The Regulatory Environment for Cloud Services in Poland
Implementing cloud computing services in Poland has become as much a regulatory project as a technology transition, generating plenty of work for data protection and cybersecurity lawyers, as discussed by Maciej Gawroński and Michał Ćwiakowski of Gawronski & Partners.
Banking cloud hesitancy
Traditionally, Komisja Nadzoru Finansowego (KNF), the Polish Financial Supervision Authority, was hesitant to allow financial institutions to adopt cloud computing, for three reasons:
- the unlimited liability of the institution for its direct outsourcees, combined with a ban on sub-outsourcing of core activities (the ban on “shell outsourcing”, where the contracted provider merely passes the work down a chain);
- the fear that data covered by financial secrecy could be accessed by third-country enforcement agencies (and “third country” initially meant any country other than Poland); and
- the limited control the institution retains over an outsourced process.
GDPR
The GDPR created a seemingly more level playing field with its extensive list of requirements for data processing agreements, as well as for vetting data processors themselves for “sufficient guarantees” (Article 28). The GDPR also introduced liability for sub-processors (Article 82), something originally proposed “only” for non-EEA data processors by Maciej Gawroński in 2014, working simultaneously for the European Commission and the Article 29 Working Party. The centre of gravity for regulatory requirements subsequently moved to data protection and became general rather than sector-specific.
The nature of cloud services creates numerous challenges for cloud clients with regard to implementing adequate technical and organisational measures. Regardless of the deployment model, a considerable portion of the responsibility for cybersecurity lies with the provider, while the accountability for the personal data remains with the client as controller. Software as a service deployments push the client’s ability to influence data security even further away: the client typically controls little beyond identity, access and configuration settings, and depends on the provider not only for data confidentiality and integrity but also for availability. It has therefore become the technology lawyer’s role to audit particular cloud services and their terms and to produce an assessment of their GDPR and overall compliance. For data transfers, the market traditionally relied on the EU-US Privacy Shield arrangement and the Standard Contractual Clauses (also known as EU Model Clauses).
Schrems II
However, the famous “Schrems II” judgment of the Court of Justice of the European Union (2020), which invalidated the Privacy Shield and questioned the effectiveness of the Standard Contractual Clauses on their own, made things more complicated. The European Data Protection Board’s Recommendations 01/2020 on supplementary measures for data transfers practically negated the risk-based principle around which the GDPR was designed. It left the market in an even more quantum, non-dualistic universe of compliant-non-compliant cloud computing, creating a huge amount of work for lawyers to verify how particular cloud services are designed, quantify the risks to data subjects resulting from non-EU processing and even, occasionally, negotiate cloud computing contracts. All this goes under the new term “transfer impact assessment”, which has become, at least in Poland, an essential type of report validating (to the extent possible) the legality of implementing a specific cloud computing service that involves non-EU data processing.
Some EU data protection authorities have already issued decisions declaring data transfers within cloud services provided by certain big-tech operators unlawful. However, the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych – PUODO) did not act hastily on its share of the “101 NOYB data export complaints”. Being involved in those proceedings, the authors believe PUODO adopted a no-nonsense approach, differing significantly from some of its more hawkish counterparts in the German-speaking countries.
New regulations
Now, the market faces a further tsunami of regulatory challenges resulting mostly from existing and upcoming EU regulations such as the draft AI Act, the Digital Services Act, the Digital Markets Act and the NIS2 Directive, supplemented by curiosities such as President Biden’s Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities and local regulations such as the draft Polish Act on Protection of Freedom of Expression in Online Social Networks.
Local insight
The Polish market has its own idiosyncrasies with regard to cloud implementations. Significant demand from the business community to apply cloud technology to boost innovation and achieve savings coexists with regulatory uncertainty and reservations from the most heavily regulated and supervised industries (such as the financial sector or operators of essential services under the network and information systems regime).
- As mentioned, PUODO is currently conducting several proceedings related to data transfers following the NOYB complaints; PUODO is not very hawkish here and does not seem to be aiming for a rapid conclusion.
- At the same time, PUODO has issued decisions focusing on due diligence and supervision by data controllers over their processors (in practice, particularly challenging in cloud services, where the controller cannot inspect the provider’s infrastructure directly and must rely on contractual audit rights, certifications and independent assurance reports).
- Cloud challenges and issues are strongly recognised by the regulators; this results in extensive local specific regulations and guidelines, such as the KNF’s recommendations on cloud computing for the financial sector or the Cybersecurity Standards for Cloud Computing issued by the former Polish Ministry of Digitalisation.
- The public sector and strongly regulated industries, such as the financial sector as well as operators of essential services and critical infrastructure, remain cautious in procuring cloud services; while the market is growing, there is often a preference for on-premises solutions regardless of pricing (regulatory concerns usually play a decisive role here, and professional legal support, also from the provider’s side, can improve client confidence).
- Financial institutions implementing cloud computing have to comply with the KNF’s extensive cloud computing recommendations (soon to be partly superseded by DORA’s specific provisions; see below); the KNF’s recommendations explain the regulator’s approach to the cloud and give guidance on threats and risk assessment as well as minimum security requirements.
- The Digital Operational Resilience Act (DORA), an upcoming EU regulation aiming to comprehensively regulate cybersecurity in the European financial sector, does not impose direct requirements on cloud services as such, but there is no doubt its implementation will be particularly challenging for both cloud clients and cloud providers; for instance, a big chunk of DORA’s requirements is dedicated to digital operational resilience testing (including threat-led penetration testing), with direct participation of external ICT service providers, and ICT providers designated as critical (with industry concentration among the criteria) will fall directly under regulatory oversight. Cloud providers seem natural candidates here.
***
As a result of the changing regulatory environment and increasingly in-depth insight into the nature of cloud services, regulators and cloud adopters are engaged in an endless dance of shadows, in which a detailed tech-legal memo provides a reasonable level of comfort until a regulator responds with a deeper x-ray review of the service, or a new law, decision or judgment is issued in Poland, in the EU or across the Atlantic. For some reason, little is heard about Asia, except at the level of cybersecurity for civil defence or critical infrastructure. But that would be another story.