On 3 July 2012 the Irish Data Protection Commissioner published a guidance note (the “Guidance Note”) on the application of Irish data protection law to cloud computing. The Guidance Note is intended to assist entities that are considering using cloud computing solutions to hold or manage data in identifying and addressing potential data protection issues. The Commissioner published the Guidance Note on foot of the publication by the EU Article 29 Data Protection Working Party of Opinion 05/2012 on Cloud Computing (“WP 196”).
According to the Guidance Note, three key data protection issues must be considered by a data controller who is considering using cloud computing services to host or manage personal data for which the data controller is responsible, namely: (i) the security of the data; (ii) the location of the data; and (iii) the requirement to ensure that there is a written contract in place between data controller and the cloud provider.
Under Section 2C(3) of the Irish Data Protection Acts 1988 and 2003 (the “DPA”), where data processing is carried out by a data processor (in this case, a cloud provider) on behalf of a data controller, the data controller must ensure that the processing is carried out pursuant to a written contract, which provides: (i) that the processing will be carried out only on and subject to the instructions of the data controller; and (ii) that the data processor will comply with security obligations which are equivalent to those which apply to the data controller under Section 2(1)(d). The Commissioner has indicated in the Guidance Note that, in the case of cloud computing, a data controller would need to be satisfied that the cloud provider maintained security standards ‘of a very high level’. A cloud provider should be in a position to give assurances to a data controller on key issues, such as: backup and disaster recovery measures; prevention of unauthorised access to personal data; appropriate oversight of and contractual arrangements with any third party sub-processors; procedures for dealing with data security breaches; and the right for the data controller to remove or transfer the relevant personal data (either to in-source the storage of the data or to transfer it to a replacement cloud provider). Furthermore, a data controller should either ensure that it has a contractual right to carry out a security audit of the cloud provider, or at least include an obligation on the cloud provider to furnish it periodically with third party certification of adherence to internationally approved security standards.
Under Section 11 of the DPA, personal data may not be transferred outside the European Economic Area to a jurisdiction which is not recognised by the European Commission as having an adequate level of protection for personal data, unless the transfer is covered by one of the exceptions set out in Section 11(4). For the purpose of data protection legislation, data which is held in a cloud is regarded as being located in the territory where the servers which host the cloud are located. As such, cloud computing will often involve the transfer of data to various jurisdictions, since clouds tend to be hosted by multiple servers located in different countries. Where a cloud provider relies on servers located outside the EEA, the data controller will need to ensure that it is lawful for the relevant personal data to be transferred to such locations (i.e. that the locations are recognised as having adequate data protection laws or that the transfer is covered by one of the exceptions set out in Section 11(4)). In the Guidance Note, the Commissioner indicated that, of the various arrangements regarding transfers which are permitted under Section 11, those which are likely to be of greatest relevance in this context are (i) in the case of transfers to the United States of America, that the cloud provider adheres to the Safe Harbor principles; or (ii) where appropriate contractual protections are put in place (either through the use of EU-approved ‘model contracts’ or the use of ‘Binding Corporate Rules’ which have been approved by the Data Protection Commissioner or another national data protection authority in the EU).
As mentioned above, under Section 2C(3) of the DPA a data controller must ensure that there is a written contract in place with a data processor, such as a cloud provider. The Guidance Note also clarifies that, to the extent that a cloud provider uses any sub-processors, the data controller should ensure that its contract with the cloud provider includes an obligation on the cloud provider to include in its agreement with each sub-processor the same data protection obligations that are to be included in the contract between the data controller and the cloud provider.
The Guidance Note also includes references to further guidance materials regarding cloud computing that have been published recently, namely (i) WP 196; (ii) a document which was published by the National Standards Authority of Ireland entitled “SWiFT 10:2012 Adopting the Cloud - decision support for cloud computing” (“SWiFT 10:2012”); and (iii) guidance materials published by the European Network and Information Security Agency (ENISA). Each of these materials contains a more detailed analysis of data protection issues which may arise in relation to cloud computing.
One of the key recommendations set out in WP 196 is that, prior to entering into a cloud computing arrangement, a data controller should carry out a comprehensive and thorough risk analysis. In this regard, it is worth noting that for Irish data controllers, the ‘decision support matrix’ set out in SWiFT 10:2012 may provide a useful framework for, among other things, carrying out such a risk analysis.
WP 196 provides a more detailed description of data protection risks in relation to cloud computing than is set out in the Guidance Note. It is notable that the steps which the Working Party recommends a data controller should take to mitigate these risks would appear in certain cases to go beyond the current understanding of a data controller’s obligations under the EU Data Protection Directive (95/46/EC), as implemented in EU member states. For example, the Working Party has indicated that while a data controller must, as a minimum, ensure that a contract with a cloud provider includes express obligations on the cloud provider to follow the instructions of the data controller and to implement appropriate security measures to protect personal data, a data controller should seek to include much more detailed provisions in the contract regarding security measures and cross-border transfers of personal data. According to the Working Party, such provisions should include, amongst other things:
- an obligation on the cloud provider to provide a list of all locations (not only those outside the EEA) at which the data will be processed;
- an obligation to log and audit any processing operations on personal data that are carried out by employees of the service provider or any sub-processors;
- service levels regarding processing activities and express remedies for the data controller where the cloud provider fails to achieve such service levels; and
- specific procedures regarding the secure erasure of personal data.
In addition, regarding transfers of personal data to the US, the Working Party has indicated that compliance with the Safe Harbor principles may not be sufficient to address the security risks that arise in relation to cloud computing. On this basis, the Working Party has opined that even where a cloud provider holds a Safe Harbor certification, it may be advisable for a data controller to require the cloud provider to include in the contract between the parties additional security obligations which go beyond the Safe Harbor security requirements. The Working Party has also emphasised that, in its view, an imbalance in contractual negotiating power (which would often arise between a data controller and a multi-national cloud provider) should not be considered as a justification for the data controller to enter into a contract which does not include provisions which the data controller is obliged to ensure are included under applicable data protection legislation.
The references in the Guidance Note to WP 196, SWiFT 10:2012 and the ENISA guidance materials would seem to indicate that the Commissioner generally agrees with the interpretations of data protection principles and their application to cloud computing which are set out in these materials. It remains to be seen, however, whether the Commissioner will apply, in particular, any of the more expansive interpretations of data protection law which have been proposed by the Working Party in WP 196 when considering the application of the DPA to cloud computing arrangements.