
Businesses need more guidance on how to verify cloud providers' data protection compliance, says EU watchdog

Out-Law News | 16 Nov 2012 | 5:09 pm

Organisations need to be provided with further guidance over how to ensure that the cloud computing providers they wish to contract with deal with personal data in a manner that complies with EU data protection laws, a privacy watchdog has said.

Under proposed new EU data protection rules 'data controllers' would be required, among other things, to be able to verify that the mechanisms cloud providers put in place to protect personal data are suitably strong to ensure that the information is processed and stored in accordance with the rules.

However, the European Data Protection Supervisor (EDPS) has said that further guidance is required to explain how this verification can be achieved.

"Especially in the context of cloud computing, more specific guidance is required to clarify which mechanisms should be put in place to ensure verification of the effectiveness of data protection measures in practice," Peter Hustinx, the EDPS, said in a new opinion (30-page / 132KB PDF). "Unless this happens, these verification exercises risk measuring compliance only on 'paper' but not in 'reality'."

"The EDPS takes note that the current text of the [European Commission's] proposed [General Data Protection] Regulation ... provides for the Commission to adopt delegated acts to specify ... the conditions for the verification and auditing mechanisms referred to in [the Regulation]. Irrespective of whether such provision on delegated acts will be maintained in the final text, cloud computing specific codes of conduct drawn up by the industry and approved by the relevant data protection authorities could be a useful tool to enhance compliance as well as trust among the various players," Hustinx said.

The nature of cloud computing means that data is often stored on servers based across the world, rather than in one physical location. However, current EU data protection laws prevent companies transferring personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection.

When a company wants to send personal data to those other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.

Similar provisions have been drafted by the European Commission in its proposed General Data Protection Regulation, published in January. However, the EDPS said that the finalised text of the Regulation, currently subject to negotiation by EU member states, should contain a "clear definition ... of the notion of 'transfer' of personal data", which he said is absent from the proposed text.

Hustinx said that the definition was needed in order to address problems relating to the nature of cloud computing where information is transferred but also "made available to a number of recipients located in various countries (often unknown to the cloud customer/end user)."

In addition, the definition is needed because whilst the "international data transfer rules" are "usually based on an assessment of whether there is an adequate level of protection in the country/ies where the data are to be transferred," it may be the case that cloud companies "do not have any stable location of the data and personal data may not remain permanently in a given location", whilst other providers "may refuse to inform where the cloud servers are located," he said.

The notion of 'transfer' also needs to be defined for the reason that it can be difficult for a cloud user to "adduce adequate safeguards for the international transfer of his data since he has little knowledge and/or control over the design of the cloud architecture of his cloud services provider and the places where the latter and any other processors or subprocessors are processing the data," the EDPS said.

Hustinx welcomed European Commission plans to draw up new model contract terms that businesses could use in forming contracts and service level agreements with cloud computing providers. The Commission announced its plans to do so in September in a 'communication' titled 'Unleashing the Potential of Cloud Computing in Europe'.

Hustinx said that the new contracts should contain terms that prevent cloud providers from disclaiming their responsibility for data confidentiality and security, or their liability for data loss or corruption. Among the other terms he said the new model contracts should include were provisions that would require cloud providers to tell clients whether it is possible to store data in a single country or region, and terms that require providers to obtain the consent of clients before changing the terms of their cloud service contracts.

Other information that cloud providers should be required to provide under the terms of the model contracts includes details of their personal data processing activities, such as "where the data may be processed, compliance with certification scheme/standards, guarantees that there are appropriate safeguards in place at all levels of the infrastructure and wherever the data are transmitted or stored, specific safeguards for sensitive data, identification of the relevant supervisory body," Hustinx said.

The watchdog also said that new standards around "security, interoperability, data portability and reversibility ... could be a critical success factor to enable governance and supervision models at international level." However, he said that internationally developed standards must be formed with data protection by design and by default at their heart and must be in line with EU "requirements".

Earlier this year the Article 29 Working Party, which is a committee made up of representatives from the 27 data protection authorities in EU member states, said that businesses that wish to use cloud services to store and process personal data must use providers that can "guarantee" compliance with EU data protection laws.