Cloud computing raises difficult data protection issues. In this article we highlight just three of these issues which are relevant for businesses looking to use cloud computing: responsibility for data protection compliance; data security and data location. There will be many other commercial issues such as the risk of lock-in to the service, the service levels offered and long term viability of the service offering.
What is Cloud Computing and how is it regulated?
Cloud computing is a way of providing services over the internet. Service providers make available web servers that can accept and store data from users to provide the services. Users access the services using their web browsers. Some services are free; others are provided on a pay-as-you-use or subscription basis.
The social networking site Facebook implements cloud computing. A user can log on to the Facebook site through a web browser in order to send messages, chat and share files. Microsoft Hotmail is widely accessible email service which operates as a cloud computing facility.
Cloud computing is not just limited to consumer use, and can be attractive to SMEs or to larger organisations. The “cloud” can be an external, public cloud such as Facebook or Hotmail, or an internal, private cloud within one organisation. So, cloud computing is rapidly growing both on an individual basis and amongst commercial entities. It offers a flexible and easily accessible alternative to conventional IT outsourcing and has the potential to offer vast cost savings in the provision of IT infrastructures.
There is currently little regulation specific to cloud computing. Data protection regulation will be relevant where the services are used to handle personal data.
The “Open Cloud Manifesto” (available at www.opencloudmanifesto.org published in Spring 2009) provides high level principles that providers should adhere to. The Manifesto was created by IBM, Cisco, SAP, EMC and a number of other leading technology companies. This document is not intended to form formal guidance, but rather initiate debate on what such a guidance document should, or indeed could, contain while cloud computing and its practices are still very much in evolution. Interestingly, Microsoft, Amazon.com, Google and Salesforce.com declined to take part in the Manifesto, indicating that industry agreement may not be close.
Responsibility for data protection compliance
Where a business is located in the UK, it will be subject to the Data Protection Act 1998 (the Act) when handling personal data. As a result if that business decides to use cloud computing it will need to ensure that the cloud computing services comply with the Act. Most cloud computing relationships are complex and involve the transfer of data across multiple jurisdictions. As the data controller, the customer is solely responsible for compliance with the Act. This includes the obligation to ensure that the customer retains close control over its personal data, even when the data is being processed by a third party on the customer’s behalf. It is likely that the cloud computing service provider will consider itself to be a data processor for the purposes of the Act. The relationship envisaged by the Act between data controller and data processor, is a simpler and cleaner one. Not the type of relationship which is likely to exist in a cloud computing service, where the customer is very unlikely to know if and when the data is moved, how it is stored, who has access and the security measures in place. It is quite possible therefore that the basic decision on who is responsible for data protection compliance will be in dispute, with customers or data protection regulators believing that service providers are at least partly responsible and acting as data controllers.
Whatever the decision on the status of the service provider, prevention is better than cure. So using services which do not suffer data losses or unauthorised disclosures will reduce the risk of individual complaint and investigation by the data protection regulators. Therefore it is essential that customers choose reputable and effective service providers who are able to offer the necessary assurances that their services will meet the requirements of the Act. Contracts for cloud computing services should address compliance with the Act (covering the obligation to process in accordance with the customer’s instructions and ensure adequate technical and organisational security measures) and identify the extent to which a service provider will recover lost data or cover the cost of re-imputing data. While obtaining such assurances may increase the service costs, this will be money well spent as it will improve the security of the data and the protection available to the customer in the event of data losses or unauthorised disclosures.
When negotiating the contract for cloud computing services, customers should particularly consider the following:
- Customers should gain as much information as possible about the likely third parties that may potentially access the data in order to ensure that they are fulfilling their obligations as data controller. The nature of cloud computing means that many third parties may access the data across a number of jurisdictions;
- Customers should obtain warranties from the service provider as to the treatment of personal data processed within the cloud
- Customers should seek an independent security audit of the service provider and ensure adequate ongoing audit rights;
- Customers should aim to set out their own security policy surrounding data and have the service provider agree to that where possible;
- Customers should ensure that the service provider is willing and able to comply with any relevant sector-specific regulation, for example within the healthcare industry;
- Customers should consider whether they wish their applications to be hosted on hardware that is specific to them, however this may significantly limit the financial benefits of cloud computing;
- Customers should ensure that there is continuous physical security at the service provider’s premises and that physical entry to those premises is limited to authorised personnel only;
- Customers should ensure that they have rights to change the way their data is treated should new legislation or circumstances require it; and
- Customers should ensure that all of the service provider’s personnel with access to the data have been security vetted; and ensure that there is a sufficient and effective system of back-ups should there be a security breach.
Location of the data
Customers will need to be aware that local laws may apply to the data held on servers within the cloud. This raises, for example, concerns about access to data in the US under the Patriot Act or US litigation. However the more obvious data protection issue relates to the distributed nature of the data within the cloud computing service.
In order to benefit from optimised use of infrastructure and resources, cloud computing assumes that data will be moved geographically. Therefore it would be rare to see a contract for cloud computing where the customer is guaranteed that their data would not be transferred outside a specified country or region. (Although we may start to see cloud computing services which are restricted to a specified geographic location, see, for example, Amazon Web Service’s Availability Zones).
Under the Act, transfers of personal data outside the European Economic Area (the EEA) are prohibited, unless adequate protection is shown. (The EEA includes all countries in the European Union, together with Iceland, Liechtenstein and Norway). Therefore, where a cloud computing service is provided within the EEA there will be no issue. Equally, if the service is provided within the approved jurisdictions only there will be no data protection issue (i.e. within Argentina, Guernsey, Isle of Man, Jersey and Switzerland together with Canada and the USA in certain circumstances). However these scenarios are unlikely. In reality, the customer will need to address a situation where the personal data may be sent to any number of servers in any number of jurisdictions worldwide.
As a data controller, the customer again has responsibility to ensure that this part of the Act is complied with and that adequate protection is given to the data which held within the cloud computing service. Without knowing the jurisdictions where the data may be sent, it will be difficult to do this. In practice, unless the service provider will commit to using a specific geographic region, the customer will take some risk.
Customers may consider using the consent of individuals to permit the transfer outside the EEA. However, using consent is difficult. (How to show freely given, specific and informed consent? What if consent is withdrawn?)
In practice therefore customers are likely to look to a contractual situation, using the EU approved standard contractual clauses for data processors established in third countries (both the EU drafted and approved clauses (Commission Decision 2002/16/EC) and the ICC version, once the ICC version is approved by the EU). Under these clauses the data processor (the service provider) commits to comply with EU-equivalent data protection standards. In many jurisdictions (but not the UK) there are notification or registration requirements whereby the contracts once completed must be sent to the local data protection regulator. In addition, amendments to the contracts can negate the protection and therefore result in the contract not fulfilling its purpose of showing adequate protection. Therefore this solution can be restrictive and time-consuming.
Many business users are looking for ways to increase efficiency and reduce the costs of their operation. Cloud computing is recognised by businesses, particularly SMEs, as a cost-effective way to gain access to complex IT and communications facilities. The challenge for businesses and service providers is to ensure data protection responsibilities are not forgotten.
This article was first published in the May 2009 edition of the World Data Protection Report.