Keywords: article 29, cloud computing, solutions, EU data privacy

The Article 29 Working Party established under the EU data privacy legislation published an opinion on 1 July 2012 addressing the data privacy compliance concerns associated with the use of cloud computing solutions.

The Working Party identified the concerns as falling into two categories:

  • Lack of Control: Cloud clients lose control of the technical and organisational measures necessary to ensure the availability, integrity, confidentiality, transparency, isolation and portability of data;
  • Lack of Information Processing: Insufficient information about a cloud services processing operation poses a risk to controllers as well as to data subjects, because they might not be aware of potential threats and risks and, therefore, cannot take measures they deem appropriate.

The opinion is a reminder of the key contractual safeguards that must be put in place between the controller and the cloud service provider. The cloud service provider must agree to follow the instructions to the controller and must implement technical and organisational measures that are adequate to protect the personal data being put into the cloud-based solution. Among the particular provisions specified by the Working Party are:

  • an obligation by the cloud provider to supply a list of the locations in which the data may be processed;
  • a general obligation by the provider to give assurance that its internal organisational and data processing arrangements (and those of subprocessors) are compliant with applicable national and international legal requirements and standards.

These two requirements are sometimes problematic for the customer, and the fact that they are specifically referred to in the opinion will strengthen the negotiating position of controllers wishing to put in place arrangements for the processing of personal data by cloud service providers.

Working Party recommendations include:

  • a controller should select a cloud service provider that guarantees compliance with the EU data privacy regime by agreeing to the specific contractual protections referred to below;
  • where (as is almost inevitably the case) a cloud service provider subcontracts processing to subprocessors, this should only be permitted where the identity of the subprocessor is disclosed to the data controller and the cloud service provider flows down its contractual obligations to the data controller to its sub-processors so that the controller has some contractual recourse in the event of breaches by subprocessors.

The specific contractual protections include:

  • only authorised personnel to have access to the data;
  • subcontractors must be identified and the controller must have a right to terminate the contract in the event of changes;
  • cross-border transfers of data shall only be permitted where lawful—for example, because the recipient has executed the EU model terms—and the cloud provider must guarantee the lawfulness of cross-border transfers;
  • the controller must have the right to audit the processing activities.

The opinion also raises the possibility that independent verification or certification of compliance with the requirements specified in the opinion could be provided by an independent third party, such as ISO, the IAASB or the Auditing Standards Board of the American Institute of Certified Public Accountants.

Action

Data controllers who deploy or plan to deploy cloud computing solutions should review the Working Party recommendations and treat them as a checklist of the issues to cover in any cloud services contractual arrangement.

Originally published 19 December 2012

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2012. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.