With the increased use of cloud computing services, concerns about protecting users’ privacy in the cloud have become of the utmost importance. Cloud computing services can store a huge amount of data and information on various servers and process it for a wide variety of purposes, including through interaction between providers (e.g. Dropbox is based on Amazon’s servers!). Because of these peculiarities, the processing of personal data in the cloud carries a great risk of data breaches and at the same time poses challenges from a regulatory perspective.
In the absence of a specific regulation on cloud computing, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “DPA”) has recently issued the guidance CLOUD COMPUTING – Proteggere i dati per non cadere dalle nuvole (“Guidance”). It is addressed to cloud clients, draws their attention to the potential risks of the cloud, and advises them on how to use cloud services safely by providing them with the “Decalogue for an informed choice”.
As essential background, the DPA Guidance examines the roles played by cloud clients and cloud providers under the Italian Privacy Code’s categorization of the subjects involved in data processing. Cloud clients are generally considered data controllers, since they are the ones who determine the ultimate purpose of the processing and decide to outsource it and delegate it to an external entity. However, the tasks generally assigned to data controllers by the Italian Privacy Code – such as the autonomous definition of the purposes and methods of the processing, including security aspects, as well as periodic checks on the performance of the data processor – may be difficult for the cloud client to handle alone. Therefore, depending on the concrete circumstances, the cloud provider might also take on the role of either joint or autonomous data controller, with significant consequences in terms of liability.
This situation, which represents a fundamental departure from traditional models based on a clear distinction between roles, creates a concrete risk of “negligent conflict of competence” among the various controllers and calls for cloud clients to adopt specific precautions in their relationship with cloud providers. For this reason, the Guidance suggests that cloud clients perform a comprehensive and thorough risk analysis of the chosen cloud service. It is also very clear in stressing the importance of appointing a trustworthy cloud provider and of making sure that compliance with data protection rules is ensured and that liabilities for possible breaches are clearly allocated.
However, in practice cloud clients’ control over data processing tends to be very poor. They are generally given insufficient information on how, by whom and especially where the data is being processed, because of the redundancy and duplication of data on different servers at different locations that is typical of cloud services. In this regard, the Guidance specifically recommends that cloud clients check where the collected data is physically stored and what type of service is provided, i.e. whether the cloud provider itself will hold the data, acts as a service intermediary, or relies on technologies made available by a third party. The location of the data is important not only to establish the jurisdiction and the law applicable in the case of disputes, but also to assess whether the level of protection offered is adequate as required by European and national data protection regulations. This is a particularly hot topic at the moment, since the “Safe Harbor” for data transfers has been declared void (see our previous posts on the topic here and here).
In light of the above, despite the very useful advice of the Italian DPA, it is a general remark that the current regulations on data protection are obsolete in certain respects and risk hampering innovation and the development potential of the cloud. It is therefore desirable that up-to-date rules be implemented at national and European level to capture the peculiarities of the cloud, in particular by providing a better balance of liabilities between data controller and data processor and a regulation that is focused more on data security than on data location.