Tackling Data Protection In The Cloud

The Article 29 Data Protection Working Party Opinion 05/12 on Cloud Computing (the 'Opinion') is aimed at assisting those who choose to engage a cloud computing service provider to comply with the requirements of the Data Protection Directive (95/46/EC) (the 'Directive'). Cloud computing solutions, notably in the form of third party processing services, have dramatically increased in popularity over the last few years. While the continuing adoption of cloud computing is to be welcomed, it does present certain legal challenges and risks.

In issuing the Opinion, it seems the Working Party are encouraging organisations that are planning to engage cloud providers to ensure they understand how and where their data are stored and, importantly, which parties can access such data.

Risk assessment and management

The Opinion recommends that any party which intends to use cloud computing services should conduct a thorough risk analysis to identify and address the perils associated with processing specific types of data in the cloud.

Risk management is a key consideration in any commercial relationship that brings the potential for liability. The Opinion highlights several data protection risks that arise from the use of cloud computing, including:

lack of transparency about how the service provider processes personal data, thereby preventing the controller from taking proper measures to ensure data protection compliance;

lack of interoperability and data portability;

lack of integrity, caused by sharing of cloud resources;

lack of confidentiality arising from disclosure of data to law enforcement agencies outside the EU;

lack of ability for the customer to intervene in processing owing to the complex chain of processors;

inability of the cloud provider to help the controller respond to data subjects' access requests; and

possibility that the cloud provider might link personal data from different clients (or a 'lack of isolation' of data).

Risks may be augmented if the cloud service involves:

a chain of processors (several tiers of sub-contractors);

processing in different countries (and the applicable law in the event of a dispute); and/or

the transfer of data to countries outside the European Economic Area ('EEA').

The Opinion suggests that the key to ensuring compliance with data protection law lies in managing the risks identified by a risk analysis. To this end, the Opinion sets out a number of recommendations for organisations engaging cloud providers, some of which are discussed further below.

Identifying roles and recording obligations in the contract

The processing of personal data in a cloud relationship will usually involve a data controller and a data processor. Clients will typically act as data controllers and providers as data processors, although the Opinion notes that in some circumstances the provider will also be a data controller (e.g. where the provider carries out legitimate processing for its own purposes rather than those of the client). As responsibilities differ depending on the role a party has, the roles should be clearly identified in the contract.

The Opinion highlights that the ultimate responsibility for compliance with data protection law remains with the controller, whether or not they choose to delegate the processing of data.

Article 17(3) of the Directive requires there to be a contract or other binding legal act to...
