Article 29 Working Party Adopts Opinion on Cloud Computing

On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.

Cloud Computing Duties and Responsibilities

  • Cloud clients (as data controllers): Cloud clients are expected to be responsible for compliance with applicable data protection legislation and fulfillment of related duties. A cloud client must therefore choose cloud providers that will guarantee compliance with the applicable law(s).
  • Cloud providers (as data processors): Cloud providers must ensure the confidentiality of the personal data they handle, and they must comply with the requirements of Article 17 of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”) when providing the cloud services. According to the Opinion, they also must adopt security measures in line with the laws of both the controller’s jurisdiction and the processor’s. Finally, cloud providers must assist cloud clients with addressing data subjects’ claims and the exercise of data subjects’ rights.
  • Subcontractors: According to the Working Party, cloud providers can only subcontract certain services after having obtained the client’s consent (which may be given in a general form at the beginning of the service). Information on the subcontracting of processing services by the cloud provider must be made available to the cloud client, detailing the category of service subcontracted, the subcontractor’s characteristics and the measures or guarantees implemented by the subcontractor to ensure an adequate level of data protection. All the provider’s obligations to the client must be reflected in an agreement between the provider and the subcontractor to allocate responsibility clearly.

Cloud Services Contracts 

Cloud services require a formal contract, according to Article 17(3) of the Data Protection Directive. The contracts between cloud providers and clients must, at a minimum, detail the controller’s instructions to the processor and include the obligation to implement adequate technical and organizational measures to ensure data security. They also should include certain standardized data protection safeguards, including the 14 points outlined by the Working Party in the Opinion (e.g. specification of security measures to be complied with, specification of the conditions for destroying or returning the data once the service is completed, obligation to provide a list of locations in which the data may be processed), as well as measures facilitating accountability, such as third-party audits and certification.

The Opinion further highlights that even in complex arrangements involving different levels of processing and cloud providers, the utmost attention must be given to the allocation of responsibility for data protection. Importantly, the Working Party reiterates a point it made in its Opinion 1/2010 on the concepts of controller and processor, namely that “the imbalance in the contractual power of a small controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law.”

General Data Protection Principles

The Opinion further outlines the general data protection principles that should govern the client-provider relationship, including transparency, purpose specification and limitation, erasure of data, the implementation of technical and organizational data protection measures, the provision of timely and reliable access to data, the preservation of the integrity of data, confidentiality, isolation of data, “intervenability,” portability and accountability.

International Data Transfers 

The Opinion highlights the limitations of the legal mechanisms traditionally used to ensure an adequate level of protection in the event personal data is transferred outside the EEA. The Working Party advises companies exporting data and relying on a Safe Harbor self-certification to conduct further investigations into the implementation in practice of the Safe Harbor principles by the chosen processor, a recommendation previously issued by the i.e. loss of governance, incomplete data deletion, unsatisfactory audit records, etc.), such that additional safeguards must be deployed. The Working Party endorses the use of the proposed Data Protection Regulation concerning a clearer distribution of responsibilities between data controllers and data processors, and details other future developments which may help to define a better framework for data protection in the cloud.
