The EU's Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of 'Cloud Computing' – a term which not only invokes debate
The EU's Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of 'Cloud Computing' – a term which not only invokes debate in data privacy circles about what it is (it's essentially the use of technologies which focus on efficient internet-based delivery of IT applications, processing services and memory space) but also the risks of such technology. The truth is, cloud services are here to stay, delivering efficiencies to a huge number of public authorities and global organisations – witness the City of Los Angeles who signed a deal with Google for the use of its cloud services to deliver more efficient public services and store data; or more recently Apple's 'iCloud' service which allows its army of users to purchase, store and access media content and personal documents across their Apple devices.
Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is very keen to express the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by 'cloud clients' as they surrender their personal data to the 'cloud providers' and therefore their control of technical and organisational measures to ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally refers to 'cloud clients' as data controllers – on the basis that they generally determine the purpose and outsourcing of the processing and 'cloud providers' as 'data processors' on the basis that they provide the cloud services - based on the instructions of their clients.)
The Opinion also highlights a lack of 'transparency' as another risk, whereby insufficient information on a cloud provider's operations poses a risk to clients and data subjects; on the basis that they may not be aware of potential threats to their data and therefore cannot take appropriate actions. Therefore, the Working Party highlights the need for such 'cloud clients' to carry out adequate risk assessments of potential cloud providers before implementation of any project.
The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients 'may not have room for manoeuvre' with regard to contractual terms when negotiating with cloud providers – particularly many of the larger providers who offer 'standardised' services. Nevertheless the Opinion emphasises that it is still the cloud client who assumes the role of 'data controller' (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.
In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:
- the technical and/organisational measures to be implemented by the cloud provider, including clarification of the responsibilities of the cloud provider to notify the cloud client in the event of a data breach.
- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.
- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.
- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.
- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard - with the client retaining the power to object to such changes and/or terminate the contract.
- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.
Finally, the Opinion recognises the need to regulate data transfers to so-called 'third countries' in the context of cloud services but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the 'adequacy' of such transfers are somewhat limited. In this regard, the opinion starts by rejecting the Safe Harbor mechanism as a transfer solution (on the basis that Safe Harbor certification alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by Data Protection Authorities at the national level – particularly on the data security issues applicable to cloud computing – the Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective in this regard).
Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with its applicable sub-processor provisions) but more importantly recognises the suitability of the BCR framework; and specifically the ongoing development of Binding Safe Processor Rules (BSPR) which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.
In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party's expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.
Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is very keen to express the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by 'cloud clients' as they surrender their personal data to the 'cloud providers' and therefore their control of technical and organisational measures to ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally refers to 'cloud clients' as data controllers – on the basis that they generally determine the purpose and outsourcing of the processing and 'cloud providers' as 'data processors' on the basis that they provide the cloud services - based on the instructions of their clients.)
The Opinion also highlights a lack of 'transparency' as another risk, whereby insufficient information on a cloud provider's operations poses a risk to clients and data subjects; on the basis that they may not be aware of potential threats to their data and therefore cannot take appropriate actions. Therefore, the Working Party highlights the need for such 'cloud clients' to carry out adequate risk assessments of potential cloud providers before implementation of any project.
The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients 'may not have room for manoeuvre' with regard to contractual terms when negotiating with cloud providers – particularly many of the larger providers who offer 'standardised' services. Nevertheless the Opinion emphasises that it is still the cloud client who assumes the role of 'data controller' (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.
In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:
- the technical and/organisational measures to be implemented by the cloud provider, including clarification of the responsibilities of the cloud provider to notify the cloud client in the event of a data breach.
- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.
- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.
- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.
- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard - with the client retaining the power to object to such changes and/or terminate the contract.
- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.
Finally, the Opinion recognises the need to regulate data transfers to so-called 'third countries' in the context of cloud services but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the 'adequacy' of such transfers are somewhat limited. In this regard, the opinion starts by rejecting the Safe Harbor mechanism as a transfer solution (on the basis that Safe Harbor certification alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by Data Protection Authorities at the national level – particularly on the data security issues applicable to cloud computing – the Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective in this regard).
Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with its applicable sub-processor provisions) but more importantly recognises the suitability of the BCR framework; and specifically the ongoing development of Binding Safe Processor Rules (BSPR) which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.
In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party's expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.