The French Data Protection Authority (the Commission Nationale de l’Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: "already €6 billion at the European level, with a yearly growth of approximately 20%". The CNIL believes that the opacity inherent in cloud computing raises data protection concerns.
The CNIL’s consultation focuses on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security.
The consultation process opened on 17 October 2011 and input is sought from the public.
Turning specifically to the five areas of focus:
(i) definition of cloud computing: the CNIL suggests a definitional approach based on the main functional characteristics of various cloud computing services;
(ii) role of the parties: the CNIL analyzes the role of the customer and service provider as data controller and data processor, respectively. According to the CNIL, the customer should always be regarded as a data controller. The role of the service provider might vary; the service provider could be a data processor or in some cases a co-controller.
(iii) applicable law: one of the stickiest issues relates to applicable law. If the controller (in most cases the cloud customer) is established in France, French law would apply. But the situation is more complex where the controller is located outside of France and uses a cloud service provider with servers in France. Note that in a March 2011 decision, the CNIL decided to exempt companies established outside the European Union and using processors based in France from notifying their processing when the processing relates to human resources data or client and prospect data;
(iv) international transfers: most cloud services do not have a fixed location. Rules on international transfers of personal data are therefore difficult to apply. The CNIL suggests a two-fold approach, applying both legal and technical safeguards to international transfers. From a legal standpoint, the CNIL recommends the implementation of Standard Contractual Clauses in service providers' agreements, but also floats the idea of developing "Processor Binding Corporate Rules" or "Processor BCRs". Technically, service providers should apply security measures and data minimization (e.g. through the use of metadata) before data are transferred internationally;
(v) data security: the CNIL recommends the inclusion of security requirements in cloud computing agreements, while noting that customers are not always in a position to impose these requirements.
Interested parties have until November 17 to submit their comments. This consultation is an excellent way to enhance the French DPA’s understanding of cloud computing and propose technical solutions that may mitigate data protection risks.
The public consultation paper can be found (in French) here.