Introduction

The recent rise of cloud computing – both for businesses and at consumer level – is providing a decent challenge for the regulators tasked with applying established data protection principles to this new and fast-developing industry.

Until last year there had been little guidance at UK or EU level. However, in July 2012 the Article 29 Working Party – the independent advisory body made up of data protection regulators from across the EU member states – released its Opinion on Cloud Computing (05/2012). This was closely followed by guidance from the UK regulator, the Information Commissioner's Office (ICO). The ICO's Guidance on the Use of Cloud Computing was published in September 2012.

The working party and ICO have attempted to provide workable and commercial solutions for both cloud suppliers and their customers. Both regulators have concluded that data protection legislation should not be a bar to using cloud services, but that certain measures must be put in place, mainly by the customer, to ensure compliance with the data protection principles at each stage of the cloud chain. Helpfully, the ICO guidance includes a practical checklist of issues to consider when looking to put personal data in the cloud.

This update looks to these documents for the key considerations for both suppliers and customers looking to use cloud arrangements for personal data.

Background

Cloud computing services are now widely available both in the private cloud (where the cloud customer is the sole user of the service) and in the community, public or hybrid cloud (where the cloud is made available to more than one customer). The ICO defines 'cloud services' as "access to computing resources, on demand via a network". It is the linked network nature of such arrangements which has particular data protection risks – not least because there is usually a complex outsourcing chain which may span several jurisdictions (noting that many of the leading cloud providers are based in the United States).

The relevant legal framework in the European Union is the EU Data Protection Directive (95/46/EC), implemented in the United Kingdom as the Data Protection Act 1998.

Responsibility for the processing of personal data is divided into two categories: data controller and data processor. The data controller is the entity which alone or jointly determines the purpose and means of processing and the data processor is the entity which processes personal data on behalf of the data controller.

In the typical cloud computing scenario, the working party and the ICO agree that the customer is most likely to have the data controller role (as it determines the purposes of the processing), and therefore the primary responsibility for ensuring compliance with data protection legislation.

Working party's concerns

The working party highlighted the availability, integrity and confidentiality of data as the key principles to apply in relation to processing personal data in the cloud. Further, the more "specific data protection goals of transparency, isolation, intervenability, accountability and portability to substantiate the individual's right to data protection" also come into play.

The working party's opinion highlights the customer's lack of control and transparency as a matter of serious concern. A customer can take responsibility for data protection laws only if it is aware of the risks and threats. If a customer has insufficient information about the supplier's processing operations (eg, its use of any sub-processors or transfers outside the client's jurisdiction), this will prevent the customer from being able to assess the risks and take appropriate steps to mitigate them.

The working party believes that the key to protecting personal data in the cloud is the contractual document between the parties, not least because the law requires a written contract for data processing.

Working party's suggested solutions

The working party makes it clear that compliance with data protection rules and responsibilities (including in the event of a breach) must be clearly allocated between the parties in the contract. Although the customer, as data controller, has the main compliance burden, the supplier is not off the hook. The working party states that "cloud providers should provide documentary evidence of appropriate and effective measures that deliver the outcomes of the data protection principles".

The working party's opinion includes a list of issues that should be addressed in each contract, such as:

  • full details of the customer's instructions for processing personal data, including the extent, manner and purpose of processing and the nature of the data;
  • detailed specifications of the data security measures for processing personal data;
  • conditions for returning or destroying personal data on expiry or termination of the contract;
  • confidentiality;
  • obligations for the supplier to cooperate with the customer in any data subject access requests;
  • no right of disclosure to any third parties (including sub-processing) without the customer's consent; and
  • division of responsibilities in the event of a data breach – with contractual penalties and remedies (including proportionate and effective service credits).

The opinion also recommends including a list of locations where the data may be processed and appropriate clauses for transferring personal data outside the European Economic Area (EEA). The directive allows data controllers to transfer personal data only to countries outside the EEA that protect the data adequately or if the data controller has put in place certain approved safeguards. The European Commission's cloud strategy, "Unleashing the Potential of Cloud Computing in Europe" (September 2012), proposes to review the current standard contractual clauses for international data transfers and make them more cloud-friendly.

The working party recognises that cloud services (at both corporate and consumer level) are often offered on the basis of a supplier's standard terms for which there is not much room to manoeuvre. Having said that, the working party makes it clear that an imbalance in power "should not be considered as justification for the controllers to accept clauses and terms of contracts which are not in compliance with data protection law". Each cloud contract should therefore take note of the above.

ICO guidance – key considerations

In a similar manner to the working party, the ICO highlights and explains the new data protection risks that a customer must consider as a result of putting personal data in the cloud. The ICO spells out to companies that responsibility for data protection compliance generally remains with the customer (as data controller) even when data physically passes to the supplier. The division of responsibility will need to be considered on a case-by-case basis depending on the type of cloud arrangement, although the ICO states that "the cloud customer will generally be a data controller – and therefore ultimately liable for compliance".

Like the working party opinion, the guidance is based on the key principles of availability, confidentiality and integrity and explains what a customer should consider when looking to engage a supplier in relation to each of these principles. The ICO's checklist summarises the practical steps for business to consider to avoid falling foul of the rules. This starts with the ICO advising the customer to prepare a list of the personal data that it intends to place in the cloud and, from there, assess the processing risks. This broadly covers the same areas as the working party opinion and includes consideration of:

  • measures to prevent unauthorised access to data, including a system to create, update, suspend or delete user accounts;
  • policies to delete all copies of personal data as may be required by the customer;
  • procedures for dealing with personal data on expiry or termination of the contract;
  • policies to allow customers to have access to their personal data;
  • auditing processes for any authorised access, deletion or modification of personal data;
  • full details of where personal data will be processed and how it will be processed; and
  • details of back-up procedures.

Like the opinion, the guidance also reminds customers of their other legal obligations, such as to have written contractual measures for safeguarding the transfer of data to other countries and to protect the rights and freedoms of data subjects.

Once a customer has assessed the risks, it is then in a better position to introduce measures to mitigate them.

The ICO warns that this should not be seen as a static list. It recommends a continual cycle of monitoring, review and assessment to ensure that the service is being provided in accordance with the agreed contract.

The ICO recognises that many of the above considerations rely on disclosure of information from the supplier or from site audits on the premises where personal data will be processed. As a result, the ICO also suggests that a supplier arranges for an independent third party to conduct a detailed security audit of its service to check for appropriate technical and organisational measures (as is required by the directive). This report can then be provided to each of its customers and would avoid the need for each customer to conduct a separate review each time. The ICO also supports the introduction of an industry-recognised standard or kitemark to assist cloud customers (in particular, the consumer) in assessing the security offered.

Comment

Both the working party and the ICO place the burden of data protection compliance very much on the shoulders of the customer. On this basis, a supplier should be selected carefully, with guarantees of data protection compliance in mind. One message that is clear is that it will be no excuse to the regulators that a provider's non-compliant standard terms are the only contractual terms on the cards.

For new cloud services, the customer should conduct a full due diligence examination before entering into any arrangement. The results of this risk analysis should be captured in the contractual documents between the parties – the extent of the clauses will depend on the nature and risk of data being placed in the cloud.

For existing services, suppliers and their customers should carefully review their current contractual terms and conditions (including standard terms) and adapt their practices in line with this new guidance.

The regulators recognise that the complexities of cloud computing arrangements cannot be wholly addressed using the measures identified in these documents. However, their guidance is welcome because it highlights the potential issues and provides practical tips for the processing of personal data by suppliers in the EEA. Neither the working party opinion nor the ICO guidance has the force of law, but the regulators will expect companies to comply with these rules, and each party should now be better equipped to understand what the regulator wants from them. The onus now lies with the suppliers, customers and their advisers to put the theory into practice.

For further information on this topic please contact Oliver Bray or Fiona Wilson at RPC by telephone (+44 20 3060 6000), fax (+44 20 3060 7000) or email ([email protected] or [email protected]).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.