Contributed By Hellström Law
The data privacy regulation applicable to cloud computing is the General Data Protection Regulation (EU) 2016/679 (GDPR), supplemented by the Swedish Data Protection Act (2018:218) and the Swedish Ordinance (2018:219).
In Sweden, there is no specific legislation concerning cloud computing. However, in July 2023, legislative changes were introduced in the Public Access to Information and Secrecy Act (2009:400) to simplify the process of outsourcing services, such as some types of cloud computing services, for the public sector. Sweden has also recently enacted a specific Act on confidentiality for service providers that receive public-sector information through outsourcing, for example to cloud providers.
It should be noted that there is sector-specific legislation that can be applicable to cloud computing. Also, Swedish confidentiality provisions always need to be considered. As an example, according to Chapter 25, Section 1 of the Public Access to Information and Secrecy Act, there is a strict obligation to protect information about patients in public health and medical care.
The Swedish National Board of Health and Welfare's regulations and general advice (HSLF-FS 2016:40) on record-keeping and the processing of personal healthcare data should also be considered for care providers before storing data in any cloud environment.
Personal data is defined as any information that can be associated with a living natural person, either directly or indirectly (Article 4 of the GDPR). Examples include the name, address and personal identification number of an individual, but a phone number, email address, IP address and photo can also be considered personal data. However, a company registration number is not seen as personal data unless it relates to a sole proprietor (in which case the registration number is the owner's personal identification number).
According to Article 9 of the GDPR, the following types of data are special categories of personal data:
The processing of such data can only be done if one of the exemptions in Article 9 is fulfilled; otherwise, processing is prohibited. There are other types of personal data that may require a higher level of protection than “harmless” personal data. Such data is also relevant to the risk assessment that should be made when performing an impact assessment, and may determine whether a personal data breach should be reported. The Swedish Authority for Privacy Protection (IMY) has listed examples of such personal data, including:
Personal identification numbers and so-called co-ordination numbers may be processed if the data subject has given her/his consent in accordance with Article 6.1(a) of the GDPR. The condition for such consent is laid out in Article 7 of the GDPR (freely given, clearly stated, can be withdrawn at any time, etc). Without such consent, processing can only be done if there is a specific law allowing such processing or if it is important for secure identification or another legitimate interest (see Chapter 3, Section 10 of the Swedish Data Protection Act).
Since there is no specific legislation regarding cloud computing, the legal requirements for processing personal data are the same as those for processing personal data outside of a cloud environment. Organisations and cloud service providers need to provide appropriate safeguards to protect private individuals’ fundamental rights and freedoms.
The processing of personal data can only be done if there is a legal basis in accordance with Article 6 of the GDPR. There are six very important principles in Article 5 of the GDPR that also always need to be complied with. For example, personal data can only be collected for specified, explicit and legitimate purposes, and only processed in a manner compatible with those purposes. Personal data should also be accurate at all times and should only be processed for a defined purpose. It should be noted that, as regards sensitive personal data, in addition to having a legal basis according to Article 6 of the GDPR, the processing of such personal data must be covered by one of the exemptions in Article 9 of the GDPR.
The rights of data subjects always need to be considered and complied with, even in a cloud environment. Such rights are outlined in Chapter 3 (Articles 12–23) of the GDPR:
When designing and/or working with IT systems in general, and specifically when using cloud computing services, data protection – by design and default – must be complied with in accordance with Article 25 of the GDPR. Implementation of data protection focusing on protection by design and default can benefit the data controller, data processor and data subjects. Data protection by design implies that requirements concerning personal data are met, and that data subjects’ rights are protected, when a cloud computing system is designed. Data protection by default means that the personal data, as a standard, is not processed unnecessarily.
The specific obligations for data controllers and processors in the cloud environment are also related to the regulation of the GDPR and the supplementary Swedish provisions mentioned in the foregoing (see also Chapter 4 of the GDPR). The responsibilities and obligations are specifically mentioned in Article 24 for data controllers and in Article 28 for data processors, while some obligations apply to both parties (for an example, see Article 31).
The cloud service provider (processor) should not do anything with the data unless the data controller has instructed it to do so. The processor shall not engage another processor without the prior specific or general written authorisation of the controller. In Article 28, it is stipulated that a data processing agreement has to be concluded between a controller and a processor (see 4.2 Data Protection in Cloud Service Agreements and 4.3 Data Processing Agreements and the Cloud).
The rules regarding cross-border data transfers are regulated in the GDPR with the aim of guaranteeing the same level of protection to personal data being transferred to non-EU/EEA countries, so-called third countries, as it has when processed inside the EU/EEA. The GDPR does not define a transfer of data in the context of third countries, but the European Data Protection Board (EDPB) has set out three cumulative criteria for determining when a transfer outside the EU/EEA occurs. Firstly, a controller or processor needs to be subject to the GDPR for the processing in question; secondly, that controller or processor needs to make personal data available to another organisation; and lastly, the receiving organisation needs to be in a country outside the EU/EEA or an international organisation.
As a general rule, the GDPR prohibits the transfer of data outside the EU/EEA if certain conditions are not complied with (Article 44 of the GDPR). Such conditions are laid out in Chapter 5 of the GDPR, in Articles 45–49. However, the GDPR does not address the transfer of personal data to third countries specifically in the context of cloud computing, although these rules also apply to cloud computing. The requirements and rules regarding data transfers are described in greater detail in 6. International Data Transfers.
There are no specific penalties for non-compliance with data privacy regulations in the cloud.
Data subjects have the right to receive compensation if processing is contrary to their rights; this includes both non-material and material damages. According to Swedish case law, the non-material damage for a mid-serious breach of GDPR is around EUR300 per data subject. Remedies, liabilities and penalties are outlined in Articles 77–84 of the GDPR. Depending on the infringement, administrative fines up to EUR10 million can be imposed, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. If the infringement is more serious, administrative fines up to EUR20 million can be imposed, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In Sweden, it has been decided that authorities can also be fined. For authorities, the maximum administrative fine for serious breaches is SEK10 million (approximately EUR885,500), and for less serious breaches, the maximum amount is SEK5 million (approximately EUR442,750).
No specific measures regarding data security are required in accordance with local law specifically for data stored in the cloud. However, as regards data security in the cloud, it is very important to comply with personal data regulations as well as other relevant regulations, such as confidentiality regulations, in accordance with the Public Access to Information and Secrecy Act.
The Act on Secrecy in Public Sector Outsourcing of Technical Processing or Storage of Data (2020:914) governs confidentiality when public authorities outsource the technical processing or storage of information. According to the Act, anyone who takes part in a service provider's business of technically processing or storing such data is bound by a confidentiality obligation and may not disclose or use the information without authorisation.
The GDPR requires appropriate security measures that provide an adequate level of security, and that organisations comply with all the basic principles of the GDPR and have a legal basis for personal data processing operations. Strategies, choices and practices should also be documented. It is not stipulated in detail in the GDPR which security measures have to be implemented.
In Sweden, there have been cases where the Parliamentary Ombudsman has levied serious criticism against public health providers that have entered into a contract with a cloud service provider that led to unauthorised people accessing sensitive information, in violation of the regulatory framework regarding secrecy for healthcare. These cases show the importance of good security measures and compliance with the specific legislation that may apply to the organisation. For example, public actors must always comply with the Swedish Act on Public Access to Information and Secrecy.
The Swedish Protective Security Act (2018:585) and the Swedish Act on Information Security for Essential and Digital Services (2018:1174) contain legal requirements concerning information security. The NIS Directive (EU) 2016/1148, which aims to ensure overall cybersecurity inside the EU, was implemented in Sweden mainly through the Swedish Act on Information Security for Essential and Digital Services. The Swedish Protective Security Act contains legal requirements for both private and public actors who conduct activities classified as security sensitive.
To protect sensitive information, security measures are required, but there is no regulation stating what specific measures should be used. Both data in transit (ie, data moving from one location to another) and data at rest (eg, data stored on a server, in a backup or in a database) are exposed to security risks and threats. All data should be encrypted, but the process and standards usually differ depending on whether the data is in transit or at rest.
For data in transit, a secure communication protocol is needed. The most common protocol is called SSL/TLS, standing for Secure Sockets Layer/Transport Layer Security. TLS is the modern version of the SSL protocol. However, because SSL is a common term, it is still referred to together with TLS. If someone were to intercept data (eg, an unauthorised person) while the SSL/TLS protocol is being used, that data would be encrypted.
SSL/TLS is used in combination with HTTP, standing for Hypertext Transfer Protocol. HTTP is the prefix often seen in a website's address while browsing. If the address starts with HTTPS instead of HTTP, then SSL/TLS is being used; the "S" stands for "Secure". HTTP is used for transferring data, and the SSL/TLS protocol protects the transfer.
For data at rest, two main types of encryption algorithm are used: symmetric and asymmetric. The difference lies in the number of keys used for encrypting and decrypting the data. Symmetric encryption uses the same key for encryption and decryption, and is faster and simpler to implement, while asymmetric encryption uses a pair of keys (a public key for encryption and a private key for decryption), which is a safer but more complex option.
Access controls in the cloud are often managed with the so-called keys described in the foregoing, along with other authentication methods such as two- or three-factor authentication. It is important for an organisation to be able to regulate and monitor access to information in the cloud in a secure and smooth way. The policies of the organisation should match the technical solutions of the cloud.
Security measures such as access controls, encryption and strategies for crisis response are used to prevent security incidents and breaches. Cloud service providers should also seek to become certified as compliant with relevant International Organization for Standardization (ISO) standards. ISO 27017 and ISO 27018 certifications attest to a certain level of security for the cloud environment. The handling of security incidents and breaches is further described in 5. Data Breach Notification.
In Article 32 of the GDPR, it is outlined that certain technical and organisational measures need to be taken into account when processing personal data. These measures include:
It is important for a data controller to retain ownership and control over its own data. Data ownership is usually integrated into both the main agreement (cloud service agreement) and the data processing agreement.
Data subjects need to be able to exercise all their rights in accordance with the GDPR (see 1.1 Data Privacy and Cloud Computing). It is important for organisations to have a clear overview regarding how data is stored and transferred in the cloud to be able to ensure the rights of the data subjects, for example when a data subject requests a copy of the data that the organisation is processing regarding her/himself (such request needs to be responded to within 30 days). Generally, data subjects exercise their rights by contacting the organisation where the personal data is stored, or IMY.
Data portability is the ability to easily transfer, access and retrieve data between and from cloud service providers. Standard formats, application programming interfaces (APIs) and data migration tools are essential for ensuring technical portability. Vendor lock-in is a major concern in cloud environments, and data portability provisions in contracts help reduce this risk. Multicloud and hybrid cloud strategies benefit from enhanced data portability, allowing organisations to change to another cloud provider more easily. Emerging technologies are improving data portability in cloud environments.
Ensuring data portability in the cloud requires a combination of technical preparedness, legal safeguards and strategic planning to prevent vendor lock-in and facilitate seamless transitions between different cloud service providers.
Data portability in the context of the GDPR is usually integrated into the cloud service agreement for the provider to ensure that technical capabilities are in place allowing organisations to respond to – and fulfil – data subjects’ right to retrieve their data in a structured, commonly used and machine-readable format, where such data can be moved and provided to the data subject or another data controller.
Data retention and deletion policies are very important for organisations, especially to comply with data protection legislation. Generally, personal data can only be processed when there is a specific purpose and a legal basis that supports the processing. Also, public actors, such as authorities, need to consider specific rules connected with data retention.
However, in the cloud environment, data can be stored in different locations, which can be a problem. Retention periods must be implemented in line with the organisation's national requirements (especially if a Swedish company uses a multinational cloud service provider).
To comply with legislation, data must be deleted completely. Therefore, backups must also be taken into consideration. The organisation must have a clear overview of how backups are secured and how retention is managed by cloud service providers.
When selecting a cloud service provider, there are a lot of different aspects to consider.
Before data is transferred to a cloud service provider, it may be necessary to perform a data protection impact assessment (DPIA) in accordance with Article 35 of the GDPR, as an important part of due diligence. Such assessment must be conducted if the planned processing is likely to lead to a high risk of infringement of the rights and freedoms of individuals. A risk assessment should be done first to determine whether a DPIA should be made in accordance with the GDPR. In Article 35.3, there are specific criteria for determining when a DPIA is required.
IMY has listed nine criteria to help organisations determine whether a DPIA is needed; if two or more criteria are met, a DPIA should be conducted. For cloud computing, a few criteria of special relevance can be mentioned:
Before selecting a cloud service provider, where the data processing takes place, including where the data is being stored, should be investigated. If the data is shared with other companies or organisations, the risk of leakage is higher. Since data can only be transferred from Sweden to a jurisdiction inside the EU/EEA (except for countries for which there is an adequacy decision by the European Commission), it is important to determine where the data is stored and what type of sharing mechanisms are being used.
If a cloud service provider plans on transferring data to countries outside the EU/EEA, a so-called transfer impact assessment (TIA) should also be made (see also 6. International Data Transfers). During due diligence, when selecting a cloud service provider, the provider's data transfer strategy and safeguards must be considered. When using a cloud service provider, it is harder to relate data to a geographical location, and it is not always clear where data is being stored – especially since many of the popular cloud service providers are multinational companies.
Other questions that should be addressed during a due diligence include the following.
Lastly, when engaging a cloud service provider, it is important for the data controller to understand the underlying technology of the cloud service, which is not always easy, to be able to determine how the data will be processed and secured. As already mentioned, the public sector in Sweden must consider issues relating to information subject to statutory obligations of secrecy.
Data protection requirements are regulated in data processing agreements. The data processing agreement is usually attached to a main agreement (cloud service agreement), wherein the main contractual framework is outlined (eg, termination, duration of contract, prices). A data processing agreement specifically states the relevant obligations concerning personal data.
Data processing agreements are essentially the best way to ensure that cloud service providers comply with data privacy regulations.
As mentioned in 4.1 Due Diligence, it is of great importance to review the privacy policy of the provider to get a sense of how the provider processes and deals with data privacy matters.
When concluding a cloud service agreement, it should be tailored to fit the organisation and existing obligations of the data controller. The cloud service provider (data processor) often uses their own standard form contracts and a predetermined approach to handling data, which can present problems with respect to tailoring the agreement. It should be remembered that many cloud service providers are huge multinational companies, which makes it much harder to make specific demands when concluding a cloud service agreement. These multinational companies are responsible for the majority of the cloud services used by Swedish organisations.
Cloud service providers also process data for organisations, authorities and companies in different sectors, businesses and parts of the world, which means that it can be difficult to conclude a cloud service agreement tailored to a specific data controller. Privacy commitments that a company has towards its customers or data subjects must continue to apply when that company starts to use a cloud service to store and process data relating to their business.
To ensure that cloud service providers comply with data privacy regulations, the data processing agreement is of great importance (see 4.3 Data Processing Agreements and the Cloud).
Data processing agreements for the cloud environment are designed in a similar way to standardised data processing agreements not used specifically for a cloud environment. Article 28.3 of the GDPR stipulates when such an agreement needs to be concluded, as well as the content of the agreement. A company, organisation or authority that uses a cloud service provider to store its data is seen as a data controller, and the cloud service provider is seen as a data processor. If any processing of personal data is to be carried out on behalf of a data controller, the controller shall only engage processors that provide sufficient guarantees regarding appropriate technical and organisational measures meeting the requirements of the GDPR. Article 28.4 stipulates that a data processing agreement also needs to be concluded between a processor and a sub-processor.
In Article 28.3 of the GDPR, there are minimum requirements for the content of a data processing agreement:
When the data processor is a multinational cloud service provider, it can be hard to negotiate the data processing agreement to fit with all of the organisation’s preferences. If a data processing instruction is already in place, having been proposed by the cloud service provider, this should be carefully reviewed by the organisation/data controller. It is also important to review any list of sub-processors and the procedure when the cloud service provider/data processor wants to hire a new sub-processor.
Termination and exit strategies for cloud service agreements are important to consider before entering into an agreement with a cloud service provider, and before changing to another cloud service provider.
Organisations should also note that cloud service providers can be bought by another entity, forced to go out of business or forced to "switch off" their services for an undefined period. Therefore, it is important to find out what applies to the specific organisation's data in such scenarios. Cloud service providers should be able to inform the organisation regarding their strategies for handling such issues. Multinational cloud service providers usually have a well-integrated step-by-step process for such inquiries. Such strategies and information should be integrated into cloud service agreements and adapted to the needs of the business.
Typical termination and exit strategies in such agreements involve clauses regarding, for example:
For both parties – ie, the customer/organisation and the vendor/cloud service provider – it is important to adopt an exit strategy, even before negotiations start. As part of the due diligence process, termination and exit strategies should be reviewed and compared. An effective exit strategy is also an important factor when it comes to keeping and securing irreplaceable data, and the strategy should therefore be reviewed regularly. Employees should also be educated in cloud exit planning and in how the organisation's strategy is designed.
It is important for any organisation to take a strategic decision and be prepared, as there is a high probability that the EU-US Data Privacy Framework will in future be declared invalid. (Under the Framework, the European Commission has taken an adequacy decision concluding that the United States ensures a level of protection for personal data transferred from the EU to participating US companies that is adequate compared to that of the EU.) Therefore, it is important that organisations have so-called standard contractual clauses in place should such clauses be needed. However, it should be noted that it may not be sufficient to have standard contractual clauses in place if the EU-US Data Privacy Framework ceases to apply.
Data migration is the process of moving data from one location (on-site) to the server of a cloud provider or between different clouds. Most of the cloud service providers have certain procedures and policies for such migration, which are incorporated into the cloud service agreement. Organisations should try to make sure that any such process or service does not come with an additional cost. This may sometimes be difficult to achieve.
The requirements for reporting data breaches in the cloud do not differ from how a data breach should be handled outside a cloud environment. If, while processing personal data, an incident occurs resulting in a breach of confidentiality, availability or integrity, it is likely that such breach poses a risk to a data subject’s rights and freedoms. In such case, a report must be made to IMY. In Articles 4(12), 33 and 34 of the GDPR, as well as in Recitals (85)–(88), the requirements for handling a data breach are described.
Data breaches are investigated and remedied in the same way in the cloud as breaches occurring outside a cloud environment. If a data breach has occurred, it is important to remedy it and take action to make sure it does not occur again. Organisations and cloud service providers should have routines for handling such breaches, which should be outlined in the data processing agreement. With good security measures and systematic work to accomplish appropriate data processing, the risk of a data breach occurring is reduced.
In the GDPR, there is an obligation for organisations to report a data breach. If an organisation believes that there has been a data breach, such breach must be reported to IMY not later than 72 hours after the organisation has become aware of it. Data subjects shall be informed about the personal data breach without undue delay if there is a high risk to the data subjects. If there is a cross-border situation (which is likely when it comes to cloud computing), the data protection authority that the organisation defines as responsible should be notified. If the breach affects the processing of personal data in several countries inside the EU/EEA, and if the breach substantially affects or is likely to substantially affect data subjects in more than one country inside the EU/EEA, the responsible supervisory authority should be notified either way. The responsible supervisory authority is where the main part of a business is based.
When reporting a personal data breach to IMY, it is important to do so within 72 hours; however, such a report can be changed or supplemented with more information at a later stage. Such changes or amendments should be made as soon as possible. If no amendments or changes have reached IMY within four weeks, a decision by said authority will be taken (which may involve the issue of a reprimand, fine, etc).
A well-written report provides as much information as possible regarding the data breach, affected persons and type of personal data that is affected. Data breach notifications are co-ordinated with cloud service providers through the obligations stated in the data processing agreement. As stated in 4. Vendor Management, such agreement must contain information regarding how the data processor (and/or sub-processor) shall assist the data controller. The legal responsibility to notify IMY of the personal data breach lies with the data controller; therefore, it is important that the data processor notifies the data controller (which is an obligation of the processor according to the GDPR) if an incident has occurred to their knowledge.
International data transfers are often regulated as an integrated part of a data processing agreement, which is an important annex to the main cloud service agreement. If data is being transferred outside of the jurisdiction (EU/EEA), it should be stated in the data processing agreement.
As already mentioned in 1.2 Data Privacy and Cross-Border Transfers, transfers to third countries outside the EU/EEA are prohibited in accordance with Article 44 of the GDPR. However, there are exceptions in Articles 45–49 of the GDPR where such transfers can be lawful. The three most common exceptions relate to the following.
Data protection requirements must still be considered and complied with in the same way as when a data processor (cloud service provider) processes data on behalf of a data controller (organisation) inside the EU/EEA. For example, the principles and legal basis described in the GDPR must be considered.
The GDPR does not have specific data localisation requirements, but as stated in 6.1 Cross-Border Transfer Regulation, there are clear prerequisites for transferring data to a jurisdiction outside the EU/EEA.
Generally, in Sweden, all bookkeeping data necessary to fulfil the documentation requirements under the Swedish Bookkeeping Act (1999:1078) shall be stored in Sweden. However, the Act exempts certain organisations from the obligation, namely:
The Swedish Bookkeeping Act does not address the permissibility of cross-border transfers of locally stored data. As previously described, it is harder to track and locate data in a cloud environment (especially for an organisation/data controller with less knowledge/insight), which can lead to issues relating to cross-border transfers and data localisation requirements.
An organisation that has accounting obligations under the Bookkeeping Act may however temporarily store verification documents outside of Sweden if special reasons consistent with good accounting practice exist – for example, if a bank needs to store certain information in another country to comply with the bookkeeping rules of that country. Also, an organisation may store machine-readable media and make machine equipment and systems available in another country within the EU, or a country that is party to a so-called mutual assistance agreement, if the organisation:
Conflicts of law in cross-border data transfers are usually not addressed specifically. Instead, such conflicts have been addressed by the different mechanisms used for cross-border data transfers (see 6.1 Cross-Border Transfer Regulation).
There are many risks and challenges associated with international data transfers in the cloud. The main risk/challenge is that the level of protection for personal data is not considered adequate in countries outside the EU/EEA that lack an adequacy decision from the European Commission. Poor security in relation to personal data can lead to data breaches and unauthorised persons gaining access to sensitive personal data. For organisations, there is also the risk of administrative fines from IMY if data is transferred to countries that do not have an adequate level of protection for personal data.
In accordance with Article 28 of the GDPR, the data controller has a right to all information that is needed to:
In accordance with Article 32 of the GDPR, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the data processing is also needed.
To ensure the integrity and accuracy of audit reports, third-party audits by an independent actor may take place. If that takes place, it is important to consider the possible consequences for data privacy and to prevent access that the data controller has not approved of. Audit findings and recommendations are usually put in a report. Conducting audits regularly can help cloud computing providers to stand out from other providers when offering their services to new customers.
Encryption and the cloud computing services as a whole should be tested on a regular basis through unit testing, compliance testing, integration testing and penetration tests. Such tests should also be used to determine whether the cloud computing environment meets the required standard. There are no statutory penalties for failing to comply with audit requirements pertaining specifically to the cloud.
Every audit should be documented and logged to show compliance with the applicable data protection regulation. It is in the interests of the cloud service provider to ensure a secure cloud environment, which reinforces that audits should take place and that such audits should be documented and logged.
Failure to comply with contractual audit requirements is treated as a contractual matter in Sweden, and there are no specific statutory penalties for failure to comply with audit requirements relating to the cloud. As stated previously, many cloud service providers use their own standard form contracts. Generally, providers have limited liability for errors, defects, damages and losses (direct or indirect) in such contracts. Cloud services are normally standard services, and it seems reasonable to have a relatively far-reaching limitation of liability. There is no market standard cap, but in cloud services contracts, the cloud service provider often caps its liability at an amount corresponding to the fees for the services over a 12-month period.
Kungsgatan 33
Box 7305
103 90 Stockholm
Sweden
+46 8 22 09 00
info@hellstromlaw.com www.hellstromlaw.com