The Article 29 Working Party established under the EU data privacy legislation published an opinion on 1 July 2012 addressing the data privacy compliance concerns associated with the use of cloud computing solutions.
The Working Party identified the concerns as falling into two categories:
- Lack of Control: Cloud clients lose control of the technical and organisational measures necessary to ensure the availability, integrity, confidentiality, transparency, isolation and portability of data;
- Lack of Information Processing: Insufficient information about a cloud services processing operation poses a risk to controllers as well as to data subjects, because they might not be aware of potential threats and risks and, therefore, cannot take measures they deem appropriate.
The opinion is a reminder of the key contractual safeguards that must be put in place between the controller and the cloud service provider. The cloud service provider must agree to follow the instructions to the controller and must implement technical and organisational measures that are adequate to protect the personal data being put into the cloud-based solution. Among the particular provisions specified by the Working Party are:
- an obligation by the cloud provider to supply a list of the locations in which the data may be processed;
- a general obligation by the provider to give assurance that its internal organisational and data processing arrangements (and those of subprocessors) are compliant with applicable national and international legal requirements and standards.
These two requirements are sometimes problematic for the customer, and the fact that they are specifically referred to in the opinion will strengthen the negotiating position of controllers wishing to put in place arrangements for the processing of personal data by cloud service providers.
Working Party recommendations include:
- a controller should select a cloud service provider that guarantees compliance with the EU data privacy regime by agreeing to the specific contractual protections referred to below;
- where (as is almost inevitably the case) a cloud service provider subcontracts processing to subprocessors, this should only be permitted where the identity of the subprocessor is disclosed to the data controller and the cloud service provider flows down its contractual obligations to the data controller to its sub-processors so that the controller has some contractual recourse in the event of breaches by subprocessors.
The specific contractual protections include:
- only authorised personnel to have access to the data;
- subcontractors must be identified and the controller must have a right to terminate the contract in the event of changes;
- cross-border transfers of data shall only be permitted where lawful—for example, because the recipient has executed the EU model terms—and the cloud provider must guarantee the lawfulness of cross-border transfers;
- the controller must have the right to audit the processing activities.
The opinion also raises the possibility that independent verification or certification of compliance with the requirements specified in the opinion could be provided by an independent third party, such as ISO, the IAASB or the Auditing Standards Board of the American Institute of Certified Public Accountants.
Data controllers who deploy or plan to deploy cloud computing solutions should review the Working Party recommendations and treat them as a checklist of the issues to cover in any cloud services contractual arrangement.