The Article 29 Working Party on 1 July 2012 adopted Opinion 05/2012 on cloud computing (WP 196) in which it reviewed the rights and obligations placed on various parties when processing personal data in the cloud. The Opinion considers the applicable principles for both controllers and processors from the Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC as amended).
The key issues considered by the Working Party included the scope of purpose for data processing, the deletion of personal data, international transfer, and technical and organisational measures relating to the security of personal data. The Opinion also details certain requirements of the contractual arrangements used to regulate the relationship between the client and the cloud provider.
The key risks arising from the use of personal data in cloud computing fall into two broad categories: lack of control over the data and lack of transparency regarding the processing operation itself. The Opinion makes clear that it remains the controller’s responsibility to appoint a cloud provider that guarantees compliance with data protection legislation, especially with regard to technical and organisational measures, cross-border data flows and accountability. The Article 29 Working Party pays little attention to the argument that cloud providers often rely on standard terms and leave little room for negotiation of bespoke terms.
EU law requires that a data controller and data processor relationship be recorded by contract. The Opinion states that, as a minimum, any such contract must establish that the processor is to follow the instructions of the controller, and that the processor must implement technical and organisational measures to adequately protect personal data.
The Working Party also suggests a number of other issues that should be addressed in the contract, including explicit service levels and penalties; the specification of locations of processing; security measures, including auditing and logging, taking into account types of data and risk; the extent, manner and purpose of the processing of personal data by the provider; specification of the return or deletion of personal data; confidentiality; restrictions on the appointment of subprocessors; obligations and responsibilities with regard to data breaches; and obligations to notify changes to the services or legally binding requests for disclosure of the personal data. It should also be made expressly clear that where a processor breaches the agreement and uses personal data for its own purposes, the processor shall be deemed a controller and bear sole liability for any non-compliance.
The Opinion supports the use of the European Commission’s standard contractual clauses where appropriate, for example where a company based in the European Economic Area (EEA) appoints a non-EEA cloud provider to act as a data processor. Although the standard clauses do not cover all complexities arising from the processing of personal data in the cloud, the parties are encouraged to add additional clauses to the standard contractual clauses to address specific issues. Care should be taken when adding such clauses to ensure they do not conflict with the standard contractual clauses or prejudice the fundamental rights and freedoms of any data subject. It should also be noted that where additional clauses are incorporated, some jurisdictions may require the contract to be approved by the local Data Protection Authority prior to it being used.
With regard to transfers to the United States—the location of many cloud providers—the Working Party is concerned that the Safe Harbor self-certification process may not provide sufficient protection for personal data, especially in the area of data security.
Data protection legislation should not be a bar to using cloud services, provided sufficient analysis is undertaken prior to contracting. The Opinion does not have all the answers, but it does highlight the issues to be considered and some potential solutions to ensure that cloud computing is data protection-compliant.
It is clear that the Working Party believes it is imperative that a risk analysis is undertaken to ensure that the personal data placed in the cloud is protected adequately and that the cloud service provider is able to fulfil its obligations regarding transparency, accountability and retention, so as to enable the client to meet its obligations as data controller. How easy and cost-effective it will be for smaller companies to negotiate these points against large network providers is unclear, but that is a concern for the company and not, it appears, for the Article 29 Working Party.