This entry was authored by Conor Ward in London and Gonzago Gallego and Pablo Rivas in Madrid.
On 1 July, the Article 29 Data Protection Working Party adopted an opinion on cloud computing. The full opinion can be found here.
The Working Party Opinion analyses the "hot topics" on data protection arising from cloud computing services from the perspective of the EU Data Protection Directive (95/46/EC) and the e-privacy Directive 2002/58/EC (as revised by 2009/136/EC). It also provides guidelines for providers of cloud computing services and their clients.
The opinion considers that the risks associated with the deployment of cloud computing solutions fall within two broad categories, namely:
(i) lack of control over personal data and
(ii) lack of information with regard to how, where and by whom the data is being processed/sub-processed.
Whilst the Working Party’s concerns over lack of control predictably cover the client’s potential inability to control the technical and organisational measures required to protect personal data, it is also concerned about the potential effect of vendor lock-in and the difficulties associated with data portability and interoperability. The risk of data being disclosed to foreign law enforcement agencies without a valid EU legal basis (and thus in breach of EU data protection law) is also highlighted. Where the cloud services were made up of, or depended upon, the services of multiple parties, the risk of dynamic changes during the client’s was also considered to be a concern.
Lack of transparency has been an issue highlighted by many commentators in the context of cloud computing, and so too by the Working Party. Processing of data in different geographic locations, even where all are within the EU, directly affects the law applicable to any data protection dispute. There should also be transparency about the processors and subcontractors used, not to mention any transfers to jurisdictions outside the EU for storage or processing.
The Working Party clarifies that, in general terms, the relationship between the cloud provider and the client must be construed as a relationship between a data controller (client) and a data processor (provider). However, the Working Party also explains that in certain circumstances, the cloud computing service provider could be considered to be a joint controller of personal data provided by its client and hence it would be subject to the rigours of the EU data protection regime in its own right. The Working Party also noted that clients of cloud computing services often had to contract on standard terms with no room for negotiation. However, this was no excuse to accept contract terms which were not in compliance with EU law.
The Working Party acknowledges the complexities of cloud computing services and the fact that the market is still evolving. The opinion attempts to give practical advice on how to avoid falling foul of data protection legislation, including a list of 14 issues (such as the integrity of the data, the availability of the service, portability of the data, etc.) that ought to be addressed in any cloud computing services contract, as well as a number of guidelines for suppliers and their clients. A key conclusion of the Working Party is that entities wishing to use cloud computing should, as a first step, conduct "a comprehensive and thorough risk analysis". In addition, clients should only appoint cloud computing providers "that guarantee compliance with EU data protection legislation". The suggestion of third-party certification of cloud providers and regular audits introduces questions of burden and cost into ensuring legal compliance in the use of the cloud.
With respect to the framework regulating data transfers to non-EU third countries that do not provide adequate protection, the Working Party considers that the existing instruments have limitations. In particular, as regards the Standard Contractual Clauses 2010/87/EC (model clauses for processors), the Working Party considers that they require certain adaptations to the cloud environment (to avoid separate per-client contracts between a provider and its sub-processors), which imply the need for prior authorisation from the competent Data Protection Authority. Thus, it seems that the Working Party backs initiatives such as the one carried out by the Spanish Data Protection Agency.
The Working Party considered the potential impact of the Commission’s draft EU General Data Protection Regulation. In particular the Working Party welcomed the proposals aimed at making processors more accountable towards controllers.
The Commissioners felt that it was "of the utmost importance" to add to the future Regulation a prohibition on controllers who operate in the EU from disclosing personal data to a third country merely at the request of a third country’s judicial or administrative authority, unless this is expressly authorised by an international agreement, provided for by mutual legal assistance treaties, or approved by a supervisory authority. Whilst clearly intended to address access to personal data for national security and law enforcement purposes, if such a provision were adopted it could have widespread and unintended consequences, in particular in relation to the disclosure of documents as part of general commercial disputes with a cross-border element. Moreover, law enforcement and national security officials can be expected to object to overly burdensome restrictions on access to data in the cloud.