Hyperscaler migrations from a legal perspective
Hyperscalers such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud and Alibaba offer a compelling package for scalable data hosting. But migrating your business’s data to a hyperscaler is more than a mere technical exercise, since binding contractual obligations and data protection requirements provide a legal constraint which must be adhered to.
From a legal standpoint, the first question you must answer when migrating data to a hyperscaler is whether, and how, this relates to your legal and contractual obligations vis-à-vis business partners, such as customers or suppliers. In other words: Can you just “go for it”, or will a smooth and legally safe migration depend on you informing – or even obtaining prior consent from – the business partners? Unfortunately, those pressing legal questions often come to mind only after the decision to “go for it” has already been made and the legal department must find a way to get it done. This article highlights legal issues to be aware of in the context of hyperscaler migrations and outlines a best practice approach Deloitte Legal developed by successfully supporting clients in such a transformation.
The starting point is to assess whether the contracts between you and your business partners contain clauses that are relevant for the migration. As guidance, the most common clauses to look for in this context are:
- Subcontracting restrictions | Are you obligated to host the data by yourself or through a specified hosting provider, or may you subcontract data hosting to any third party? Will switching hosting providers trigger an approval or auditing process on the side of your contract partner?
- Notice and consent requirements | Are you obligated to notify, or obtain consent from, the business partner in case of, e.g., certain data being moved to a different hosting provider?
- Geolocation | Are you obligated to store the data in a certain geographical location?
- Compliance obligations and regulatory restrictions | Are you or your business partner obligated to observe certain compliance obligations or subject to certain (sector-specific) regulatory restrictions, e.g., specific legal requirements or processes in the financial or health industry, when hosting the data?
- Security requirements and audits | Are you obligated to observe certain standards of data security or data encryption when hosting or transferring data? Or are you obligated to perform security audits for your data hosting, or even allow your contract party to perform such audits? If so, it would be necessary to evaluate whether the chosen hyperscaler will comply.
- Incident response | Are you obligated to observe certain procedures, e.g., response times, in case of security incidents? If so, it is important to ascertain that the hyperscaler enables you to continue observing these procedures.
Data protection topics
Besides these contractual obligations, data protection requirements must be closely analyzed when planning to transfer personal data to a hyperscaler. These requirements often reach far beyond what is contractually agreed between the parties. For European companies, or companies established outside the EU that are offering goods/services (paid or for free) to, or monitoring the behavior of, individuals in the EU, the General Data Protection Regulation (GDPR) is the key legislation to keep an eye on. Although the GDPR provides for several legal bases which can legitimize the transfer of the data to, and its processing by, a hyperscaler, in many cases (e.g., obtaining consent) this will require at least some considerable effort on your side.
Therefore, data processing agreements (DPA) are the most common and practical way to legalize the transfer of your data to a hyperscaler within the EU. However, even when it is possible to standardize such agreements in many ways, the efforts to create and agree on a DPA should not be underestimated. Among other things, it requires the definition of the subject matter, duration of data processing, type and purpose of processing, scope of authorization, ensuring adequate technical and organizational measures, involvement of subcontractors, as well as control and audit rights.
Even more challenges arise when hyperscalers are located outside of the EU/EEA. Even if the data transfer meets the general requirements as outlined before, in a second step you must ensure that the transfer to the third country outside of the EU/EEA is permitted. To that end, you must differentiate between secure and insecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision.
If there is no adequacy decision for the target country, you must ensure by other means that the personal data can and will be sufficiently protected by the hyperscaler. One way to do so is using the so-called Standard Contractual Clauses (SCCs) adopted by the European Commission. They have a modular structure and offer significant individual customization options to cover the different data transfer scenarios. However, like the DPA, creating and completing these documents may cause more effort than anticipated.
To make things even more of a challenge, even when using SCCs the legal landscape for data protection in the hyperscaler’s country must be analyzed, and you must determine which additional technical and organizational measures (encryption, anonymization, pseudonymization) are required for the specific case. Such data transfer impact assessments require a highly efficient approach due to the broad scope of the task. Moreover, it is of paramount importance that the assessment is carried out correctly; as with all regulatory requirements, it is not advisable to escape the bear and fall to the lion: Authorities have recently launched large-scale audits across all sectors to detect and prohibit non-compliant data transfers – not to mention those looming GDPR fines that are designed to make non-compliance a very costly mistake. Therefore, it may make sense to rely on the experience of experts who have conducted such assessments in the past.
Depending on the industry sector you operate in, further legal requirements may need to be considered before transferring the data. For example, in the banking and insurance industry, certain minimum requirements established by European supervisory authorities must be complied with. For the health care sector and health data, the GDPR already foresees tight restrictions, which are often accompanied by further regulations on a member state level. Identifying those requirements early on is key, as being in violation of such requirements may lead to severe consequences for you as well as your business partner.
As outlined, migration of business data to a hyperscaler will typically require the review, and potentially amendment, of contracts with business partners. Depending on your business model, the number of contracts to be reviewed can be substantial. The categories of People – Process – Technology will help structure your thinking around this project and make it easier to grasp.
The first step is to clarify who has to be involved in the project. While at its core a legal exercise, input from many departments such as Operations/Business, IT/Security, Compliance, the Data Protection Officer, Finance, Tax, etc. is crucial. A dedicated project manager will help you stay on top of things and coordinate the project. You must make sure that the relevant stakeholders understand the importance of the project and that sufficient capacities are reserved for the review. If your internal resources are already at top capacity, you may consider retaining external support with the diverse skillset needed for such a task.
To keep the review efficient and transparent, it is imperative to define and track adequate processes and workflows. Elements from the agile working methodology, such as sprints, dailies or retrospectives, can be a great help to keep the project moving forward. Draw up a detailed review guidance document to ensure consistent results (and to enable lower-cost resources), set milestones to track progress, and develop a negotiation playbook on how to approach business partners whose contracts need to be changed. Plan for reviewing and updating these documents, as well as the processes and workflows, as the project evolves.
As a starting point, the following example shows key elements of a contract review workflow:
- Collect | Collect all relevant documents for a given case (e.g., a contract or a client), upload to review platform.
- Digitalize | Digitalize & OCR paper documents and upload to review platform.
- Categorize | Categorize the cases for relevance (e.g., if the document in a case only uses standard language it may not need an individual review; if it has no relation to the data migration it may need no further review at all).
- Legal review | The remaining cases are reviewed by a paralegal or lawyer and, if deemed necessary, sent to specialists for additional review.
- Specialist review | Special reviewers from operations, data protection office, IT department, etc. review the assigned clauses from their perspective and provide input.
- Summarize | The outcome of all the review is consolidated into a list of suggested actions to resolve any identified issues (e.g., amend the contract, provide notice).
- Resolve | The responsible key account manager, or a central team, implements the suggested actions (which is of course a separate set of processes and workflows and should be defined and tracked accordingly).
In addition to properly managing the project with its many review stages and multiple specialists, setting up an appropriate collaboration, workflow and reporting platform will dramatically increase efficiency and transparency. Your processes should be designed to route as much of the project’s activity and communication through this platform as possible. A pre-existing contract lifecycle management (CLM) system can be a good data source and, depending on the system’s capabilities, can even be the platform to manage the project from. Systems that provide transparency into the individual contract clauses, in particular, may help filter out the problematic cases quickly. Alternatively, standard office environments such as Microsoft 365 or Google Workspace, or collaboration platforms such as HighQ, can be leveraged to manage the project.
Specialized e-discovery and data extraction tools can help automatically identify and extract problematic contracts or clauses. Advanced CLM systems may provide you with such capabilities as well. Most in-house legal departments do not have access to these AI-powered tools, so if you are planning to retain external support, make sure to assess your advisor’s technology capabilities before deciding who to work with.