Concurrent with the European Commission’s recent release of a new strategy to “unleash the potential of cloud computing in Europe,” the French Data Protection Agency (CNIL) issued 7 recommendations to assist companies to comply with French law when using cloud computing services.
According to the European Commission, cloud computing can be understood as the storing, processing and use of data on remotely located computers accessed over the Internet.
Cloud computing is an important evolution in the management of IT services for companies. Specifically, it offers several advantages, including cost savings. Among the benefits of cloud computing is its ability to create economies of scale. According to statistics released by the European Commission, 80% of companies that adopt cloud computing achieve cost savings of at least 10% – 20%. However, the decision by companies to utilize cloud computing services raises several legal and data security concerns.
Based on a survey on cloud computing conducted by the French Data Protection Agency at the end of 2011, the Agency issued 7 recommendations to help companies define an appropriate legal framework when using cloud computing services.
Recommendation #1: The Agency recommends clearly identifying data and data processing to be hosted in the cloud (e.g. personal data, sensitive data, or strategic data).
Recommendation #2: According to the Agency, companies need to define their own security and legal framework requirements, which may present challenges as most cloud services providers utilize form contracts from which they rarely deviate. Nonetheless, companies must ascertain that their providers have the highest legal and security standards. The Agency recommends that companies consider the following:
- legal constraints (e.g., localization of data, level of security and confidentiality, and specific regulations applicable to certain type of data);
- practical constraints (e.g., availability and reversibility); and
- technical constraints (e.g., interoperability with existing IT systems).
Recommendation #3: The Agency recommends assessing risks to identify security measures appropriate to the company (e.g., cost of governance of databases, technological dependency vis-à-vis the cloud computing service provider, risks of modification or disclosure of the data hosted in the cloud, legal summons by foreign authorities, risks linked to the possibility that the provider subcontracts the service, security failures, breach of storage duration limitations, issues related to the management of access rights for data subjects if the provider does not dedicate sufficient means to the service, acquisition of the provider by a third party, absence of compliance regarding international transfers, and closing down of the cloud computing service). According to the Agency, most of these issues can be avoided or strictly regulated by contractual provisions, including provisions that provide for penalties to be assessed upon the service provider, or by technical measures that enable backup of the data.
Recommendation #4: The Agency recommends identifying the relevant cloud service model for the contemplated service (e.g., “SaaS”: Software as a Service, “PaaS”: Platform as a Service, and “IaaS”: Infrastructure as a Service). The cloud can also be public or private.
Recommendation #5: The Agency recommends choosing a service provider offering sufficient guarantees. In considering a service provider, according to the Agency, one should consider the following:
- What is the legal qualification of the service provider (i.e., is it a subcontractor or a co-data controller)? If the customer, who is the data controller, must adhere to a standard cloud-computing service contract, the French Agency considers the service provider to be a co-data controller (as defined in Article 2 of the 95/46/CE Directive).
  In this situation, the Agency recommends the following allocation of responsibilities:
  - notifications to local authorities: customer;
  - notice to data subjects: customer;
  - duty of security and confidentiality: customer and provider;
  - access and modification rights: customer with the support of the provider.
- What level of security should the data be given by the provider? Whether the service provider is a co-data controller or subcontractor, it is incumbent upon the customer to ascertain that the provider offers a sufficient level of security to the data. The Agency has listed the key points related to the security of data to be addressed in a cloud computing service agreement.
Recommendation #6: The Agency recommends that companies who utilize cloud computing services reinforce their internal security policy to account for the new risks that arise from cloud computing.
Recommendation #7: The Agency recommends that companies regularly assess the cloud computing service provided. The Agency recommends updating the risk assessment each time there is a significant evolution in the service provided, to ascertain that all necessary security measures are taken.
To further assist companies using cloud computing services, the Agency proposed model contractual clauses that companies should use when drafting and negotiating cloud computing contracts. We will continue to report on the Agency’s monitoring of the cloud computing space.