Background
Cloud computing has revolutionised the way in which businesses store and process data. More and more businesses are turning away from the traditional IT model of owning and maintaining hardware and software in favour of utilising on-demand IT facilities and services offered remotely, or “in the Cloud”, from third party vendors.
Moving to the cloud does not alter the legal obligations imposed on those who hold and process personal information or the risks and liabilities they face if they misuse or fail to adequately protect that data. This has been highlighted by the Data Protection Commissioner, with the publication of new guidance in this area this month. Some of the key areas of concern for businesses utilising cloud computing services for storing personal data are discussed below.
Security and integrity of data
Any business entrusting its data to a third party needs to ensure that it receives sufficient assurances in respect of the technical security and organisational measures governing the processing of the data. In practical terms this means ensuring, prior to the handover of data, that the service provider has sufficient disaster recovery and back-up processes, adequate encryption procedures for when data is “in transit”, appropriate employee access controls, appropriate authentication procedures and audit trails of access. It is important to bear in mind that in the event of a data security breach it will be the data controller (and not the third party) that will be the subject of the Data Protection Commissioner’s investigations and the target of consumer complaints. Service providers’ contracts should reflect this risk and consideration should be given to the Data Protection Commissioner’s guidance on these areas.
Jurisdictional issues and transfer of data
It is generally prohibited to transfer personal data outside of Ireland to any non-EEA jurisdiction that does not have an adequate level of protection, subject to certain exceptions. Businesses outsourcing to the cloud must therefore be certain as to where within the cloud the data could be stored, or agree with the service provider the specific jurisdictions in which the data can be processed, if they are to comply with their obligations. This can be difficult in practice given that many service providers process data across multiple jurisdictions through federated clouds. If such certainty cannot be guaranteed, businesses may need to explore alternative means of complying with their obligations, such as utilising the EU-approved Model Contracts as the basis for the agreement, or else the US “Safe Harbor” arrangement.
The contract: control, risk and flexibility
Any business looking to outsource the processing of personal data is obliged to put in place a formal written contract with the service provider. Frequently, the standardised contracts offered by the larger service providers impose unreasonable terms and conditions, absolving the service provider of even the most reasonable liability and allowing it to terminate the contract unilaterally on short notice.
Businesses must ensure any agreements entered into:
- provide the necessary assurances that the service provider will comply with applicable data protection legislation and with the business’s instructions;
- sufficiently limit their exposure in the event of a data security breach on the part of the service provider;
- guarantee minimum service levels and standards on the part of the service provider (and prescribe appropriate remedies for failure to do so); and
- provide for appropriate termination triggers in the event of repeated, unreasonable downtime or significant system failures.
Next steps
If you are currently utilising cloud computing services, or are contemplating making the transition from conventional IT systems to the cloud, you should consider carefully your extensive obligations under data protection law and the areas of exposure identified above, either when reviewing your existing contracts or before entering into any new agreement.
