duty for the CCS provider to inform the customer of any intended changes concerning the addition or replacement of subcontractors, and with the customer retaining at all times the possibility to object to such changes or to terminate the contract. There should be a clear obligation of the CCS provider to name all the subcontractors commissioned.
  • In addition, CCS providers must sign contracts with subcontractors, which shall mirror the provisions of the contract between CCS providers and CCS customers (see p. 10 of WP Opinion 196).
  • Physical location of the personal data must be known by the CSS customer in every phase of the processing.
  • Greek data protection law shall apply in all cases that the processing of personal data is carried out : (a) by a CCS customer established in the territory of the Greek state, (b) by a CCS Processor established in the territory of the Greek state and (c) if the CCS infrastructure used for the purposes of processing personal data is situated in the territory of the Greek state, unless such infrastructure is used only for purposes of transit through such territory (see article 3 παρ. 3 of the GDPAsee Article 29 Data Protection Working Party, Opinion 8/2010 on Applicable Law, adopted December 16th 2010).