On October 17, 2011, the French Data Protection Authority (the “CNIL”) launched a public consultation on cloud computing (the “Consultation”). The Consultation seeks to gather opinions from stakeholders (clients, providers, consultants) regarding cloud computing services for businesses, to identify legal and technical solutions that address data protection concerns while taking into account the economic interests involved.

The Consultation addresses several specific topics about personal data protection in the cloud computing context, including:

  • The definition of cloud computing
  • Cloud computing providers as data processors
  • Applicable law (i.e., what law applies to cloud computing stakeholders?)
  • Regulation of data transfers (e.g., what legal instruments are best suited to regulate cloud computing? Would binding corporate rules for data processors be an appropriate legal mechanism for transferring personal data to cloud computing service providers?)
  • Data security (e.g., cloud-specific risks and proposed security measures)

Stakeholders may submit their contributions to the CNIL until November 17, 2011. The Consultation will then be used to draft specific guidelines that will be published on the CNIL’s website.