4.4.2 Generating Accounts during Cloud Investigations by European Data Protection Authorities

In this subsection, we analyse how various accounts are produced during a specific regulatory process, namely, when European data protection authorities (EU DPAs) exercise their regulatory power of investigation in the context of the cloud. EU DPAs are the statutory independent public regulatory bodies which have various functions including applying and enforcing data protection laws in European member states. Investigations refer to the one of the enforcement powers of EU DPAs, namely, their power to investigate data controllers, such as companies which offer cloud computing services or technologies (Cloud Providers), in specific circumstances (e.g. when an individual complains). This analysis is generated from the qualitative socio-legal research as part of WP D4 within A4Cloud project, where we interviewed fifteen respondents including EU DPAs which have investigated cloud providers, and cloud providers which have been investigated by EU DPAs.

Our data analysis suggests that multiple accounts are generated by various actors during the different stages of an investigation of a cloud provider by an EU DPA ('Cloud Investigation'). Cloud investigation can be approached as a three-stage process which consists of the pre-investigative, investigative and post-investigative stage. The pre-investigative stage includes a plethora of circumstances, practices, and routines which lead to the investigative stage (e.g. email exchanges and conference calls between the EU DPA and the cloud provider). The investigative stage starts when the EU DPA initiates the cloud investigation (e.g. by sending a letter of intention to audit to the cloud provider) and ends when the investigation report is finalised and/or published (depending on whether the report is published). The post-investigative stage refers to the stage following the publication (whether internal or external) of the investigation report.

During the pre-investigative stage, multiple accounts of compliance can be generated by different actors depending on the investigation in question. For example, a EU DPA that is unfamiliar with the data processing operations and business model of a cloud provider may engage in substantial discussions with various teams of the cloud provider (e.g. management, engineering, and legal) to know more about the entity it will regulate later on. Such requests for information also generate multiple accounts from the cloud provider such as account of compliance through internal and external policies. Here the types of account take various form such as exchanging relevant information through conversation or email or documents.

During the investigative stage, other accounts of compliance are generated by various actors. As with the pre-investigative stage, such accounts and the actors involved in generating these accounts are context-dependent. For example, subject to several factors such as financial pressures faced by EU DPAs, scope and aim of cloud investigations, different forms of accounts may be sought such as an account of how different technical functions operate in practice. Here the cloud provider often has to provide the EU DPA either with access to the algorithmic codes which implement these technical functions so that the EU DPA can test whether the algorithmic codes operate in the manner set out by the cloud provider in its policies (e.g. a cookie is deleted within a period of time specified in the cookie policy or the encryption methods used by the cloud provider operates in the manner specified in its privacy policy). Technical testing here often include other actors such as sub-contractors employed by EU DPAs that face financial constraints. Here, the account of compliance generated by the sub-contractor when s/he tests the relevant data processing operation of the cloud provider has to be compiled with other accounts of compliance generated by other employees of the EU DPAs (e.g. through analysis of privacy policies etc.).

Other compliance accounts can also be sought and produced such as accounts of compliance with the relevant data protection laws by providing the EU DPA with access to specific computer terminals when it inspects the premises of the cloud provider. Such accounts emanate from various sources and have to be managed at the cloud provider level before being passed on to the EU DPA for its review to ensure that these multiple accounts do not provide conflicting views of the compliance of the cloud provider with existing data protection laws. Here the generated accounts are questioned by the EU DPAs and can often be clarified by the cloud provider in cases of confusion.

These multiple accounts are examined by the EU DPA at the end of the investigation to determine to what extent the cloud provider complies with the relevant data protection laws. Here, there is evidently a very close link between the accounts produced during the Cloud Investigation and the outcome of the cloud investigation (e.g. the recommendations of the EU DPA to bring the operations of the cloud provider in line with the relevant data protection laws). This does not mean that accounts of compliance cannot be constructed in specific ways so that a particular version of compliance is generated especially when the report produced at the end of the cloud investigation is published. We have explored this point further in the deliverable D: D-4.11.

Finally at the post-investigative stage, other accounts of compliance are sought and generated by specific actors. For example, the EU DPA seeks account of how the cloud provider is implementing its recommendations. Additionally, the cloud provider can also seek advice from the EU DPA about the compliance of its proposed future innovations with existing data protection laws. Here accounts of compliance are generated through informal interactions such as face-to-face meetings.