Originally published July 11, 2012
The Article 29 Working Party established under the EU data privacy legislation published an opinion on 1 July 2012 addressing the data privacy compliance concerns associated with the use of cloud computing solutions.
The Working Party identifies the concerns as falling into two categories:
- Lack of control: cloud clients lose control of the technical and organisational measures necessary to ensure the availability, integrity, confidentiality, transparency, isolation and portability of data.
- Lack of information on processing: insufficient information about a cloud service's processing operations poses a risk to controllers as well as to data subjects, because they might not be aware of potential threats and risks and therefore cannot take the measures they deem appropriate.
The opinion is a reminder of the key contractual safeguards that must be put in place between the controller and the cloud service provider. The cloud service provider must agree to follow the instructions of the controller and must implement technical and organisational measures which are adequate to protect the personal data being put into the cloud-based solution. Amongst the particular provisions specified by the Working Party are:
- an obligation on the cloud provider to supply a list of the locations in which the data may be processed;
- a general obligation on the provider to give assurance that its internal organisational and data processing arrangements (and those of sub-processors) are compliant with applicable national and international legal requirements and standards.
These two requirements are sometimes problematic for the customer, and the fact that they are specifically referred to in the opinion will strengthen the negotiating position of controllers wishing to put in place arrangements for the processing of personal data by cloud service providers.
Working Party recommendations
- A controller should select a cloud service provider which guarantees compliance with the EU data privacy regime by agreeing to the specific contractual protections referred to below.
- Where (as is almost inevitably the case) a cloud service provider sub-contracts processing to sub-processors, this should only be permitted where the identity of the sub-processor is disclosed to the data controller and the cloud service provider flows down its contractual obligations to the data controller to its sub-processors, so that the controller has some contractual recourse...