Office 365 v. Google Apps: A data protection perspective

This article lists the requirements of European data protection law as regards the contents of a contract between cloud provider and cloud client. Based on these requirements the contracts for the provision of Google Apps for Work and Microsoft Office 365 for small and medium enterprises are evaluated and compared from the data protection perspective. The article also discusses the shortcomings of the current legal framework for data protection with regard to cloud computing, and analyses the possible improvements made by the General Data Protection Regulation.A cloud client usually plays the role of a data controller, while the provider may be a data controller, data processor or he may not fall under the scope of data protection law. The relationship between the client and cloud provider, as a data processor, must be governed by a contract stating that the provider is bound by the instructions of the client as well as describing the security measures.The contract for Microsoft Office 365 was found to be compliant with data protection law. The contract for Google Apps for Work suffers from several deficiencies that may cause a breach of data protection law.The current data protection framework lacks unification, clarity and scalability. With the exception of unification, the General Data Protection Regulation is not expected to bring a substantial improvement if it is adopted using the proposed wording. To cope with the current law, cloud clients and providers may use the Cloud Service Level Agreement Standardisation Guidelines.