European Data Protection Regulation of Cloud Services – a Pan-European Comparison

December 7, 2012

Bristows hosted this recent SCL event, with a distinctly European flavour. Roger Bickerstaff kicked off the event with an opening address which made a plea for more understanding at a number of levels: more understanding by IT lawyers of the data protection issues, and more understanding of the IT issues by data protection lawyers. He also called for a better understanding across Europe of the different national perspectives on data protection regulation of cloud services.

Dervish Tayyip from Microsoft gave an industry perspective overview of cloud services and raised some of the key EU data protection questions. Dervish noted the ‘spectrum of tolerance’ when considering data protection compliance in the current regulatory framework with no set standard for cloud privacy. This may lead to difficulties where customers purchase cloud services from a variety of vendors, as well as across different delivery models. A possible future solution would be to set standards for cloud security, although questions are likely to arise over how compliance will be certified and the independence of certifying bodies.  

Sebastian Meissner provided a summary of existing European guidance on cloud computing issues, with a particular focus on the WP29 opinion given in July of this year. Sebastian was the rapporteur to the Article 29 Working Party for this opinion.  European Data Protection Authorities have acknowledged the clear advantages of using cloud services and have expressed a desire to support their progression. However, he emphasised that this desire must be balanced with the important objective of ensuring that data protection standards are not lowered as a result of the growth of cloud computing. 

The European Commission has also released a communication setting out its strategy for a harmonised European cloud computing regime, focussed on standards and certification, fair terms for cloud services contracts and a cloud partnership, which would encourage a standard approach to cloud-based agreements.  

The ‘pan-European’ panel then took to the floor, with each speaker highlighting additional guidance or issues (beyond the WP29 opinion) and, where it existed, case law from their jurisdictions. Hazel Grant of Bristows started the discussion with the latest issues in UK data protection law. She identified the current trend for the ICO hitting public authorities with large data breach fines and noted that outsourcing a service to a third party, who then causes a breach, has been shown not to prevent a fine. We were taken through recent ICO Guidance on cloud computing, which provides that controllers should consider exactly what personal data they are collecting in the cloud and whether this could inadvertently lead to the collection of other data, such as metadata on usage of the cloud services, which may not be covered by their privacy policies. Encryption of sensitive personal data is a key concern, although controllers should be aware that loss of an encryption key could potentially lead to a data breach through accidental deletion of data, where such data can no longer be accessed. Other items include adequate staff training, ongoing review of compliance and the risk of data transfers outside the EEA where support is provided from outside the EEA, even though data centres are within the EEA.

Rocco Panetta of Panetta & Associati, Rome took us through the cloud computing guidelines provided by the Italian DPA, the ‘Garante’. The view here is that the cloud service provider is always the processor and the Garante recommends that this is explicitly stated in any cloud contract. As in the UK, the customer will be held liable for a breach caused by a cloud service provider, and case law has demonstrated that this remains the case where data has been transferred outside the controller’s jurisdiction. As a result, the Garante suggests that parties to a cloud arrangement should set out a detailed list of each party’s practical duties to help avoid such passing of blame.

France was up next and Pascale Gelly (Avocat à la cour, Cabinet Gelly) took us through recent developments in the sphere of cloud computing. The French DPA, the ‘CNIL’, carried out its first public consultation on cloud computing in 2011. This consultation considered the key issues of distinguishing controller and processor, appropriate security measures and international data transfers, and it was open to the general public to provide responses. In June this year, the CNIL pipped WP29 to the post by issuing its own guidance to cloud customers. The CNIL adopted the view that the cloud provider is usually the processor, although there is a possibility of having joint controllers, in which case there needs to be clear agreement on sharing of responsibilities. The guidance also provided example clauses for inclusion in cloud agreements, including a duty on the provider to inform the customer of a breach within 48 hours and audit rights.

Jürgen Hartung of Oppenhoff & Partner, Cologne next explained some of the key points from his perspective, including specific German data protection requirements for ten additional elements in any data processor contract (including contracts for cloud services).  Additionally, Jürgen explained that placing sensitive personal data in the cloud posed a particular problem, since it was likely to require a specific exemption such as consent, which was frequently missing.  Lastly, before placing any data in the cloud, a German user should carry out a preventative audit and document that audit. 

We then moved to Spain and Cecilia Alvarez of Uría Menéndez, Madrid pointed out a number of issues in using cloud services, including issues with data transfers (the need for DPA authorisations) and subcontracting (the need for each sub-processor to be authorised). The Spanish DPA, in January 2012, recognised some of these issues and produced model clauses to enable transfers between processors. Additionally, there have been improvements in allowing cross-references to one DPA authorisation (rather than individual ones per client).

We finished with a view from the Nordic region, given by Nicklas Thorgerzon, a Swedish lawyer of Vinge, Stockholm. The Nordic region has been the most active in terms of published decisions on the use by (mainly) public bodies of cloud services such as Google Apps, Windows Azure, Dropbox and Office 365.  These decisions have led to the use of a risk assessment matrix, which each controller should follow to document the planning behind selecting cloud services. 

There was a lively debate on the interaction of IT and data protection, particularly focussing on the roles of the data controller and data processor in the context of cloud services and whether these concepts needed to be updated in the light of cloud service developments. Pascale Gelly commented that the new Regulation will impose greater obligations on data processors which could overcome many of the current concerns about the lack of liability on data processors, but it will not change the general approach that a data processor is acting on the instructions of the data controller. That approach is of course rather questionable in the context of many cloud services arrangements.

Faye Weedon is an Associate in the Commercial IT team at Bristows: