Article 29 Working Party opinion on cloud computing | Practical Law

The Article 29 Data Protection Working Party has adopted an opinion setting out the data protection risks and concerns associated with cloud computing and making a series of recommendations on how to mitigate them.

Article 29 Working Party opinion on cloud computing

Practical Law Legal Update 3-520-2020 (Approx. 6 pages)

by PLC IPIT & Communications
Published on 05 Jul 2012 | European Union

Speedread

The Article 29 Data Protection Working Party has adopted an opinion on cloud computing which includes a series of recommendations, which the Working Party describes as "a checklist for data protection compliance by cloud clients and cloud providers". Many of the recommendations are intended to mitigate the data protection risks arising from a perceived lack of control and transparency in cloud computing arrangements. The Working Party describes the contractual controls that purchasers of cloud computing services should try to impose, and suggests that any new data protection legislation should prohibit controllers who are operating within the EU from disclosing personal data in response to a request from the authorities of another country that does not have an adequate data protection regime in place. One gap clearly acknowledged by the opinion is the situation where the cloud client transfers personal data to an EU provider, but where that provider transfers them to non-EU sub-contractors. The standard model clauses do not cover this situation, as they apply only to the transfer of data from an EU controller to a non-EU processor, and not to transfers from an EU processor to a non-EU processor. Despite the fact that standard contractual clauses have been criticised in the past for being unwieldy, it might provide more legal certainty if the European Commission were to adopt a set of processor-to-processor standard contractual clauses.

Background

Cloud computing is the delivery of IT as services over the internet. The user of such services is relieved of the need to purchase or install software, and does not have to run its own application and data servers. The provider hosts applications and provides the computing power from its data centre, benefiting from economies of scale so that it can reduce the cost to its clients. Its most recent form, Infrastructure as a Service (IaaS), concerns the delivery of computing resources over the internet such as servers, network equipment, memory, CPUs, disk space and data-centre facilities. Users of IaaS often transfer significant amounts of data, including personal data, to the cloud, where it may be stored on servers outside the EEA. For more information, see Practice note, Data protection aspects of cloud computing.
The EU's data protection regime is currently set out in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive), with which all EU member states must comply (see Practice note, Overview of EU data protection regime).
The Directive imposes broad obligations on those on whose behalf personal data is processed (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Data processors, who process personal data under the control of a data controller, are subject to less stringent legal obligations. Cloud clients will normally be considered data controllers. Cloud providers may be data controllers as well as data processors; if the provider also has the status of a controller because, for example, it is re-processing data for its own purposes, it will have full joint responsibility for processing and must comply with all the relevant obligations. For more information on the distinction between data controllers and data processors, see Checklist, Concepts of data controller and data processor.
In the EU, Article 25(1) of the Directive includes a general prohibition on the transfer of personal data to a country outside the EEA unless that country ensures an "adequate level of protection" for the data (see Practice note, Cross-border transfers of personal data). Once a data controller has established that the way in which he processes the data constitutes a transfer of personal data to a third country, he must decide whether or not the third country ensures an adequate level of protection of that personal data. Where he cannot establish the adequacy of the country to which the data is to be transferred, he may be able to comply with this requirement by putting in place adequate safeguards to protect the data. These include the use of standard contractual clauses (see Standard contractual clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers) and unofficial drafting notes) and binding corporate rules (BCRs).
In January 2012, the European Commission published a proposal for a new EU data protection framework, including a draft Regulation on the protection of individuals with regard to processing of personal data and on the free movement of such data (Regulation). For a detailed explanation of the Regulation, see Legal update, European Commission proposes new data protection framework.
The Article 29 Data Protection Working Party (Working Party) was set up under the Directive to act as an independent European advisory body on data protection and privacy issues. In June 2012, the Article 29 Working Party adopted a new working document providing guidance on binding corporate rules (BCRs) for data processors (see Legal update, Article 29 Working Party adopts guidance on binding corporate rules for data processors). BCRs for processors aim to frame international transfers of personal data that are originally processed by the company as data processors according to the external instructions of data controllers (including outsourcing activities).

Facts

The Working Party has adopted an opinion on cloud computing, which includes a series of recommendations. Set out below is a summary of the key points of interest in the opinion.
The opinion is directed at cloud computing service providers and their clients and prospective clients. There are various different models for the provision of such services, and these are set out in an annex to the opinion.
As a rule, the clients will be acting as data controllers and the providers as data processors, although the Working Party notes that there will sometimes be circumstances which make the providers a data controller as well (for example, where they are re-processing personal data for their own purposes).

Data protection risks arising from cloud computing

The opinion highlights the data protection risks that arise from the use of cloud computing. These arise primarily from the fact that clients relinquish exclusive control of their data, which can lead to:
  • Lack of portability and interoperability.
  • Loss of integrity of the data due to sharing of cloud resources.
  • Disclosure of data to law enforcement agencies outside the EU in contravention of EU data protection principles.
  • Loss of ability to intervene owing to the complex chain of outsourcing.
  • Inability of the cloud provider to help the controller respond to data subjects' requests.
  • Possibility that the cloud provider might link personal data from different clients.
  • Lack of transparency about how the cloud service intends to process data, so that the controller cannot take proper measures to ensure data protection compliance.
The danger is increased if the client remains unaware that the cloud service involves a chain of processors (each subcontracting to the next), that processing is being conducted in different countries (which will determine the applicable law in the event of a dispute), or that the service will result in the transfer of data to countries outside the EEA.

Recommendations

The Working Party makes the following recommendations, which it describes as "a checklist for data protection compliance by cloud clients and cloud providers".

Choice of provider

The client will have full responsibility as a data controller, and should therefore choose a provider who guarantees compliance with the Directive.

Contractual terms

The contractual safeguards that the client should seek are set out at paragraph 3.4.2 of the opinion, and should address the risks identified earlier in the opinion. They should therefore provide for full prior disclosure of third parties (such as subcontractors) to whom the provider will communicate the data, locations where the data will be sent, and a duty to notify the controller if a law enforcement authority requires disclosure of data, or if there are any changes in the cloud service. The opinion sets out a full list of the matters that should be covered, grouping them in relation to the risks outlined above.

Subcontracting

All cloud computing contracts should contain provisions on subcontracting, which is an inevitable feature of such services. The provider must keep the client informed at all times of the identity of all relevant subcontractors and give the client the opportunity to terminate the contract if it is unhappy with the prospect of a particular subcontractor being commissioned. The provider should ensure that its subcontracts reflect the terms of its agreement with the client, and the client should make sure that the agreement gives it recourse against the provider if a subcontractor commits a breach of the subcontract.

Third-party certification

Providers should consider seeking independent verification of their data protection compliance. Clients should ask for this and should also, ideally, look at the audit report on which the independent party's verification is based. Such an arrangement would be especially suitable for auditing of data that is hosted in a multi-party, virtualised server environment, as individual client audits of these might not only be impractical, but also present a risk to network security. Privacy-specific standards and certifications (addressing technical measures as well as the provider's policies and procedures) have an important role to play in building trust between providers, clients and data subjects.

Future developments

The opinion discusses the following issues, which it says will need to be tackled in the short to medium term:
  • The Working Party welcomes certain measures contained in the Regulation: Article 26 (which would increase the accountability of processors to controllers); and Article 30, which would oblige processors to implement appropriate technical and organisational measures. It says that these measures would be particularly helpful in a cloud computing context, as they would go some way towards remedying the client's difficulty in exercising full control over how the provider delivers its service. The opinion goes on to recommend that consumer and trade bodies take a pro-active role in negotiating with big cloud computing providers on behalf of data subjects and client SMEs.
  • It considers that any new data protection legislation should prohibit controllers who are operating within the EU from disclosing personal data in response to a request from the authorities of another country that does not have an adequate data protection regime in place. The Working Party believes that the absence of such a provision is a gap in the current proposal, and stresses the need to include in the Regulation the obligatory use of mutual legal assistance treaties for this purpose.
  • The opinion stresses that public sector entities should always assess whether the communication, processing and storage of data outside the UK might present an unacceptable risk to individual and national security: for example, where sensitive personal data is concerned (such as that contained in health or census databases). National governments and EU institutions should consider investigating whether it would be viable to create a "European governmental cloud" in which a harmonised set of rules could be applied.
  • Transferring personal data to a European cloud provider could foster the adoption of common standards and improve legal certainty, and the Working Party therefore supports the European Cloud Partnership strategy presented by Neelie Kroes in January 2012.

Comment

While the opinion raises some interesting issues, it is difficult to place it exactly within the context of existing rules on cross-border data transfers. In practice, the majority of personal data transfers are likely to be to a small group of cloud providers, almost all of which are situated in the US. Given that transfers to such entities are already possible on the basis of standard contractual clauses (which include provisions for onward transfers to sub-processors) and with plans for new BCRs for data processors, it is not immediately evident just what kind of regulatory gap the opinion is designed to close. The Working Party is clearly conscious of this and other problems. In particular, it identifies the current need for cloud providers to put in place contractual arrangements with sub-processors in respect of every single cloud client as a potential commercial obstacle. With this in mind it ponders the need for a prior authorisation scheme involving national data protection authorities. However, seen side-by-side with the existing options for facilitating cross-border transfers of personal data, there is a danger that the opinion may create more confusion than enlightenment.
One gap clearly acknowledged by the opinion is the situation where the cloud client transfers personal data to an EU provider, but where that provider transfers them to non-EU sub-contractors. This situation is more complex since the model clauses apply only to the transfer of data from an EU controller to a non-EU processor but not to transfers from an EU processor to a non-EU processor. It is likely that the opinion should be seen in this context, although EU cloud providers may find it insufficient to provide them with the necessary legal certainty given the strict adequacy requirements set out in the Directive. Despite the fact that standard contractual clauses have been criticised in the past for being unwieldy, it might provide more legal certainty if the European Commission were to adopt a set of processor-to-processor standard contractual clauses.