When it comes to cloud computing in general and health cloud in particular, many are concerned about data protection. We asked Stephan Hansen-Oest, specialist lawyer for IT law and data protection expert.
Since the ECJ ruling on the illegality of the Safe Harbor Agreement, US cloud providers have been building data centers in Germany. Is this measure sufficient? What should end customers pay particular attention to when using cloud computing?
The use of data centers in Germany is a first, good and important step. However, it is not the solution to all problems. Because even when the data is processed abroad, support and maintenance of the servers in the German data centers is often carried out by personnel in the USA. From a legal point of view, it will generally also be possible to gain knowledge of personal data on the servers. In this case, however, data protection law is based on the transfer of personal data from the German data center to the USA or another third country. In this case, there is again the initial problem that there can be no justification for this third country transfer.
Customers who nevertheless want to use cloud computing from a US provider in a German data center should conclude an order data processing contract with the provider. The question of maintenance from abroad must also be clarified. If maintenance is carried out e.g. from the USA, at least the EU standard contractual clauses should be agreed with regard to this maintenance. It remains to be seen whether these will be a reliable, legal alternative in the long term. Because it can currently be assumed that the EU standard contractual clauses may also be reviewed by the ECJ in the future. If we take the principles of the ECJ's Safe Harbor decision as a basis, there is some reason to believe that the EU standard contractual clauses may also be declared ineffective.
Do you also conduct training courses for company data protection officers? Which findings often surprise the participants the most?
In my training, I attach particular importance to a didactic approach. Data protection law is a very complex legal matter that can quickly overwhelm training participants. I work a lot with storytelling and modern "brain-friendly" learning methods. The result is that many participants are surprised that 80 percent of data protection law is fairly easy to handle once you understand the principles.
Data protection already plays an important role in product development. There are two approaches: Privacy by Design and Privacy by Default. Which approach would you prefer when using a health cloud and why?
With the General Data Protection Regulation (GDPR), which will apply in all EU member states from May 25, 2018, this is no longer a crucial question. Because then it is very clear that both principles have to be considered equally. And even now both approaches to the topic of cloud computing have to be taken into account at the same time. “Privacy by design” must be taken into account when developing a health cloud. This includes in particular data minimization and above all methods of anonymization and pseudonymization. When we talk about health data in the cloud, we're not just talking about data protection law, we're also talking above all about compliance with medical confidentiality. This stipulates that unauthorized access by third parties to health data must be prevented. Since medical confidentiality is very extensive and the group of authorized users is always very narrow, data encryption methods are essential for a health cloud. However, this is also not technically trivial.
For example, unencrypted storage on the servers of a data center is currently not permitted without effective patient consent. The legal situation could also change fundamentally in this regard in the medical field. In this regard, the legal professional code has e.g. only recently changed in favor of possibilities of using data centers and contract data processors. It is quite conceivable that medical professional law will also follow this path. This possibility already exists for hospitals in some federal states in which the hospital laws provide for corresponding regulations. The “Privacy by Design” principle also stipulates that a health cloud is operated in a standard configuration that guarantees the greatest possible data protection. That would e.g. mean that access rights are specified very restrictively. And encryption should also be standard and not just an optional “bonus function”.
https://www.datenschutz-guru.com
Cover picture: © flaticon.com / Freepik