There is a general assumption that adopting innovative technology will help improve efficiency and generate cost savings. Unfortunately, new technology is very often considered only from a business and IT point of view, despite it clearly triggering critical issues in terms of legal compliance. Efficiency and cost savings, the key elements of new technology, might imply hidden costs in terms of exposure to risk of non-compliance and data vulnerability.
Cloud computing allows companies to access data and documents, including confidential information, from any computer at any site in the world. To address some of the pitfalls inherent in cloud computing, the Italian Data Protection Authority (IDPA) has released a simple but comprehensive guide for businesses, “How to Protect Your Data Without Falling From a Cloud” (the guidelines), available at www.garanteprivacy.it/garante/doc.jsp?ID=1894503. Although aimed specifically at Italian businesses, the guidelines are useful to any organisation that is considering, or that already uses, cloud computing services.
Types of Cloud Computing
The guidelines define cloud computing as a set of technologies that enable the storage and processing of information by means of the services of a third-party cloud provider. The guidelines also separate cloud computing into private and public systems:
- A private cloud is defined as an IT infrastructure based on a network of computers providing services to a company that hosts the infrastructure on its own premises. Alternatively, management of the network and supply of services may be outsourced by means of a more traditional server hosting agreement, although data is still under the supervision and control of the company user that qualifies as Data Controller.
- A public cloud is defined as an IT infrastructure owned by a service provider that makes its systems available to client users by sharing and offering via the internet certain IT applications, data processing features and data storage services. The services may involve simply a transfer of data to the service provider’s systems or both the storage and processing of data by the service provider. The service provider therefore assumes a key role in ensuring the effectiveness of the measures adopted to protect data stored and/or processed. Even under this definition, however, the client company is recognised as the Data Controller as it is responsible for ensuring the cloud service provider has in place adequate data security.
Regulatory Framework: Roles and Responsibilities
According to the guidelines, the current laws may need to be updated in order to apply adequately to cloud computing. In particular, certain key legal issues—allocation of liabilities, data security, jurisdiction and notification of breaches to the supervisory authority, as already proposed at the EU level—are highlighted as arising from the adoption of data processing and storage services outsourced via the internet.
Nonetheless, the existing rules still apply to cloud services. In particular, by entrusting an external provider with databases and processing operations, the client user (which qualifies as Data Controller) must appoint the cloud service provider as external Data Processor, formally and in writing, as required by the Italian Personal Data Protection Code.
The selection and appointment of the cloud service provider as a Data Processor means the client will need to obtain information on the reliability and business reputation of the provider, its experience in the sector, professional and technical skills, the quality and levels of services it provides, and procedures and policies that will be adopted to protect the integrity and confidentiality of the data processed and stored via the cloud services. The Data Controller is still, however, in principle liable for violations if it is found to have a lack of control or be negligent in entrusting its data processing to third parties and in supervising the Data Processor’s activities.
The guidelines also warn that some services offered by the cloud provider are actually purchased from other service providers, which could pose significant issues as to availability and access to the data. Accessibility is key to being able to provide personal data to data subjects on demand. In this case, the Data Controller must obtain in advance detailed information on each participant company involved at each level (particularly in relation to storage and transfer of the data), in order to make a thorough and considered decision.
The guidelines recommend that adequate insurance coverage for damages is granted by the cloud service provider and indicated expressly in the service agreement. Alternative dispute resolution clauses and penalties should also be outlined clearly.
Server Location and Transfer of Data
Despite cloud computing’s image as an amorphous, “virtual” storage system that does not exist physically in any jurisdiction, data entrusted to a cloud service provider is still subject to the laws of the Data Controller’s home jurisdiction.
The location of the server used for data storage/processing purposes also has a crucial impact on the jurisdiction applicable to data processing and storage security, and the jurisdiction for disputes. As part of the service agreement, therefore, the cloud service provider must state clearly the primary and ancillary location/s of its server/s and business operations. The client will need this information to ensure that transfer of data outside the European Union is compliant with data protection rules.
Because EU rules prohibit the movement of data through or to countries that don’t have adequate levels of protection, many cloud service providers that have facilities located in different countries may not be compliant with the rules on international transfer of data. This means the client company, as Data Controller, may also not be compliant. The guidelines confirm that the IDPA will be strict in this respect, and urge companies to check with their providers to ensure the transfer of data will be legal.
To ensure the movement of data is protected, the guidelines recommend that data is encrypted.
Theoretically, one advantage of cloud services is that a professional cloud provider may adopt a higher level of protection against viruses, hackers or other third-party attacks than that used by a Data Controller. The client cannot, however, make this assumption. The security principles that apply under normal circumstances also apply to cloud computing. Regardless of whether data is held internally or in a cloud, the Data Controller is required to ensure adequate technical and organisational measures are in place to minimise the risk that data may be destroyed, lost or accessed by third parties. The guidelines recommend clients check that necessary measures are in place and that the cloud service provider, particularly in the case of non-EU based providers, holds certifications (such as the International Organization for Standardization security standards) or has in place adequate policies in relation to its security measures and data processing procedures.
Immediate Access to Data and Disaster Recovery
A sensible Data Controller will have in place contingency and backup plans in case of a system breakdown. The same applies to cloud service providers, which must keep a copy of the data by way of a copy database or via a mirror server, as required legally or for tax purposes. This is particularly important in relation to the legal requirement of making data available to data subjects. Any such request (which may include rectification or even deletion of data stored) must be fulfilled within a certain timeframe, and the fact that the system has crashed will not be considered an adequate reason for delay.