The Article 29 Data Protection Working Party Opinion 05/12 on Cloud Computing (the 'Opinion') is aimed at assisting those who choose to engage a cloud computing service provider to comply with the requirements of the Data Protection Directive (95/46/EC) (the 'Directive'). Cloud computing solutions, notably in the form of third party processing services, have dramatically increased in popularity over the last few years. While the continuing adoption of cloud computing is to be welcomed, it does present certain legal challenges and risks.

In issuing the Opinion, it seems the Working Party are encouraging organisations that are planning to engage cloud providers to ensure they understand how and where their data are stored and, importantly, which parties can access such data.

Risk assessment and management

The Opinion recommends that any party which intends to use cloud computing services should conduct a thorough risk analysis to identify and address the perils associated with processing specific types of data in the cloud.

Risk management is a key consideration in any commercial relationship that brings the potential for liability. The Opinion highlights several data protection risks that arise from the use of cloud computing, including:

  • lack of transparency about how the service provider processes personal data, thereby preventing the controller from taking proper measures to ensure data protection compliance;
  • lack of interoperability and data portability;
  • lack of integrity, caused by sharing of cloud resources;
  • lack of confidentiality arising from disclosure of data to law enforcement agencies outside the EU;
  • lack of ability for the customer to intervene in processing owing to the complex chain of processors;
  • inability of the cloud provider to help the controller respond to data subjects' access requests; and
  • possibility that the cloud provider might link personal data from different clients (or a 'lack of isolation' of data).

Risks may be augmented if the cloud service involves:

  • a chain of processors (several tiers of sub-contractors);
  • processing in different countries (and the applicable law in the event of a dispute); and/or
  • the transfer of data to countries outside the European Economic Area ('EEA').

The Opinion suggests that the key to ensuring compliance with data protection law lies in managing the risks identified by a risk analysis. To this end, the Opinion sets out a number of recommendations for organisations engaging cloud providers, some of which are discussed further below.

Identifying roles and recording obligations in the contract

The processing of personal data in a cloud relationship will usually involve a data controller and a data processor. Clients will typically act as data controllers with the providers being the data processors, although it is noted in the Opinion that there will sometimes be circumstances which also render the provider a data controller (e.g. if the provider is engaged in legitimate processing for its own purposes as opposed to those of the client). As responsibilities differ depending on what role a party has, the roles should be clearly identified in the contract.

The Opinion highlights that the ultimate responsibility for compliance with data protection law remains with the controller, whether or not they choose to delegate the processing of data.

Article 17(3) of the Directive requires there to be a contract or other binding legal act to govern the relationship between the cloud computing client (the 'client' or the 'controller') and the cloud computing service provider (the 'service provider' or the 'processor'). It is recommended in the Opinion that this agreement be in the form of a written contract which is negotiated between the two parties, as opposed to standard terms and conditions of the service provider (for the reasons discussed further below).

The Opinion discusses at length the need to identify and allocate the fundamental aspects of data protection compliance that apply to a cloud computing relationship, and to deal with them fully in the agreement between the parties. This is in order that the data controller is enabled to comply with its responsibilities under data protection law, and has recourse to contractual remedies where necessitated by acts or omissions of the processor in respect of its data processing activities.

Hence before concluding a contract, it is imperative that the parties identify their roles in the relationship and allocate the responsibilities and requirements that need to be covered by the agreement accordingly.

Other suggested inclusions for the contract are discussed below.

Compliance with fundamental data protection principles

The Opinion explains that the basic principles of data protection law do not change simply because those controlling and managing the data do so through different media. Such fundamental principles include:

  • the guarantee of transparency vis-à-vis the data subject;
  • compliance with the principle of purpose specification and limitation;
  • erasure of personal data once retention is no longer necessary; and
  • the physical security of data.

Transparency and security

Cloud computing brings with it different transparency and security issues to consider. For example, applying the transparency requirement in the Directive, it is necessary for a client to be made aware of all subcontractors contributing to the processing of data as part of the cloud solution, as well as the location of all data centres. This also feeds into the requirement in the Directive of ensuring that personal data are only processed in a way that is compatible with the purposes for which they were collected.

In order to ensure that the transparency obligation of the controller is adequately complied with, clients are required to choose a service provider which gives sufficient guarantees in respect of the technical security and organisational measures governing the processing to be carried out.

For this reason, the Opinion advises that the contract between the service provider and the client should state the technical and organisational measures to be deployed to ensure transparency. The contract should also contain assurances regarding the logging and auditing of relevant processing operations that are performed by any sub-contractors or employees of the service provider.

Arguably, the steps recommended in the Opinion for a data controller to take in order to diminish the risks associated with cloud services go beyond the strict obligations on the data controller under the Directive. The Opinion calls for the contract with the cloud provider to include comprehensive provisions regarding security measures addressing, amongst other things:

  • (as above) auditing and logging processing of personal data undertaken by employees of the service provider or its sub-processors;
  • service levels to reflect the standard of expected processing, with specific contractual remedies for the controller applicable in circumstances where the cloud processor fails to realise such service levels; and
  • provision of a list of all locations at which the data will be processed by the processor to the controller.

Standard terms and conditions

The Opinion warns organisations against accepting standard terms and conditions of the service provider. According to the Working Party, "in many cases, cloud service providers offer standard services and contracts to be signed by controllers, which set forth a standard format for processing personal data. This imbalance in the contractual power of a small controller with respect to large service providers should not be considered as a justification for the controllers to accept clauses and terms of contracts which are not in compliance with data protection law."

In practice, it will be challenging for all but those large customers with significant negotiating leverage to effect significant changes to the standard terms of the majority of cloud service providers.

Use of sub-processors

The nature of cloud computing services means that contracted parties may be used as sub-processors by the service provider. In so doing, the sub-processor may gain access to personal data.

The Opinion provides that controllers should investigate, and processors should inform their clients, where the processor sub-contracts services out to sub-processors. Controllers should discover the type of service sub-contracted, the characteristics of current or potential sub-contractors and the guarantees that these entities offer to the service provider.

The Opinion recommends that a client should include terms in their contract with the service provider to the effect that sub-processing is permitted only with the prior written consent of the client, and on the same terms as are imposed on the sub-contracting service provider.

It seems that the intended structure of such agreements is such that the client has meaningful contractual recourse possibilities in the event of any breach or problems with the service provider or sub-contractor.

International transfers and Safe Harbor

Specific safeguards must be put in place by the parties to a cloud computing agreement where the data are being transferred to countries outside the EEA that have not been adjudged to provide an adequate level of data protection. (Currently, the following countries are considered as having adequate protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey and Switzerland.)

The Opinion specifically discusses the US Safe Harbor regime and, for the first time, indicates that compliance with the Safe Harbor principles may not be sufficient to address the security risks that arise in relation to transfers of personal data to the US and which take place in the context of cloud computing.

The Working Party states that "sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment". This is because, the Opinion suggests, data security in a cloud computing context raises several cloud-specific security risks which are not sufficiently addressed by the existing Safe Harbor principles on data security. For this reason, the Opinion suggests that additional safeguards for data security, taking into account the specific nature of the cloud, may need to be deployed to complement the commitment of the data importer to Safe Harbor.

Further, the Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. "On the contrary, the company exporting the data should obtain evidence that the Safe Harbour self-certification exists and request evidence demonstrating that their principles are complied with".

Contractual safeguards

Contractual safeguards are discussed at length in the Opinion. In this context, the Opinion contains a list of suggested issues that should be addressed in the cloud computing contract, including:

  • description of instructions from client to service provider;
  • specification of security measures, bearing in mind the possible additional obligations of domestic legal requirements;
  • time frame, extent, manner, purpose and type of processing to be done;
  • procedure for extraction, removal or returning of data;
  • confidentiality clause binding on service provider, employees and sub-contractors;
  • obligations of service provider to assist the client in facilitating the exercise of data subjects' rights;
  • provisions in relation to subcontracting of services or other communication of data to third parties;
  • obligation to notify the client of any data breach which affects the client's data;
  • obligation of the service provider to provide a list of locations in which the data may be processed;
  • the controller's rights to monitor and obligation of service provider to cooperate;
  • notification to client where there are changes to functions or implementation of the cloud computing service;
  • provision for logging and auditing of relevant processing operations on personal data that are performed by the service provider or sub-contractors;
  • notification (where legally possible) to the client about any legally binding request for disclosure of the personal data by a law enforcement authority;
  • general obligation for the service provider to give assurances that its internal organisation and data processing arrangements are compliant with the applicable national and international legal requirements and standards; and
  • any relevant penalties.

Third party certificates

The Opinion identifies independent verification or certification by a reputable third party as a credible means for cloud providers to demonstrate to the client their compliance with their data protection obligations. This could involve certification indicating that data protection controls have been audited or reviewed to a recognised standard. Ideally, such certificates would address the processes and technical measures used by service providers that guarantee data protection. The client could thereafter take into account the provision of such certifications when deciding whether to enter into an agreement with a cloud computing service provider.

New Regulation

The Working Party welcomes parts of the proposed Regulation, in particular:

  • Article 26, to the extent it would increase the accountability of processors to controllers; and
  • Article 30, which would oblige processors to implement appropriate technical and organisational measures.

The Opinion suggests that the Working Party regards these proposed measures as potentially beneficial in the context of cloud computing, given that they assist the client in exercising more control over how the service provider processes the client's data in the context of delivery of its cloud service.

End user licenses

The Opinion addresses the issue of unfavourable user licence agreements for cloud services (although not in a fashion that will provide much comfort for small businesses). The Working Party has stressed that a disparity in negotiating clout does not justify a data controller entering into a contract which is deficient in terms of compliance with data protection obligations.

DPC's guidance

In close succession to the publication of the Opinion, the Office of the Data Protection Commissioner issued guidance entitled 'Data Protection in the Cloud'. This guidance highlights the prominence that should be accorded to data security in a cloud context, identifying in particular the necessity for controllers to consider issues such as:

  • back-up or disaster recovery measures;
  • processing oversight;
  • data breach management procedures; and
  • data extraction from a cloud solution.

The guidance restates a key theme of the Opinion: that the core compliance responsibility sits with the data controller, even where the processing of data is contracted to a cloud service provider; hence the requirement for an agreement in writing to be in place between a cloud user and the cloud service provider.

Conclusions

The key recommendations in the Opinion will be of little surprise to those following developments in this area.

In the first instance, the Opinion places the onus squarely on organisations who wish to take advantage of cloud services to conduct their own thorough risk analysis from a data protection point of view.

The Opinion reminds controllers that ultimate responsibility for compliance with data protection obligations remains with the data controller, whether or not they choose to delegate the processing of data to a third party. Further, in order to ensure that this obligation is adequately complied with, data controllers are required to choose a service provider which will give them sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.