On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.
Cloud Computing Duties and Responsibilities
- Cloud clients (as data controllers): Cloud clients are expected to be responsible for compliance with applicable data protection legislation and fulfillment of related duties. A cloud client must therefore choose cloud providers that will guarantee compliance with the applicable law(s).
- Cloud providers (as data processors): Cloud providers must ensure the confidentiality of the personal data they handle, and they must comply with the requirements of Article 17 of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”) when providing the cloud services. According to the Opinion, they also must adopt security measures in line with the laws of both the controller’s jurisdiction and the processor’s. Finally, cloud providers must assist cloud clients with addressing data subjects’ claims and the exercise of data subjects’ rights.
- Subcontractors: According to the Working Party, cloud providers can only subcontract certain services after having obtained the client’s consent (which may be given in a general form at the beginning of the service). Information on the subcontracting of processing services by the cloud provider must be made available to the cloud client, detailing the category of service subcontracted, the subcontractor’s characteristics and the measures or guarantees implemented by the subcontractor to ensure an adequate level of data protection. All the provider’s obligations to the client must be reflected in an agreement between the provider and the subcontractor to allocate responsibility clearly.
Cloud Services Contracts
Cloud services require a formal contract, according to Article 17(3) of the Data Protection Directive. The contracts between cloud providers and clients must, at a minimum, detail the controller’s instructions to the processor and include the obligation to implement adequate technical and organizational measures to ensure data security. They also should include certain standardized data protection safeguards, including the 14 points outlined by the Working Party in the Opinion (e.g. specification of security measures to be complied with, specification of the conditions for destroying or returning the data once the service is completed, obligation to provide a list of locations in which the data may be processed), as well as measures facilitating accountability, such as third-party audits and certification.
The Opinion further highlights that even in complex arrangements involving different levels of processing and cloud providers, the utmost attention must be given to the allocation of responsibility for data protection. Importantly, the Working Party reiterates a point it made in its Opinion 1/2010 on the concepts of controller and processor, namely that “the imbalance in the contractual power of a small controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law.”
General Data Protection Principles
The Opinion further outlines the general data protection principles that should govern the client-provider relationship, including transparency, purpose specification and limitation, erasure of data, the implementation of technical and organizational data protection measures, the provision of timely and reliable access to data, the preservation of the integrity of data, confidentiality, isolation of data, “intervenability,” portability and accountability.
International Data Transfers
The Opinion highlights the limitations of the legal mechanisms traditionally used to ensure an adequate level of protection in the event personal data is transferred outside the EEA. The Working Party advises companies exporting data and relying on a Safe Harbor self-certification to conduct further investigations into the implementation in practice of the Safe Harbor principles by the chosen processor, a recommendation previously issued by the German data protection authorities. At the same time, however, the Working Party believes that cloud computing raises concerns which currently are not addressed under the Safe Harbor framework (i.e. loss of governance, incomplete data deletion, unsatisfactory audit records, etc.), such that additional safeguards must be deployed. The Working Party endorses the use of the 2010 controller to processor standard contractual clauses as a solid basis for ensuring that personal data is given adequate protection when transferred outside the EEA, and recommends that they be used between cloud providers and subcontractors as well as between providers and clients.
Risk Analysis and Checklist
Finally, the Working Party recommends that any business or administration that intends to use cloud services conduct a thorough risk analysis to identify and address the risks associated with processing specific types of data in the cloud. The processing of sensitive data in the cloud will require additional safeguards. The Working Party further provides a checklist, which offers guidance to cloud clients and cloud providers for complying with the current and future EU data protection framework. It also endorses third-party data protection certifications as potentially acceptable means of proving compliance with the guidelines issued in the Opinion.
Future Developments
The Working Party welcomes the provisions contained in the proposed Data Protection Regulation concerning a clearer distribution of responsibilities between data controllers and data processors, and details other future developments which may help to define a better framework for data protection in the cloud.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code