How to avoid unavoidable data protection audits
Anyone who hosts his cloud application at a service provider and processes personal data – even if only the users' IP addresses – has the legal right to carry out on-site inspections at the service provider's premises and computer centres. This article describes how Amazon Web Services (AWS) attempts to avoid this without violating the GDPR.
Amazon Web Services is one of the big players in the cloud business. AWS operates large data centers in numerous so-called availability zones around the world. Here, customers can rent computer capacity and operate their cloud applications.
Cloud applications typically process personal data, including the users' IP addresses. This means that cloud application operators who are subject to the European General Data Protection Regulation (GDPR) are controllers in terms of data protection legislation. In this case, AWS is a so-called processor and must allow for and contribute to audits conducted by the controller.
Not without my contract
The controller and the processor cannot simply start processing personal data, but have to conclude a contract beforehand. Article 28 paragraph 3 of the GDPR sets out the mandatory provisions to be included in this contract.
Even if the data processing takes place on the equipment of a processor, the controller – nomen est omen – remains the one who controls it. Should the processor violate any data protection provisions, it is the controller who has to pay the fine. The GDPR therefore places great emphasis on the controller not merely holding this responsibility theoretically on paper, but being able to actually and effectively exercise it.
In particular, Article 28 paragraph 3 point (h) of the GDPR grants the controller comprehensive information rights with respect to its processors. This explicitly includes the right to carry out on-site inspections at the processor's premises and to form its own impression there.
AWS: inspections not desired
For AWS, that's pretty nasty. On the one hand, they don't want customers to traipse through their data centers. On the other hand, they want to do business with customers in the European Union (EU) or the European Economic Area (EEA) and must therefore comply with the GDPR. What to do?
AWS has come up with a contractual arrangement intended to keep customers out of the data centers while still being compatible with the GDPR. I will explain below how this works.
The contractual relationship between AWS and all of its customers is governed by the standard AWS customer agreement. For AWS customers who are subject to the GDPR as controllers or processors, the AWS GDPR Data Processing Addendum (DPA) also applies. An essential part of the DPA is the set of standard contractual clauses approved by the EU Commission.
Standard contractual clauses enable data transfers to third countries
These clauses allow the transfer of personal data to a third country or to an international organisation, because they constitute so-called appropriate safeguards, pursuant to Article 46 paragraph 2 point (c) of the GDPR. They extend, so to speak, the provisions of the GDPR to processors even in those places where the European Union has no legislative power. If such a processor engages other processors, it must conclude contracts with them that are also GDPR-compliant and include the standard contractual clauses.
This is designed to ensure data protection across all processors. In order for this to work, the standard data protection clauses must not be changed, but must be incorporated into each specific contract as they stand.
Back to inspections. As we have seen, Article 28 paragraph 3 point (h) of the GDPR grants the controller the right to carry out inspections. And that is not the only thing: it also specifies who is to carry out these inspections, namely the controller himself or an auditor appointed by him. The GDPR directly obliges processors in the EU to allow for and contribute to such inspections.
The data exporter carries out the auditing or appoints the auditor
The standard data protection clauses pass this obligation on to processors in third countries in the form of a contractual arrangement, specifically in clause 5 point (f). Under this clause, the data importer (in this case: AWS) commits itself “at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority” (emphasis added).
AWS prefers a different approach. The company describes its wishes in section 10 of the DPA: AWS would like to have an audit of its own carried out at least once a year. The result of such an inspection would be a report, which the customer could obtain under strict confidentiality.
AWS prefers self-auditing
And that, in AWS's view, should really be enough. Customers or their representatives inside the data centers? Nope, rather not! Thus, AWS makes the following provision in section 11 of the DPA:
“Customer Audits. Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing AWS to carry out the audit described in Section 10. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending AWS written notice as provided for in the Agreement. If AWS declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this DPA and the Agreement. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.”
Okay. Let's translate that into plain English and summarize a little. It then reads:
- If you want to audit us or have us audited, then assign that task to us.
- If you don't like that, let us know in written form what you want instead.
- If we do not agree with your proposal, you may cancel your contract.
Point 1 is really hard to believe: AWS wants to inspect AWS! Seriously? What about the fox guarding the henhouse? Even if AWS does not carry out the inspection with its own personnel and instead commissions “independent safety experts” with the task, this would still represent a massive curtailment of the rights that the GDPR grants the controller.
For any other kind of inspection, for example one carried out by the customer himself, AWS raises the hurdles (point 2) and threatens to terminate the contract (point 3). Wait, no, that's not true! AWS does not threaten the customer with termination at all, but grants him a special right of termination. An important difference!
It's all just fun!
As we have seen, AWS's message to the customer amounts to: “Nope, you cannot audit us or have others audit us. If that doesn't suit you, please leave!” However, that would mean that the controller would no longer have any real freedom of choice. He could not exercise his responsibilities according to Article 28 GDPR, and the protection of personal data processed by AWS on behalf of the controller would no longer be ensured. This would be inadmissible and a personal data breach.
However, the legal advisers of AWS are not stupid. They know that something like that would be inadmissible. That is why they won’t say such a thing. Rather, they try to convey the “appropriate” impression to the customer, so that he won't exercise his right to make inspections. And to avoid any legal ambiguities, AWS has added another sentence:
“If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.”
In plain English: “April fool! It was all just fun!” Let's take a closer look:
“If the standard contractual clauses apply,” AWS says. Well, what now? Do they apply or not? Yes, of course they do! They are part of the DPA. And the DPA in turn applies precisely and explicitly to AWS customers who are subject to the GDPR. There is no other way! In the relationship between the data exporter and AWS as the processor, the standard contractual clauses have to apply. After all, they are the appropriate safeguards for transferring personal data to AWS.
Controllers have every right to inspect AWS data centers
This is precisely what the last sentence of section 11 of the AWS DPA expressly states: “nothing in this Section varies or modifies the Standard Contractual Clauses”. No, of course not! So what does that mean? It means that the standard contractual clauses apply without any restrictions. And what is the consequence? The controller’s right to carry out on-site inspections is entirely unrestricted.
Well, one could be picky here and point out that the standard contractual clauses do not have to apply if controllers want to inspect data centers located in the EU or in a country for which the EU Commission has issued an adequacy decision pursuant to Article 45 GDPR. The result would be the same: the controller has every right to inspect the data center.
However, AWS does all it can to hide this fact as much as possible from the customer:
- There is their friendly offer not to use the AWS services any more. I suppose some people will be fooled. “Many thanks for the special right of termination,” the customer’s appropriate response should be. “However, I don't want to terminate my contract at all. And I still want to have a look at your data center.”
- The conditional sentence “if the standard contractual clauses apply …” confuses customers regarding the legal situation. In any case, it is more likely to cause irritation than clarity.
- Finally, AWS stresses that the rights of a supervisory authority or a data subject are not affected. This statement is as correct as it is superfluous. From AWS' point of view it is nevertheless useful, as it distracts from the crucial fact that the rights of the controller are also unaffected!
Section 11 of the AWS DPA does not alter the legal situation created by the GDPR in any way, except for the customer's special right of termination. It consists of convoluted, pompous wording and, in my opinion, serves only a single purpose: to give the customer the impression that he has no right to carry out inspections, while in fact he does have this right. If you read it carefully, section 11 of the DPA imposes no restrictions on this right – it cannot impose any restrictions on this right – and says so itself. Thus, the entire clause has no consequences and could be dropped.
Overall, I believe that the AWS DPA is GDPR-compliant, but nevertheless serves the purpose of deterring controllers from inspections.