The Irish Data Protection Commissioner recently issued guidance in relation to data protection issues to be considered when contracting for cloud computing services. The primary focus of the Commissioner is on the security of data processed in the cloud. The Commissioner references the recently published opinion of the Article 29 Working Party in relation to cloud computing (Opinion 05/2012) which also provides useful guidance on this topic.
Ultimately responsibility for security of personal data rests with the data controller under Irish data protection legislation. The data controller is obliged to ensure that it meets the security requirements set out in the legislation in the event that responsibility for data processing is outsourced to any service provider, including a cloud provider.
The guidance from the Commissioner states that security standards of a “very high level” must be in place where personal data is being processed by a cloud provider. As the legislation is drafted in a technology neutral manner, there is no specificity provided in the legislation, or in the Commissioner’s guidance, in relation to the type of security measures required to meet this high standard.
In line with the recommendation of the Article 29 Working Party opinion, the guidance recommends that when engaging a cloud service provider assurances must be obtained in relation to issues such maintaining the integrity of the data (including back-up and disaster recovery mechanisms), prevention of unauthorised access to data, adequate oversight of any sub-processors used, procedures in the event of a data breach and the right of the data controller to remove, erase or transfer data.
The Commissioner and the Article 29 Working Party both recognise that auditing a cloud provider may not always be the most practical option for a data controller. The Commissioner advises that where there is a multi-tenanted cloud structure, a third-party certification to approved international standards may be more appropriate than a direct right to audit.
The Article 29 Working Party also advises that, in certain circumstances, individual audits of cloud providers may be impractical and independent verification or certification by a reputable third party can be a credible means for cloud providers to demonstrate compliance with their obligations.
Transfers of personal data are permitted within the EEA on the basis that personal data processed within the EEA will benefit from the common data protection standards derived from Directive 95/46/EC. However, given the nature of certain cloud services, it is possible that the data will be transferred outside the EEA during the course of the provision of the services.
According to the Commissioner’s guidance and Irish data protection legislation, the cloud customer (as data controller) will have to ensure prior to any proposed transfer of data outside of the EEA, that an “adequate” level of protection is in place. The EU Commission has deemed Switzerland, Guernsey, Argentina, Isle of Man, Canada, Faroe Islands, Jersey, Andorra and Israel to be countries which provide an adequate level of data protection.
Irish data protection legislation also provides that, in the event an adequate level of protection is not in place, personal data may be transferred outside the EEA in accordance with the US Safe Harbor programme, EU model contracts or Binding Corporate Rules.
Data protection legislation stipulates that, in cases where personal data is being processed for a data controller by a data processor, a written contract must be in place between the data controller and data processor. The contract must provide that the data processor will only process personal data in accordance with the instructions of the data controller and that the data processor will implement appropriate technical and organisational security measures to protect such personal data.
The Article 29 Working Party emphasises that applicable cloud contracts must include a set of standardised data protection safeguards (ie, security assurances) as well as additional mechanisms that can prove suitable for facilitating due diligence and accountability (such as audits or third party certification).
Certain contracts for cloud services will be concluded online on the basis of the cloud provider’s standard terms and conditions. It is important that data controllers read such terms and conditions to ensure that they contain the provisions required by data protection legislation as discussed above.
Implications for the Cloud
The Article 29 Working Party opinion and the Commissioner’s guidance advise businesses to conduct comprehensive risk assessments of any prospective cloud provider. The same data protection concerns exist for a data controller when outsourcing data processing to a cloud provider as to any other provider of data processing services. The guidance, however, places particular emphasis on the necessity for a high level of security when contracting for data processing services in the cloud space.
It is critical that a data controller assess the service offering of the cloud services provider and the terms and conditions of the contract to ensure that, as a data controller, it will be in compliance with its obligations under data protection legislation in the event that the data processing is outsourced to the cloud services provider.
The Commissioner notes that the technology surrounding cloud computing is constantly evolving. It is likely, therefore, that further guidance will be needed in the future to keep pace with the developing technology.