On 1 July 2012, the EU Article 29 Data Protection Working Party (WP 29) issued its long awaited Opinion 05/2012 on Cloud Computing (Opinion). In this document the WP 29 identifies a number of key data protection compliance issues that may arise in relation to the use and provision of cloud services. This Opinion is of importance to cloud providers and cloud customers as a guide to how to adopt cloud strategies in compliance with EU data protection laws. As a first step, the WP 29 advises cloud customers to carry out a data protection risk assessment prior to entering into any agreement with a cloud provider. The risks are described as falling into two main categories:
- a lack of control by the customer over any personal data processed by the provider (eg vendor lock-in and confidentiality risks arising from law enforcement requests)
- a lack of transparency as to where, by who (eg sub-processors) and how these data are processed
The Opinion stresses that control and transparency are key for ensuring the cloud customer, as data controller, can meet its obligations under data protection legislation. For example, the customer is responsible for duly informing the relevant data subjects and for verifying that the data are processed in a compliant manner. In particular, the customer must ensure lawful transfer of data outside the EEA and implementation of adequate security measures. In this respect, the WP 29 confirms that cloud providers should duly inform their customers about the sub-processors they use, including their location, and that any intended changes in sub-processors must be notified to cloud customers to enable them to object or to terminate the contract. The Opinion refers to public digital registers as a possible mechanism for achieving this notification requirement. The Opinion confirms the WP 29 view that sub-processing may only be commissioned on the basis of the cloud customers’ consent, although it does recognize that this consent can be general in nature. The Opinion contains a list of fourteen specific issues (such as audit rights and an obligation to notify of law enforcement data access request) that the cloud customer should include in its contract with the cloud provider to provide ‘legal certainty.’ The WP 29 recognizes that most cloud providers impose their own standard terms and conditions, and that the customer’s negotiation power may be limited (e.g., in case of SMEs). Accordingly, it will not always be workable in practice to provide for full compliance through the proposed contractual safeguards. The WP 29 nevertheless specifies that such imbalance in contractual power should not be an excuse to accept contractual clauses not in compliance with data protection law. The Opinion welcomes the provisions contained in the proposed EU Data Protection Regulation published in January of this year aimed at making processors more accountable towards controllers by including new statutory obligations for processors to assist controllers in ensuring compliance with security and related obligations, the WP 29 also states that where a processor acts beyond the scope of its instructions, or in breach of the contractual terms, it may be considered as controller in its own right and be held liable for such non-compliance. The WP 29 also stresses the importance of compliant international (extra-EEA) transfers of personal data in the framework of cloud services. In this respect, solutions such as US-EU Safe Harbor, the EU Model Clauses and BCR’s for processors are suggested, each subject to certain limitations and conditions discussed in the Opinion. In particular, the Opinion states that reliance on a cloud provider’s US-EU Safe Harbor status alone is not sufficient. It states that further ‘evidence of compliance’ should be obtained and recommends additional safeguards are put in place with the Safe Harbor provider to take account of the specific nature of the cloud. The Opinion also suggests that the use of controller-processor model clauses in the cloud environment may require prior approval by EU data protection authorities. Summary The WP 29’s message is very clear: cloud customers and cloud providers – in particular those based outside the EEA – should carefully review their current contractual terms and conditions, and adapt their practices to comply with the guidance set forth in the Opinion. It is likely that providers which do not recognize, and adapt to the WP 29’s Opinion may risk losing EU market share to compliant providers.