Legal Aspects of Cloud Computing in the Polish Banking Sector (EU regulations)
In this article I will attempt to answer the question – what kind of solutions and legislation at the EU level concerning personal data protection, banking secrecy and outsourcing can help banks use cloud computing? But first let us begin with a little history.
The banking sector is highly computerised, and most of its investment in digitalisation was made at the turn of the century. During that period large projects were implemented, tailored separately for each bank and based on independent hardware resources. Each bank possessed its own data processing centres, which are still in operation. Computerisation on an industrial scale required huge financial effort at that time and was therefore available to only a few. The financial sector had the appropriate resources at its disposal and, because it had mainly been occupied with recording numbers for centuries, it was predestined to use IT tools.
IT does not matter
The beginning of the 21st century and the so-called “dot-com bubble”, in conjunction with the development of telecommunications, changed the rules of the game. Some readers may not remember the incredible bull market for Internet company shares in the early 2000s (Amazon shares were a classic example). At the same time Amazon was listed as the most overrated company in history. The bursting of the dot-com bubble deprived many investors of money and hope, but the capital invested in information and communication technology infrastructure remained real. Substantial sums had been invested in data centres, and the traditional way of thinking about IT resources left the available computing power far exceeding actual needs. These events, together with the consumer-scientific cloud SETI@home (created to search for alien civilisations), changed traditional thinking about IT resources and released that computing power. Amazon is currently the world’s largest universal cloud computing provider.
In 2003, Nicolas G. Carr published an article in the Harvard Business Review titled “IT does not matter”, in which he argued that information technology had lost its crucial character and become, like electricity, heating and telecommunications (including data transmission), an “infrastructure” technology accessible to everyone. The argument presented in that article has become reality. The spread of cloud computing offerings has, to a substantial extent, stripped computing power of its significance. According to McKinsey, owning a server is three times more expensive than hiring one in the cloud. Furthermore, the speed of servers is currently doubling every 18 months.
At the same time, the underworld, probably by copying the concept of SETI@home, also gained access to substantial computing power by using so-called zombie networks: individual computers infected by viruses and connected to the Internet. With their help a single individual is able to launch a coordinated attack on, for example, a banking system.
Is it safe?
In such an atmosphere, bank CIOs and CFOs are currently analysing, under the watchful eye of the relevant authority, how to approach the cloud computing offering and whether to treat it as a threat or rather as an opportunity. Concerns have been expressed about the security of cloud computing solutions, about the transparency of providers’ approach to security, and about the scope of legal liability. In response, cloud providers point to budgetary advantages and their industrial approach to security. The problem of transparency collides with the “need-to-know” security principle, and the issue of legal liability should be solved in a practical way, for example through insurance and by operationally reducing dependence on a single supplier.
European cloud enthusiasm
The European Commission has already assessed cloud computing, explicitly recognising this technological and business trend as an opportunity for Europe to increase its competitiveness. This position is set out in a document meaningfully titled “Unleashing the potential of cloud computing in Europe”. The European Commission is also continuously working on several threads in order to remove barriers to the development of the cloud computing market in the EU. The following diagram shows how the European Commission’s work is organised.
The European Commission’s work is in progress and its current status can be tracked through the selected materials published on the Commission’s website at http://ec.europa.eu/digital-agenda/en/telecoms-and-internet/cloud-computing. I am personally taking part in it as the European Commission’s expert in the thread concerning the development of cloud contracts.
The IT sector has expressed concerns that the European Commission’s approach is focused too much on consumer rights and drifts away from its primary objective, which is to accelerate the use of cloud computing. However, the simple fact that the European Commission is conducting activities designed to speed up cloud computing use in the European economy (including in public administration) is vital. Moreover, the IT sector’s concerns should result in joint work and studies presenting balanced views and the full consequences of the regulator adopting too polarised an approach. Such actions are part of the broadly understood concept of co-opetition (a blend of cooperation and competition). In my opinion, a good example of this is the work on cloud computing led by the Banking Technology Forum at the Polish Bank Association, in which I have participated.
What does cloud computing mean for a lawyer?
To provide a legal framework for the various aspects of cloud computing, we should start from the assumption that, from a lawyer’s point of view, a cloud computing contract is at the same time: (1) an entrustment of personal data processing, (2) an entrustment of a secret (here, banking secrecy), and (3) an outsourcing arrangement. It should also be noted that the regulations which apply to cloud computing are rooted in the paradigms of information security and business continuity.
The most important area of law applicable to cloud computing in the European Union is personal data protection, regulated by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive).
The Data Protection Directive uses the well-known concepts of data controller and processor (the person processing data on the controller’s request). In the classic B2B relation the cloud provider is the processor and the cloud’s client (e.g. a bank) is the controller.
Cloud computing legality
In the past, doubts have been expressed concerning the legality of the cloud computing model in light of the EU principles on personal data protection. The most controversial point was the requirement that the controller know the location of the data. Currently, it is widely accepted that this requirement is satisfied if the location of the cloud provider’s infrastructure, such as its data processing centres, is known. However, certain differences are also present here. For example, in the UK, under the government’s G-Cloud programme (which covers the processing of data of strategic importance), the location of the cloud provider’s data processing centres is disclosed only to the relevant agencies, in order to reduce the risk of attack or physical infiltration.
Cross EEA cloud compliance
The Data Protection Directive is not a tool providing full uniformity of law in all EU Member States; rather, it imposes minimum harmonisation requirements. From the cloud provider’s point of view, making offers to clients in other European Economic Area (EEA) states means in practice that there are around thirty legal systems that are similar but differ in detail, across all of which the service must remain compliant. This is because both the rules binding the controller and the data-security rules of the state in which the processor is established apply. In practice this means that cloud computing offered to banks in different countries should jointly fulfil all the data security requirements specified by the laws applicable to those banks and, therefore, offer a sufficiently high level of security.
Free movement of data within the EEA
It is also important that EU law does not require administrative permits for data transfer within the EEA. This gives a big advantage to cloud providers who have their own infrastructure located within the EEA.
It has to be assumed that export of data outside the EEA must meet certain additional requirements, in particular it needs to be permitted by the relevant personal data protection authority (in Poland, the Inspector General for Personal Data Protection – GIODO).
These additional requirements are waived only if the law of the non-EEA state to which the data is to be transferred ensures a level of protection equal to EU personal data protection requirements, or if the cloud provider is Safe Harbour certified, as discussed further below.
Theoretically, the data exporter should make its own assessment of whether the country to which it intends to export data ensures an adequate level of personal data protection. Such a subjective evaluation is in practice impossible. In case of an incorrect assessment, the data exporter risks being held administratively and even criminally liable. Only transfers to states which the European Commission has, by decision, recognised as providing an adequate level of personal data protection give data exporters confidence that the transfer will not be subject to additional requirements. The Commission has issued such decisions with respect to several countries (though not always in full scope), including, e.g., Switzerland, Canada, Israel, Argentina and Australia.
The United States is generally not considered as providing an adequate level of personal data protection. Nonetheless, the EU and the U.S. have negotiated an international agreement under which U.S. companies can ensure an adequate level of personal data protection. Transfers of data to such companies can take place without the need to fulfil any additional legal requirements. It is worth remembering that U.S. companies can join the Safe Harbour programme selectively, e.g. only in relation to their employees’ data.
Edward Snowden’s disclosure of the level of surveillance conducted by the National Security Agency (NSA) has partially undermined confidence in the Safe Harbour agreement. However, by providing additional impetus for the development of cloud computing offerings in the EEA and extending the range of services offered by European cloud providers, it might have positive effects for Europe as a whole. Where cloud solutions offered by U.S. corporations are used, it is nevertheless recommended to choose offers from entities which ensure that data processed in their European offering is not subject to NSA surveillance.
Permission for data export by the Inspector General for Personal Data Protection (GIODO)
Entities intending to export data to a third country may apply for permission from the relevant personal data protection authority (in Poland, in accordance with Article 8 paragraph 1 of the Personal Data Protection Act of 29 August 1997 (the PDPA), this authority is GIODO). Permission is granted for a specific data export to a specific importer, to the extent specified in the application. GIODO does not grant general permission to export all categories of data without direct specification. Therefore, if the data exporter wishes to extend the scope of the exported data, e.g. because the cloud provider’s offering has been extended, it must re-apply for GIODO’s permission.
Standard Contractual Clauses and Binding Corporate Rules
In order to avoid complications and speed up the procedure for obtaining GIODO’s permission for a data transfer to a third country, the data exporter may include in the relevant agreement the Standard Contractual Clauses (SCCs) published by the European Commission. SCCs are a set of standard contractual provisions ensuring an adequate level of personal data protection when data is transferred outside the EU. In such a situation, GIODO automatically accepts the model developed by the European Commission. It will only examine elements such as the purpose and scope of the data (whether the processing is adequate and compliant with the law) and whether the data importer is obliged to apply the relevant security measures.
It is possible that in the future GIODO’s permission for data transfer based on SCCs will not be required at all. The Polish government is currently working on amending the PDPA and removing this obligation.
The European Commission has also developed another mechanism to ensure an adequate level of personal data protection, which is based on Binding Corporate Rules (BCRs) adopted by a certain multinational corporation (precisely, by affiliated companies of such corporation which are located in the EEA as data controllers). BCRs are internal regulations binding affiliated companies of a corporation and concerning personal data protection. If these regulations are adopted and approved by the relevant data protection authority, the corporation will be treated as a secure area for data processing, in which personal data are protected at the required EU level.
Data transfer – diagram
This diagram shows the EU legislation covering personal data transfer as mentioned above.
The abovementioned issues are also described at GIODO’s website: http://www.giodo.gov.pl/163/id_art/326/j/en/
Draft EU Regulation on personal data protection
Work on speeding up European cloud solutions is proceeding in conjunction with work on full EU harmonisation of data protection law, i.e. the draft General Regulation on personal data protection.
On 12 March 2014, the European Parliament adopted a draft Regulation. It has not yet been approved by the Council of Europe, but Commissioner Viviane Reding has stated that she expects intensified work on the reform in 2014.
The draft Regulation takes the concepts of data controller, data processor, and entrusting the processing of personal data, including its storage, from the Data Protection Directive.
As under the PDPA, the administrative liability of the processor (the bank’s cloud provider) will be limited to guaranteeing that the required technical and organisational measures have been implemented.
The draft Regulation defines fairly general technical and organizational measures concerning data security. The European Data Protection Board is to be authorized to define specific technical and organizational measures by publishing guidelines, recommendations and best practices.
The list of the processor’s obligations towards the data controller is to be extended: for example, the processor must provide the data controller and the supervisory authority with all information necessary to verify compliance with the processor’s obligations, must allow inspection by the data controller, and must delete personal data after termination of the cooperation (Article 26 paragraph 2 of the draft Regulation). These provisions will shape the character of the relationship between the cloud client and the cloud provider.
In the cloud computing context the following solutions proposed in the draft Regulation are worth mentioning:
- Privacy impact assessment (PIA). The data controller will, as a rule, be obliged to carry out a risk assessment of personal data processing in the cloud computing context with regard to data subjects’ rights and freedoms. This assessment should take into account the rights and legitimate interests of data subjects and other interested persons and include: a description of the data processing, a risk assessment regarding data subjects’ rights and freedoms, the measures envisaged to address those risks, and the guarantees, security measures and safety mechanisms intended to protect personal data and demonstrate compliance with the draft Regulation. Even now, the Article 29 Data Protection Working Party and other data protection authorities recommend conducting a PIA when using cloud solutions.
- Privacy by design. The data controller should take personal data protection into account at the design stage (privacy by design) and should protect data by default (privacy by default). Taking into account the state of the art and the cost of implementation, both when determining the means of processing and during the processing itself, the data controller implements appropriate technical and organisational measures and procedures so that the processing complies with the Regulation’s requirements and guarantees protection of the data subject’s rights. The processor will likewise be obliged to take data protection into account at the design stage (privacy by design) and to provide privacy protection by default (privacy by default). Current cloud solutions have generally not been designed from this perspective.
- Transferability of data. According to Article 18 of the draft Regulation, the data subject will be entitled to obtain from the data controller a copy of their data in an accessible format. Since it is easy to imagine such a request being submitted to a bank that its online customers treat as a cloud provider, banks should pay special attention to this obligation. The issue of data transferability was the subject of my lecture during the work of the European Commission Expert Group on cloud computing contracts.
- Data breach notification. In the event of a breach of personal data security, the data controller will be required to immediately notify the relevant data protection authority (the one supervising it). If a particular person’s right to privacy might be infringed, the data controller should also notify that person. Work on the European Commission’s regulation on the measures applicable to the notification of personal data breaches is currently ongoing. The draft Regulation will also apply to electronic service providers, such as commercial cloud computing operators.
- Joint controllers. The draft Regulation introduces the institution of joint controllers. Where two controllers jointly determine the purposes, conditions and means of personal data processing, they may define their respective responsibility for fulfilling the obligations arising from the draft Regulation, in particular the procedures and mechanisms for exercising data subjects’ rights. This institution could be useful for banks using a community cloud.
- Penalties. Last but not least, in case of a breach the supervisory authority will be entitled to impose the following penalties: (i) a warning letter for a first unintentional breach, (ii) regular personal data audits, (iii) a fine of up to EUR 100 million or 5% of the company’s global income, whichever is higher. Currently, GIODO can impose a penalty of up to PLN 200,000, and only for non-performance of its decision ordering that a breach cease. Contrary to appearances, this “novelty” may cause a notable growth in interest in cloud computing services. I would encourage those who are interested in finding out why to contact us.
Polish banking outsourcing
The Polish Banking Law, like certain other Polish provisions currently in force, does not directly regulate cloud computing. The legal requirements for outsourcing in the banking sector will therefore apply to processing in the cloud. These are defined in the Act of 29 August 1997, the Banking Law (the Banking Law), in particular Articles 6a–6d and Article 104.
It can be clearly stated that the Polish Banking Law is the regulation most hostile to cloud computing in the entire EU financial sector. As a rule, the Banking Law prohibits any limitation of the outsourcer’s (cloud provider’s) liability for damages. No such restriction exists in the legal systems of other Western states, and it prevents the Polish banking sector from exploiting the potential of cloud computing. Because the cost of using the cloud is low relative to the benefits for the customer organisation, cloud providers are unwilling to accept unlimited liability for possible shortfalls in the quality of their services.
Paradoxically, this stance is also rational from the cloud customer’s point of view. Well-designed and monitored cloud computing provides a level of information security exceeding that which can be achieved by an internal IT department, not to mention cost effectiveness. The way to use it rationally in the banking sector is not to maintain strict liability for potential cloud providers. The current ban on limiting liability in banking outsourcing could give banks a misleading sense of security. They may pay less attention to ensuring effective information security and business continuity on the part of cloud providers, content with the illusory prospect of being compensated for damage, which would nonetheless not compensate for the loss of reputation that may arise if cloud-based services are interrupted. An additional systemic risk arises if many banks use the services of a single cloud provider. Problems in the relationship between that provider and one entity can be contagious, i.e. lead to the provider’s insolvency and thereby “infect” its relationships with its other clients. Infrastructural IT service providers already exist in the Polish banking system, and their collapse would be inadmissible from the banking sector’s point of view.
The correct solution for relations with a cloud service provider should be sought in areas other than the illusion of unlimited liability. One such solution is a fallback arrangement that keeps essential services operating (operational independence), or at least allows continuity to be restored within a reasonable time. The bank may also consider relying on audits of the quality of information security and of the continuity of cloud operation, conducted by independent and trusted operators. A reasonable level of liability insurance can also be expected as an additional guarantee, since the insurer will itself check the security and operational continuity of the insured cloud. Moreover, it is reasonable to expect that the risk of an outsourcer breaching information security is lower than the risk of an insider doing so (an estimated 80% of security threats are caused by insiders). It is also reasonable to expect that a cloud provider’s interest is purely financial, so the provider will take care to ensure the information security and business continuity of its services, since otherwise it would harm itself.
The banking sector is currently facing the challenge of responding reliably and rapidly to market trends, while at the same time being expected to increase the efficiency of the financial sector itself. It is said that the banking sector is the bloodstream of the economy. The more efficient the banking sector is and the less blood it requires to function, the more blood remains for the health of the national economic organism.
Currently, 80% of banks’ IT expenditure goes on maintaining IT systems, with only 20% invested in IT development. A bank may release its internal resources by entrusting part of its repeatable processes to external suppliers that perform these processes more efficiently for many recipients. The expenditure thus released could then be redirected to IT development in order to gain a market advantage (not just over competitors from the banking sector, but also over external competitors entering the financial services market), and also to improve security supervision over the bank’s suppliers.
There can be no turning away from cloud computing. Cost efficiency, responsiveness, flexibility, the budget for security and the ability to attract the best human resources together give this model an inevitable advantage over IT services provided internally by the organisation itself.
The question is whether Poland and the Polish banking sector will be avant-garde or followers of good practice in this field, or whether they will instead become Europe’s rearguard.
Notes
Amazon is currently one of the leaders in the cloud computing offering.
Communication from 7 February 2014 from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace; Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Unleashing the potential of cloud computing in Europe, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:en:PDF
In B2C relations the entire range of consumer regulations additionally applies. Luckily, we can leave this aspect aside as it does not fall within the scope of this article.
OJ L 281, 23.11.1995, p. 31.
When discussing EU legislation and cloud computing, widely accepted terminology is often used.
The Act of 29 August 1997 on the Protection of Personal Data (unified text: Journal of Laws of 2002, No. 101, item 926, as amended).
This project is part of a deregulation package and can be followed at http://www.sejm.gov.pl/sejm7.nsf/PrzebiegProc.xsp?id=3111A078385D3A9EC1257D1500485CF9
Commission Regulation (EU) No. 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
The Banking Act of 29 August 1997, as published in Dziennik Ustaw (Journal of Laws) of 2012, item 1376, as amended.
Such audits should also be considered with regard to the bank’s internal ICT infrastructure.