In the last issue, I started looking at the issues of cloud computing and some of the data protection issues. This article continues that analysis.
The Article 29 Working Party
On 1 July 2012, the EU’s Article 29 Working Party adopted an Opinion (05/2012) on Cloud Computing, in which it analysed all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant.
In that Opinion the Working Party stated that:
“Despite the acknowledged benefits of cloud computing in both economic and societal terms, this Opinion outlines how the wide scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed. These risks need to be carefully assessed by public bodies and private enterprises when they are considering engaging the services of a cloud provider. This Opinion examines issues associated with the sharing of resources with other parties, the lack of transparency of an outsourcing chain consisting of multiple processors and subcontractors, the unavailability of a common global data portability framework and uncertainty with regard to the admissibility of the transfer of personal data to cloud providers established outside of the EEA. Similarly, a lack of transparency in terms of the information a controller is able to provide to a data subject on how their personal data is processed is highlighted in the opinion as a matter of serious concern. Data subjects must be informed who processes their data for what purposes and to be able to exercise the rights afforded to them in this respect.”
The Opinion highlights the importance of carrying out a detailed risk assessment before choosing a Cloud Computing provider (whether private or public) given that irrespective of what the Cloud Computing provider has promised (or not) it is for the Data Controller to determine whether or not the Data Protection Principles have been observed. This means that the Data Controller requires to satisfy itself of such matters as:
- where the data will be stored (and alternative storage locations);
- whether the provider uses sub-contractors for processing – and if so where these are, and what steps have been taken to ensure that the sub-contractors are complying with the Data Protection Principles;
- whether data are transferred outside the EEA, and once so transferred, can it be transferred again – and to where.
Remember that the foundation for all cloud computing arrangements will be a written contract – if for no other reason, then because a written contract between the Data Controller and the Data Processor will be required by the law.
Some of the issues identified in the Opinion arise as a result of the lack of control that the Data Controller will have as a result of the use of the Cloud Computing Provider:
- Lack of availability due to lack of interoperability (lock in); if the provider uses proprietary technology it may be difficult to move the data to another cloud provider (or to repatriate it to the Data Controller);
- Lack of Integrity due to sharing of resources; if physical resources are shared, there may be issues in relation to priority of access to those resources;
- Lack of Confidentiality in terms of law enforcement requests made to the Cloud Provider; personal data being processed in the cloud may be subject to requests from law enforcement agencies in the EU and elsewhere. This leads to the risk that EU personal data will be disclosed without a Data Protection justification. This is in addition to the risks that the Cloud Provider may be prevented from disclosing the fact of the request to the Data Controller or affected Data Subjects;
- Lack of Intervenability due to the complexity and dynamics of the outsourcing chain. The Cloud service may be but one service offered by the Provider and this service may change over the period of the contract;
- Data Subject’s Rights. It may be difficult for the data held to be accessed, deleted or amended as required by the Data Protection Directive.
- Lack of Information on Processing. This may give risks for both Controllers and Subjects because they may be unaware of the potential risks and threats and therefore cannot take measures to minimise or remove the risk. Chain processing may take place in different locations using different processors; personal data may be processed in different geographical locations within (or outwith) the EEA which may impact adversely on the right of the consumer on any dispute with the Provider; Personal Data may be transferred outwith the EEA – and the Subject would never know – to countries with inadequate levels of protection, and such processes as standard contractual clauses or binding corporate rules may be insufficient to remedy the position.
We may be familiar with the requirements of the Data Protection Act, but perhaps believe that others will deal with the regulatory requirements, whether that be our bank or public authority. However, the fact remains that it is our data and therefore we cannot absolve ourselves of the primary responsibility to ensure compliance with the Act and the Eight Principles.
Know your processor
In relation to Cloud Computing these issues are even more focussed. It may appear at first sight that the Cloud Computing provider is simply a service provider who maintains the storage array used by the business; the fact however is that the Cloud Computing provider is (or at least may be) a data processor and the Data Controller needs to consider the Cloud Provider as a Data Processor and, with that put in place the same controls and checks as it would with any other processor.
The Article 29 Working Party Report refers in some detail to the application of the Directive in the particular circumstances of cloud computing; however, in substance there is really nothing special about cloud computing as opposed to any other data processing arrangement. Whether the data is stored by an enterprise on its own premises, in other premises it owns or controls, in third party physical data centres or in the cloud, the Data Controller must apply exactly the same considerations to determining whether the Controller is meeting its obligations under the Act.
Equally with the Article 29 Working Party Opinion, the Guidance from the UK Information Commissioner does not add anything new to the debate and largely reiterates the points made above. The one important thing to be taken from each of the official pronouncements is not their substance as such (important as that may be) as much as the fact that businesses cannot abrogate responsibility for their data obligations merely by choosing a cloud provider over a more traditional storage solution. The cloud is there but not there; visible but invisible; real but virtual. It is these apparent incongruities that mean that the issues are sometimes overlooked but, with the ICO looking increasingly at penalties for non-compliance, it would be a foolish data controller who didn’t carry out all the necessary investigations before saying farewell to the data in its possession.
Next time, I shall look at some of the challenges and myths of cloud storage and the US Patriot Act and similar requirements in other jurisdictions before concluding with some of the questions that lawyers need to be asking both on their own behalf and on behalf of their clients of cloud solution providers.
David Flint is a partner in and heads the Intellectual Property, Technology & Commercial Group at MacRoberts LLP, Glasgow, Edinburgh and Dundee and, thanks to Cloud Computing, a large number of other locations. He has been advising on computer law issues for over 30 years.