The Irish Data Protection Commissioner recently issued guidance
in relation to data protection issues to be considered when
contracting for cloud computing services. The primary focus of the
Commissioner is on the security of data processed in the cloud. The
Commissioner references the recently published opinion of the
Article 29 Working Party in relation to cloud computing (Opinion
05/2012) which also provides useful guidance on this
topic.
Cloud Security
Ultimately responsibility for security of personal data
rests with the data controller under Irish data protection
legislation. The data controller is obliged to ensure that it meets
the security requirements set out in the legislation in the event
that responsibility for data processing is outsourced to any
service provider, including a cloud provider.
The guidance from the Commissioner states that security standards
of a "very high level" must be in place where personal
data is being processed by a cloud provider. As the legislation is
drafted in a technology neutral manner, there is no specificity
provided in the legislation, or in the Commissioner's guidance,
in relation to the type of security measures required to meet this
high standard.
In line with the recommendation of the Article 29 Working Party
opinion, the guidance recommends that when engaging a cloud service
provider assurances must be obtained in relation to issues such
maintaining the integrity of the data (including back-up and
disaster recovery mechanisms), prevention of unauthorised access to
data, adequate oversight of any sub-processors used, procedures in
the event of a data breach and the right of the data controller to
remove, erase or transfer data.
The Commissioner and the Article 29 Working Party both recognise
that auditing a cloud provider may not always be the most practical
option for a data controller. The Commissioner advises that where
there is a multi-tenanted cloud structure, a third-party
certification to approved international standards may be more
appropriate than a direct right to audit.
The Article 29 Working Party also advises that, in certain
circumstances, individual audits of cloud providers may be
impractical and independent verification or certification by a
reputable third party can be a credible means for cloud providers
to demonstrate compliance with their obligations.
Cloud Location
Transfers of personal data are permitted within the EEA
on the basis that personal data processed within the EEA will
benefit from the common data protection standards derived from
Directive 95/46/EC. However, given the nature of certain cloud
services, it is possible that the data will be transferred outside
the EEA during the course of the provision of the services.
According to the Commissioner's guidance and Irish data
protection legislation, the cloud customer (as data controller)
will have to ensure prior to any proposed transfer of data outside
of the EEA, that an "adequate" level of protection is in
place. The EU Commission has deemed Switzerland, Guernsey,
Argentina, Isle of Man, Canada, Faroe Islands, Jersey, Andorra and
Israel to be countries which provide an adequate level of data
protection.
Irish data protection legislation also provides that, in the event
an adequate level of protection is not in place, personal data may
be transferred outside the EEA in accordance with the US Safe
Harbor programme, EU model contracts or Binding Corporate
Rules.
Cloud Contract
Data protection legislation stipulates that, in cases
where personal data is being processed for a data controller by a
data processor, a written contract must be in place between the
data controller and data processor. The contract must provide that
the data processor will only process personal data in accordance
with the instructions of the data controller and that the data
processor will implement appropriate technical and organisational
security measures to protect such personal data.
The Article 29 Working Party emphasises that applicable cloud
contracts must include a set of standardised data protection
safeguards (ie, security assurances) as well as additional
mechanisms that can prove suitable for facilitating due diligence
and accountability (such as audits or third party
certification).
Certain contracts for cloud services will be concluded online on
the basis of the cloud provider's standard terms and
conditions. It is important that data controllers read such terms
and conditions to ensure that they contain the provisions required
by data protection legislation as discussed above.
Implications for the Cloud
The Article 29 Working Party opinion and the
Commissioner's guidance advise businesses to conduct
comprehensive risk assessments of any prospective cloud provider.
The same data protection concerns exist for a data controller when
outsourcing data processing to a cloud provider as to any other
provider of data processing services. The guidance, however, places
particular emphasis on the necessity for a high level of security
when contracting for data processing services in the cloud
space.
It is critical that a data controller assess the service offering
of the cloud services provider and the terms and conditions of the
contract to ensure that, as a data controller, it will be in
compliance with its obligations under data protection legislation
in the event that the data processing is outsourced to the cloud
services provider.
The Commissioner notes that the technology surrounding cloud
computing is constantly evolving. It is likely, therefore, that
further guidance will be needed in the future to keep pace with the
developing technology.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.