Legal levels of Cloud Services in DECIDE explained

This blog post explains the concept of assigning legal levels to Cloud Services used in the DECIDE framework and how this helps the application developer select the appropriate services for the application, based on the compliance needs of the organization using it. It also explains what the legal level covers and what it does not, as well as what additional services DECIDE may provide on the road to full legal compliance of multi-Cloud scenarios.

Legal levels: the concept

Within DECIDE, the legal level functions as a non-functional requirement of the application. It is an aspect which is relevant not for technical purposes, but to satisfy the business needs of the organizations which are the intended users of the multi-Cloud application, specifically the compliance needs of that organization.

Legal levels are assigned in ACSmI to each Cloud service endorsed in the ACSmI catalogue and therefore enable application developers to pre-select only those resources which match the legal level they have identified as necessary within the target organizations.

The purpose of the legal level is to make the application developer's choice easier, without the developer having to go through all legal documents surrounding a Cloud service, namely:

  • The service contract and SLA
  • The Data processing agreement
  • Any other relevant contractual documents, e.g. general terms and conditions or an acceptable use policy

In theory, the application developer would have to have all these documents assessed and decide whether or not these contracts satisfy the legal and compliance needs of the intended user organization(s).

To make the developer’s life easier, DECIDE will already do a sizeable chunk of that work by assessing all the relevant contractual documents when a service is being endorsed into ACSmI and by assigning a legal level as a result of this assessment. Moreover, if the contracts are updated, the legal level will be updated as well. The legal level will be assigned by the ACSmI legal expert (a natural person specialized in law) on the basis of a questionnaire covering applicable legislation and relevant legal aspects for target user organizations subject to EU law. The assessment will be performed on the contractual documents provided by the CSP, where necessary enriched with additional information which may be requested from the CSP.

The legal level functionality will include recommendations on which legal level is suited to which type of organization. This helps the application developer choose the right legal level from the start and thereby exclude any Cloud services which do not meet it: not meeting a legal level indicates that the contracts offered for those Cloud services are not considered to provide sufficient assurances for the level of compliance sensitivity indicated by the application developer.

There will be three tiers of the legal level, and the legal level will cover various aspects, such as:

  • GDPR compliance (different aspects)
  • International transfers outside the EEA
  • Liability
  • Conflict resolution
  • Exit clauses and penalties
  • Data portability/switching clauses
  • Etc.

To illustrate: assume that the legal level would only measure GDPR safeguards for transfers outside the EEA and GDPR compliance of the offered data processing agreement, and that the questionnaire leads to a score on either topic which could be either of the following:

  • No compliance
  • Low level of protection offered
  • Medium level of protection offered
  • High level of protection offered

If any instance of no compliance is found, the Cloud service will not be endorsed into ACSmI.

If all aspects of the legal level at least measure some level of protection, then the composite score will lead to the service being assigned a tier. The result may look somewhat like this:

Legal level        | GDPR safeguards for data transfers (if relevant) | GDPR compliance of the data processing agreement
-------------------|--------------------------------------------------|-------------------------------------------------
Legal level tier 3 | Low protection                                   | Low protection
Legal level tier 3 | Low protection                                   | Medium protection
Legal level tier 3 | Medium protection                                | Low protection
Legal level tier 2 | Medium protection                                | Medium protection
Legal level tier 2 | High protection                                  | Medium protection
Legal level tier 2 | Medium protection                                | High protection
Legal level tier 1 | High protection                                  | High protection

Then, on the basis of this, the legal levels would be linked to the compliance needs of certain organizations. This may then look as follows:

Legal level        | GDPR safeguards for data transfers (if relevant) | GDPR compliance of the data processing agreement | Suited for which organizations or projects
-------------------|--------------------------------------------------|--------------------------------------------------|-------------------------------------------
Legal level tier 3 | Low protection                                   | Low protection                                   | Suited for non-data driven organizations or projects with little or no sensitive data, low compliance risk or higher risk appetite and limited business complexity. Examples may include non-technical, non-data driven start-ups and SMEs.
Legal level tier 3 | Low protection                                   | Medium protection                                | (same as above)
Legal level tier 3 | Medium protection                                | Low protection                                   | (same as above)
Legal level tier 2 | Medium protection                                | Medium protection                                | Suited for organizations or projects with average data processing activities and average risk appetite, which may process large amounts of data but not large amounts of sensitive data or special categories of data. Examples may include smaller data-driven companies or larger non-data driven companies. Non-sensitive governmental entities may also choose this level.
Legal level tier 2 | High protection                                  | Medium protection                                | (same as above)
Legal level tier 2 | Medium protection                                | High protection                                  | (same as above)
Legal level tier 1 | High protection                                  | High protection                                  | Suited for organizations or projects which have a low risk appetite and higher compliance risks/burden because of the type of data processed (e.g. health data, financial data) or because of the sector in which they are active, adding regulatory requirements to the mix. Examples include health professionals and hospitals, banks and governmental organizations which also treat sensitive data.

Then, last but not least, every legal tier will be linked to some minimum assurances, so that organizations choosing this legal level may know what they can at least expect from a given legal level.
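The tier assignment illustrated above (per-aspect questionnaire scores composed into a tier, "no compliance" blocking endorsement, and the developer pre-selecting only services that meet the required tier) can be written down as a small scoring and filtering routine. The following is an added example, not code from the DECIDE project or ACSmI; it assumes the composition rule "the weakest assessed aspect determines the tier" (any Low gives tier 3, all High gives tier 1, otherwise tier 2), which is consistent with every row in the tables above but also covers combinations the tables do not list (Low with High) and any number of aspects. Service names and scores are constructed.

```python
from enum import IntEnum
from typing import Dict, List, Optional


class Protection(IntEnum):
    """Questionnaire outcome for one assessed aspect; ordering matters (NONE is weakest)."""
    NONE = 0      # "No compliance": the service is not endorsed at all
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Tier implied by the weakest assessed aspect. This is an assumed rule, chosen to
# reproduce the table rows (any Low -> tier 3, all High -> tier 1, else tier 2).
# Tier 1 is the strictest level.
TIER_BY_WEAKEST = {Protection.LOW: 3, Protection.MEDIUM: 2, Protection.HIGH: 1}


def assign_tier(scores: Dict[str, Protection]) -> Optional[int]:
    """Compose per-aspect scores into a legal level tier.

    Returns None when any aspect scores NONE (the service is not endorsed into
    the catalogue); otherwise the tier determined by the weakest aspect.
    """
    if not scores:
        raise ValueError("at least one assessed aspect is required")
    weakest = min(scores.values())
    if weakest is Protection.NONE:
        return None
    return TIER_BY_WEAKEST[weakest]


def preselect(catalogue: Dict[str, Dict[str, Protection]], required_tier: int) -> List[str]:
    """Names of endorsed services whose tier is at least as strict as required_tier.

    A lower tier number is stricter, so tier 1 services also satisfy a tier 2 need.
    Services that are not endorsed (tier None) are never returned.
    """
    if required_tier not in (1, 2, 3):
        raise ValueError("required_tier must be 1, 2 or 3")
    selected = []
    for name, scores in catalogue.items():
        tier = assign_tier(scores)
        if tier is not None and tier <= required_tier:
            selected.append(name)
    return sorted(selected)


# Constructed sample catalogue: hypothetical service names and scores, not real CSP assessments.
CATALOGUE: Dict[str, Dict[str, Protection]] = {
    "storage-a": {"transfers": Protection.LOW, "dpa": Protection.LOW},        # tier 3
    "storage-b": {"transfers": Protection.MEDIUM, "dpa": Protection.MEDIUM},  # tier 2
    "storage-c": {"transfers": Protection.HIGH, "dpa": Protection.HIGH},      # tier 1
    "storage-d": {"transfers": Protection.HIGH, "dpa": Protection.MEDIUM},    # tier 2
    "storage-e": {"transfers": Protection.NONE, "dpa": Protection.HIGH},      # not endorsed
}


if __name__ == "__main__":
    for service, aspect_scores in CATALOGUE.items():
        print(f"{service}: tier {assign_tier(aspect_scores)}")
    # A developer targeting a tier 2 organization gets storage-b, storage-c and storage-d.
    print("tier 2 or stricter:", preselect(CATALOGUE, 2))
```

Using the weakest aspect rather than an average means a single poorly scored aspect cannot be masked by strong scores elsewhere, which matches the page's statement that a service is excluded when its contracts do not provide sufficient assurances for the chosen level.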

What assurances does the legal level provide?

The legal level is intended to cover the most important aspects of legal importance that are to be encountered in setting up a multi-Cloud scenario.

However, given the complexity of the assessment and the fact that many legal questions have to be dealt with ad hoc, on the basis of the specifics of the given case, the legal level can only provide guidelines and a useful assessment of the contractual framework offered by the Cloud service provider (further: CSP) for a given Cloud service. It can never replace a full legal assessment by a legal professional who is privy to all the confidential legal and other concerns which the user organization of the multi-Cloud application in question may have. Therefore, the legal level is to be used "as is", as a tool to help the application developer pre-select certain Cloud services based on the perceived legal needs of the target user organizations, and not as a replacement for any additional legal reflection by the user organizations. Specifically, the user organization will need to assess whether the aspects covered by the legal level are in fact sufficient for its identified compliance needs, especially with regard to the question whether additional national, regional or sectoral requirements apply.

This is explained in the assurance policy that will be written for the legal levels in ACSmI, which will be part of both the contract with DECIDE users and of the contractual relationship with CSPs looking to have their services endorsed into ACSmI. It will describe the onboarding process of any Cloud service and how the legal level is assigned. Specifically, this policy will set out how the questionnaire has been drafted which is used by the ACSmI legal expert to assign the level, how this is finalized and checked, how the legal levels work and how the CSP or the users may contact ACSmI to submit questions or complaints.

It is important to understand that the legal level will cover only those aspects that have been identified in the assurance policy.

Are there aspects not covered by the legal level? Does DECIDE not deal with those aspects?

The legal level deals with all relevant aspects to be derived from the contracts described above that govern the contractual relationship with the CSP. However, other elements may be relevant, such as the CSP's adherence to standards or codes of conduct, or the number and type of certifications a CSP can present for itself or for certain of its services. While those aspects are certainly of relevance when assessing the compliance needs of an organization, it is impossible to assign them a legal value and make them part of the legal level, because there is no clear (legal) standard to compare them to. Moreover, their value and relevance may depend on the target user organization of the multi-Cloud application and on the specific situation at hand.

While the legal level as such does not cover this, DECIDE aims to provide additional services in this respect as part of its business model. Thus, these aspects may be considered as part of a specific bespoke service for organizations with a high compliance burden.

In the same vein, DECIDE may deliver ad hoc legal services for clients for whom the legal level does not provide a full solution as a tool to select appropriate Cloud services for their compliance needs, e.g. because they are dealing with additional requirements which are not covered in the standard contracts offered by CSPs and are therefore not considered in the legal level. Another reason may be that the sensitivity of the data processed, or the applicability of sectoral legislation or requirements, calls for an assessment based on specific national/regional/sectoral requirements, which is not carried out for the legal level, the latter focussing on general legal requirements. Logically, DECIDE cannot a priori deal with every legal specificity which may arise in practice and thus has to focus on generally applicable legislation.

Nonetheless, DECIDE aims to deal with additional legal requirements depending on country, region or sector as well, by offering bespoke legal services as an additional part of its exploitation plan.

Therefore, those legally relevant aspects not covered by the legal level (a general service that is part of the DECIDE software framework) may be made available to DECIDE users as bespoke ad hoc services, should they opt for this.

Conclusion

The legal level will be a useful tool for application developers to facilitate their choice of Cloud services (and to exclude certain Cloud services) depending on the compliance needs of the intended user organization. It saves the developer the time and effort of assessing the contractual reality of every Cloud service in the ACSmI offering, reducing the choice instead to three tiers of legal level, accompanied by guidelines on what those levels guarantee and which organizations they may be suited for.

It is however important to remember that this a priori assessment of the contracts offered by the CSP may not fully replace an ad hoc legal assessment on the user organization's side. The user organization may have confidential information which would be relevant to making different choices, or it may be subject to a number of national, regional or sectoral requirements which have not been part of the assessment leading to the assignment of a legal level, the legal level being conceptualized to cover general legal requirements.

Therefore, DECIDE will offer a detailed assurance policy to enable the user to understand the legal level and what the value is in their final legal assessment.

Additionally, however, DECIDE will also offer bespoke services to do this for the user organizations which are interested, thus offering a one-stop shop solution to legal compliance challenges in a multi-Cloud scenario.