In its Opinion 05/2012 on Cloud Computing published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.
Even though opinions of the Article 29 Working Party do not have the force of law, they have a very significant influence over the ways companies operate and the privacy choices they make. US businesses operating in the European Economic Area should keep in mind that the data protection authorities of the country or countries in which they operate are highly likely to follow the guidance set forth in a Working Party opinion. Thus, it is important that they operate within the guidelines and guidance provided in the opinions and other writings of the Article 29 Working Party.
One of the most significant concerns expressed in the Article 29 Opinion on Cloud Computing is the extent to which the Safe Harbor Principles fail to address the unique ways in which cloud computing services hold and process data. The Article 29 Working Party believes that the Safe Harbor Principles, which were conceived in a different technological environment, fail to address the unique environment in which cloud services are provided. In their view, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.
The Opinion points to the lack of control over the whereabouts of the data held in the cloud, the lack of transparency on the security measures being adopted or the identity of the subprocessors, as threats to the protection of personal data. It also stresses the importance of informing the data subjects about who processes their data, for what purposes, and in which locations, and how they can exercise the rights afforded to them in this respect when their data are hosted or processed in the cloud.
Due Diligence & Contract Terms
The document recommends that the cloud client select a cloud provider that guarantees compliance with EU data protection legislation derived from Directives 95/46/EC and 2002/58/EC. It stresses that the cloud client should verify whether the cloud provider can guarantee the lawfulness of any crossborder international data transfers.
Once the cloud service provider is identified, the relationship should be recorded in a contract that affords sufficient guarantees in terms of technical and organizational measures for the cloud service. The Opinion identifies a number of contractual safeguards to be included in the contract for cloud services.
Crossborder Transfers & Safe Harbor
One of the most important components of the Opinion is its negative analysis of the ability of most cloud providers to meet the restrictions on crossborder data transfers that are part of the EEA Member States' national data protection laws. The Opinion expresses significant concerns about the Safe Harbor's ability to meet the requirement that the recipient of the data provide "adequate protection" consistent with that which is provided in the EU and EEA.
Among other things, the Opinion warns that the Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that it has a Safe Harbor certification. The company exporting data should request evidence demonstrating that the Safe Harbor principles are being complied with. The Opinion also states that it might be advisable to complement the commitment of the data importer to the Safe Harbor with additional safeguards, taking into account the specific nature of the cloud.
It is not clear what effect the Working Party’s Opinion in WP 196 will have on US cloud providers. If US cloud providers want to continue to attract EU based clients, they will have to address the recommendations of WP 196, at least in connection with their sales in the European Union. Will US customers request the same level of transparency and control?
Further analysis of WP 196 is available in Francoise Gilbert's article published by the BNA Privacy & Security Law Report.