Privacy & Information Security Law Blog

On September 29, 2011, the German federal and state data protection authorities (“DPAs”) issued a resolution on cloud computing and compliance with data protection law. The publication was released in conjunction with the DPAs’ 82nd annual conference.

In the resolution, the DPAs ask that cloud service providers ensure their services comply with data protection law, and cloud service customers are urged to use cloud services only if they are in a position to fulfill their obligations as data controllers and have verified that the appropriate data protection and information security requirements are in place. The DPAs state that, in addition to ensuring the confidentiality, integrity and availability of data, data controllers must take into account the difficult-to-implement requirements concerning control, transparency and influence over data processing. According to the DPAs, deploying cloud computing solutions should not relieve data controllers, particularly management, of their responsibilities with respect to their data processing operations.

The DPAs’ minimum requirements outlined in the resolution include the following:

• Open, transparent and detailed information about the cloud service provider’s technical, organizational and legal framework requirements regarding the services they offer, including information regarding data security concepts, so that cloud service customers can evaluate whether or not they should use cloud computing services, and also have sufficient information to choose between various cloud service providers
• Transparent, detailed and unambiguous contractual provisions regarding the processing of data in the cloud, in particular regarding the location of data processing and notification about possible changes to the locations where cloud data may be processed
• Implementation of the agreed upon data security and data protection measures by both cloud service providers and cloud service customers
• Current and meaningful information (for instance certificates issued by recognized, independent auditors) about the information security, portability and interoperability infrastructure to be used in the performance of the contract

In addition, the DPA working groups for technology and media have released a guidance paper on cloud computing that provides more detail on data protection compliance. The 26-page guidance paper was developed by six state DPAs and covers the following topics:

• Definitions for types of clouds and cloud services such as IaaS, PaaS and SaaS
• Data controller responsibilities
• Control of the cloud service providers
• Rights of data subjects
• Requirements for international data transfers within and outside Europe, including statements on the use of EU standard contractual clauses and Safe Harbor
• Technical and organizational aspects
• Objectives and risks, including general and cloud-specific risk related to certain types of cloud services