Does your company use free online services like Dropbox or Google Docs to store personal data?
I’m not a lawyer, but you’re probably breaking the law now.
The thing with free plans is that they don’t tend to be protected by a GDPR-compliant data processing contract *, and yet there’s nothing to stop businesses using their products for purposes that require one.
* a highly specific contract is required under Article 28.3 if you use another service to process people’s personal data – See earlier post.
Imagine how many small companies are using free services to store customer contact details in spreadsheets and have no idea their agreement with the provider does not protect this data. It’s all very well saying it’s the company’s fault, but what about the obligations of the (much larger and wealthier) service provider?
After quizzing various firms about their position on personal data storage, it seems that the default stance is “don’t do anything illegal” (see Dropbox’s acceptable usage policy as an example). So if you’re using their free service to store personal data, they’re saying that breach of the law is entirely on you.
My question at this point is whether the cloud provider would also be breaking the law. Silicon Valley lawyers aren’t stupid, but the age-old excuse that “we’re not responsible for what you do on our site” doesn’t seem to have fared so well in recent years. With big tech firms under increasing pressure to behave like public utilities, you’d think they’d take a stronger position on avoiding “accidental” personal data handling.
Time will tell if the blind eye approach will work, but I suspect the bigger service providers are going to have to start offering data processing contracts to free customers. Until then they will probably enjoy an uptake in paid plans.