Cloud Computing and Personal Data

November 7, 2012

Cloud computing is often presented as an opportunity for companies to reduce their investment costs in computer infrastructure and only to pay an external service provider for consumption. Cloud computing varies from the provision of online processing and storage infrastructure (provision of remote data centers) to the supply of online software (messaging software, file management software, etc.) as well as the provision of online application development platforms. This model may be attractive, particularly for small and medium-size companies that do not wish, or do not have the means, to invest and to manage computer platforms or infrastructures. Generally speaking, this model is also interesting for file synchronisation.

Personal Data

Although the model may be attractive from a financial point of view, there are however several risks involved concerning personal data protection. This was recently highlighted in the opinion dated 1 July 2012, rendered by the European group reuniting the representatives of the different national authorities in charge of personal data protection (Group article 29). This opinion is shared by certain national authorities for personal data protection, such as the CNIL (National Commission Computer and Liberty) in France and the ICO (Information Commissioner’s Office) in Great Britain. In substance, all these authorities underlined the two main risks related to cloud computing, namely:

  • loss of control of personal data; and
  • lack of transparency by the cloud computing service provider concerning the processing of personal data.

The Client of the Cloud Computing Service Remains Liable for Personal Data Protection

Although the supplier of the cloud computing services is the best informed on the level of security of its services, on the flow of data generated between different services globally, on the identity of its subcontractors and so on, it is nevertheless its client, the person using the cloud computing services, who remains mainly liable for compliance with personal data processing regulations. In fact, it is the client who decides upon the purposes and means of personal data processing. The cloud computing service provider is in principle considered as a simple subcontractor.

The possible lack of balance of forces in negotiations between a small client and a large service provider does not exonerate the client from its liability concerning personal data protection. The client must obtain from the service provider, in a written contract, all assurances for compliance with personal data protection regulations. Particularly important among these are compliance with data integrity, confidentiality, transparency towards data subjects, data isolation, intervention on behalf of data subjects and portability. The client must also ensure that it has the means of checking, for example by means of an audit, the compliance by the service provider with all its obligations.

Subcontractors of the Cloud Computing Service Provider

The client must also ensure that the obligations which are incumbent upon the cloud computing service provider are not weakened by the fact that the latter itself uses subcontractors. The client therefore must contractually ensure, in particular, that:

  • the service provider only subcontracts with its agreement;
  • the subcontractors are identified; and
  • the service provider obliges its subcontractors to comply with all the obligations that the service provider is subject to.

Transfers Abroad

Cloud computing infrastructures are generally spread out geographically and therefore personal data is transferred. This does not cause any problem within the European economic area (European Union, Norway, Iceland and Liechtenstein) or when the transfers take place to other countries which are presumed to offer adequate data protection. Things are different beyond the European economic area and these countries. The client should therefore be sure to check that its cloud computing service provider is also bound by contractual clauses or by binding company rules ensuring an adequate protection in case of the transfer of personal data outside the European economic area or to a country not offering an adequate level of protection.