On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.
Cloud Computing Duties and Responsibilities
- Cloud clients (as data controllers): Cloud clients are expected to be responsible for compliance with applicable data protection legislation and fulfillment of related duties. A cloud client must therefore choose cloud providers that will guarantee compliance with the applicable law(s).
- Cloud providers (as data processors): Cloud providers must ensure the confidentiality of the personal data they handle, and they must comply with the requirements of Article 17 of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”) when providing the cloud services. According to the Opinion, they also must adopt security measures in line with the laws of both the controller’s jurisdiction and the processor’s. Finally, cloud providers must assist cloud clients with addressing data subjects’ claims and the exercise of data subjects’ rights.
- Subcontractors: According to the Working Party, cloud providers can only subcontract certain services after having obtained the client’s consent (which may be given in a general form at the beginning of the service). Information on the subcontracting of processing services by the cloud provider must be made available to the cloud client, detailing the category of service subcontracted, the subcontractor’s characteristics and the measures or guarantees implemented by the subcontractor to ensure an adequate level of data protection. All the provider’s obligations to the client must be reflected in an agreement between the provider and the subcontractor to allocate responsibility clearly.
Cloud Services Contracts
Cloud services require a formal contract, according to Article 17(3) of the Data Protection Directive. The contracts between cloud providers and clients must, at a minimum, detail the controller’s instructions to the processor and include the obligation to implement adequate technical and organizational measures to ensure data security. They also should include certain standardized data protection safeguards, including the 14 points outlined by the Working Party in the Opinion (e.g. specification of security measures to be complied with, specification of the conditions for destroying or returning the data once the service is completed, obligation to provide a list of locations in which the data may be processed), as well as measures facilitating accountability, such as third-party audits and certification.
The Opinion further highlights that even in complex arrangements involving different levels of processing and cloud providers, the utmost attention must be given to the allocation of responsibility for data protection. Importantly, the Working Party reiterates a point it made in its Opinion 1/2010 on the concepts of controller and processor, namely that “the imbalance in the contractual power of a small controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law.”
General Data Protection Principles
The Opinion further outlines the general data protection principles that should govern the client-provider relationship, including transparency, purpose specification and limitation, erasure of data, the implementation of technical and organizational data protection measures, the provision of timely and reliable access to data, the preservation of the integrity of data, confidentiality, isolation of data, “intervenability,” portability and accountability.
International Data Transfers
The Opinion highlights the limitations of the legal mechanisms traditionally used to ensure an adequate level of protection in the event personal data is transferred outside the EEA. The Working Party advises companies exporting data and relying on a Safe Harbor self-certification to conduct further investigations into the implementation in practice of the Safe Harbor principles by the chosen processor, a recommendation previously issued by the German data protection authorities. At the same time, however, the Working Party believes that cloud computing raises concerns which currently are not addressed under the Safe Harbor framework (i.e. loss of governance, incomplete data deletion, unsatisfactory audit records, etc.), such that additional safeguards must be deployed. The Working Party endorses the use of the 2010 controller to processor standard contractual clauses as a solid basis for ensuring that personal data is given adequate protection when transferred outside the EEA, and recommends that they be used between cloud providers and subcontractors as well as between providers and clients.
Risk Analysis and Checklist
Finally, the Working Party recommends that any business or administration that intends to use cloud services conduct a thorough risk analysis to identify and address the risks associated with processing specific types of data in the cloud. The processing of sensitive data in the cloud will require additional safeguards. The Working Party further provides a checklist, which offers guidance to cloud clients and cloud providers for complying with the current and future EU data protection framework. It also endorses third-party data protection certifications as potentially acceptable means of proving compliance with the guidelines issued in the Opinion.
The Working Party welcomes the provisions contained in the proposed Data Protection Regulation concerning a clearer distribution of responsibilities between data controllers and data processors, and details other future developments which may help to define a better framework for data protection in the cloud.