ANALYSIS: The EU Article 29 Working Party Opinion On Cloud Computing And Privacy: Ten Key Questions And Answers
By Michael Schmidl, of Baker & McKenzie, Munich.
On July 1, 2012, the EU Article 29 Data Protection Working Party, an independent EU advisory body on data protection and privacy set up under Article 29 of the EU Data Protection Directive (95/46/EC), issued Working Paper 196 containing its “Opinion 05/2012 on Cloud Computing” (hereafter “WP 196”). The scope of WP 196 is to “analyze all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant.” Consequently, WP 196 does not contain an overall analysis related to the risks of outsourcing in general and the processing of personal data in particular. WP 196 categorizes the aforementioned risks into two major categories, namely the category “lack of control over the data” (e.g., lack of availability due to lack of interoperability, lack of integrity caused by the sharing of resources, lack of confidentiality in terms of law enforcement requests made directly to a cloud provider, etc.; see p. 5 of WP 196) and the category “lack of information on processing (transparency)” (e.g., use of multiple processors and subcontractors, parties involved are located in various different jurisdictions, data transfers to countries outside the EEA; see p. 6 of WP 196).
As my colleague Matthias Scholz and I laid out in our Special Report “Pragmatic Solutions To Typical Privacy Challenges For EU Customers Of Cloud-Based Software Services” (see WDPR, June 2012, page 37), the provision of cloud services most often qualifies as data processing (with the customer being the data controller and the provider being the data processor) as per Article 17 of the EU Data Protection Directive and its respective national implementations if and to the extent personal data are concerned. It is in line with this evaluation that WP 196 “focuses on the situation, where the relationship is assumed to be a controller-processor relationship, with the customer qualifying as controller and the cloud provider qualifying as processor.”
This article summarizes WP 196 in the form of questions and answers in alphabetical order, and presents an approach by which a European cloud provider could use non-European sub-processors.
Summary of WP 196 in Alphabetical Q&A Format
The following lays out the main information contained in WP 196 in a Q&A format in alphabetical order, with page references:
1. Client-Provider Relationship: What criteria have to be respected from a privacy compliance point of view as regards a contract on cloud services?
The contract regarding the provision of the cloud services must enable the controller to act in compliance with its general privacy obligations, such as maintaining transparency vis-à-vis data subjects (see p. 10), respecting purpose specification and limitation (see p. 11) and erasing data if they are no longer needed for the purposes for which they have originally been collected (see p. 11). Furthermore, the contract has to respect the criteria of the respective national law implementations of Article 17 of the Data Protection Directive (see p. 12), and, according to WP 196, it especially has to deal with:
1. applicable service level agreements and relevant penalties;
2. security measures that the cloud provider must comply with;
3. subject and time frame of the cloud service to be provided by the cloud provider, extent, manner and purpose of the processing of personal data by the cloud provider as well as the types of personal data processed;
4. conditions for returning the (personal) data or destroying the data once the service is concluded;
5. confidentiality of the data;
6. the facilitation of data subjects’ rights to access, correct or delete their data;
7. the communication of data to third parties;
8. the processor’s obligation to notify the controller of security breaches;
9. a list of locations in which the data may be processed;
10. the controller’s rights to monitor and the cloud provider’s corresponding obligations to cooperate;
11. information obligations in case of changes concerning the respective cloud service;
12. logging and auditing of relevant processing operations;
13. notification of the cloud client about government disclosure requests;
14. assurance of the cloud provider that its internal organization respects applicable laws and standards (see pp. 13-14);
and the technical and organizational measures to be adopted by the cloud provider (see pp. 14-17).
2. Controller to Controller or Controller to Processor: From a privacy law point of view, what is the legal quality of the relationship between the customer and the provider, especially in the case of large providers imposing the contract’s structure and content and the technical and organizational measures?
Both are possible, but WP 196 focuses on the controller to processor scenario (see p. 4) with the customers being the controllers and the providers being the processors (the latter could be seen as co-controllers if they process data for their own purposes). In any event, the roles of the parties as either controller or processor (see the Article 29 Working Party’s Working Paper 169 “Opinion 1/2010 on the Concepts of ‘Controller’ and ‘Processor’”; see also the analysis by Michael Schmidl and Daniel Krone, of Baker & McKenzie, Munich, at WDPR April 2010, page 4) have to be clearly defined (see p. 7) and all legal tasks must be clearly allocated to one of the parties in order to avoid a “negative conflict of competence” (see p. 8). Even in cases where the providers dominate the content of the cloud service agreements, the customer remains the controller in charge and cannot rely on the justification that the provider did not accept a compliant solution. Instead, if there is no other means to reach compliance, the customer ultimately has to choose a cloud provider ensuring a compliant solution…