New European A29 Guidance on “Privacy in the Cloud”

Privacy debates in connection with cloud computing often generate more heat than light! Some regulators (not in the UK!) have even said that use of the public cloud is illegal. Well, if it is, then many EU companies are in trouble, as the cloud covers a multitude of types of virtualised processing, much of which has been used for years. Let’s not forget that “cloud” is partly a brand name as opposed to something wholly new.

But there are new components that cloud computing has introduced: mass market access to global processing operations where data can travel seamlessly cross-border. So it is timely that the EU’s Article 29 Working Party has, this week, published an Opinion (05/2012) as a useful summary of the EU data privacy rules on use of the cloud.

Question: Does the new guidance iron out all the legal issues?

Answer: No, but it is an interesting indication as to the “direction of travel” for privacy regulation of cloud customers and providers.

The first point is that the Opinion accepts that the cloud can bring benefits: access to top-class technology and improvements in security, better access for SMEs (and a general stimulant for economic growth) and “pay as you use” pricing models.

So what gems are there in the new guidance?

Here is my reading of some of the more interesting points in the Opinion. What is particularly interesting is that many of the recommendations in the Opinion map to the requirements in the draft EU Data Protection Regulation rather than the current Directive. So, some of what follows is current practice; but some is new:

  • Primary obligations: the controller (i.e. the customer) bears the regulatory risk and so is incentivised to ensure compliance (note that the new draft Regulation will, for the first time, extend the compliance risk to processors too, such as cloud providers).
  • Risk analysis: the customer should conduct a comprehensive and thorough risk analysis at the outset and select a cloud provider that guarantees compliance with the data privacy rules.
  • Two main risks: beware of data security and international data transfers; these are seen as the most important privacy issues for the cloud.
  • Contractual links: there should be a contractual link between the customers and the cloud provider and, separately, between cloud provider and any sub-contractors; we know this already. But the Opinion says that the customer should be able to terminate the contract if the provider changes sub-contractors and the customer does not agree.
  • Transparency: customers should be informed about sub-contractors, locations of processing and “meaningful information” as to security measures; data subjects should also be notified of sub-contractors and locations.
  • Safeguards: the contract should provide “sufficient guarantees” as to security and specify the customer’s instructions and service levels and penalties.
  • Confidentiality: the cloud provider and its staff should be subject to confidentiality obligations.
  • Co-operation: the cloud provider should assist the customer in complying with applicable data subject rights and notify the customer of any data breaches; this reads more like the terms of the new draft Regulation.
  • International data transfers: the Opinion flags the introduction of Processor BCRs as being particularly relevant to cloud providers.
  • Logging and auditing of processing operations: the customer should request that the provider does this.
  • Independent certifications: the Opinion backs the use of third-party certifications as a means for cloud providers to demonstrate compliance; we have yet to see this area develop, but it is a sign of things to come. Certainly individual audits by multiple customers aren’t practicable and can compromise security.
  • Disclosures to law enforcement bodies: the Opinion wants to re-instate the original proposal in the new Regulation that you can only disclose data to another country’s law enforcement bodies pursuant to international agreement or mutual legal assistance treaties. So a requirement under the Patriot Act would not be enough. More work is needed here to develop a workable solution (given almost every country’s data surveillance and access powers to fight crime and terrorism).
  • European Cloud: the Opinion supports the European Cloud Partnership and the idea of promoting European clouds “sovereignly governed by European data protection law”.

Much to think about for privacy regulation in the cloud.

Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity and information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.
