The cloud is global, the law is local. I’ve been pointing this out a number of times. So, I was very curious when discovering that the CNIL (Commission Nationale de l’Informatique et des Libertés), the French Data Protection Authority, made some recommendations to enterprises wanting to subscribe to cloud computing services. As the CNIL works in close relationship with the EU, it is really interesting to see what they recommend and see how it aligns with the Data Protection Directive 95/46/EC, and the draft Data Protection Regulation. These recommendations should be looked at seriously by CIOs, even if they don’t do any business in Europe as they contain sound proposals for improved protection of data.
In a document dated June 25th and titled « Recommandations pour les entreprises qui envisagent de souscrire à des services de Cloud computing », not yet translated in English to my knowledge, the CNIL highlights 5 key recommendations:
1. Clearly identify the data and processes that will move to the (service provider) cloud, highlighting four data categories:
a. Personal information
b. Sensitive information
c. Information strategic for the enterprise
d. Information used in the business applications
2. Define your own requirements for technical and legal security:
a. Legal constraints (data location, security and confidentiality guarantees, compliance with regulations for specific types of data etc.)
b. Practical constraints (availability, reversibility/portability, etc.)
c. Technical constraints (interoperability with existing systems, etc.
3. Perform a risk analysis to identify the critical security measures required by the enterprise. Key risks include:
a. Loss of governance of the processing
b. Technical dependencies on the cloud service provider, i.e. the lack of possibility to choose another vendor or an internal alternative without losing data
c. Breach in data isolation, i.e. the risk that data can be altered or made inaccessible by an unauthorized third party, as a result of a failure by the service provider or a bad management of the hypervisor
d. Judiciary requisition, amongst others by foreign authorities
e. Failure in the cloud service supply chain
f. Ineffective or unsecure destruction of data, or too long data retention
g. Access right management problems due to lack of supplier means
h. Unavailability of the service or the service access (network)
i. Service closure or acquisition of the service provider by a third company
j Non-compliance, in particular in case of international transfers
4. Identify which type of cloud is pertinent for the planned service
5. Choose a service provider delivering sufficient guarantees
a. Assess the juridical qualification of the provider
b. Evaluate the level of security put in place for the treated data
This is quite an exhaustive list. The document goes on and highlights the elements that have to be found in any contract with a service provider. The CNIL complements all this with two internal recommendations:
- Review the internal security policies
- Monitor the evolutions over time (continuous improvement)
And finally the document includes a sample contract proposal.
Such comprehensive document, even if not yet translated in English, was doomed to initiate reactions. I’d like to highlight some that address key points in the report.
Controller versus Processor issues
The HLdataprotection blog focuses on the legal role of the cloud service provider and points out that a cloud provider will generally be considered the data processor, but that the provider will become joint controller with the customer if the cloud customer lacks any real autonomy in the negotiation of the contract and in defining how the data are processed.
A Data Processor is a person who processes data on behalf of the data controller. He is as such not subject to data protection legislation (such as the UK Data Protection Act), because he only acts on behalf of the data controller. A person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed”. In essence, this means that the data controller is the person who decides how and why personal data is processed. However, we take the view that having some discretion about the smaller details of implementing data processing (ie the manner of processing) does not make a person a data controller.
What is interesting in the document from CNIL is that if the customer is not able to give instructions to the cloud provider and must accept the cloud provider’s proposal “as is”, the cloud provider is considered as joint controller, jointly liable with his customer for compliance to (French) data privacy laws. Providers of private clouds are generally deemed processors; providers of public SaaS or PaaS cloud services will often be deemed joint controllers.
CNIL goes on and recommends splitting responsibility in following way:
Duty to inform data subject
Confidentiality and security obligation
Data subject's right of access
Where cloud provider is joint controller:
Joint customer and cloud provider responsibility
Customer responsible with assistance of cloud provider
This clear analysis raises an important point. As most public cloud service providers require their customers to agree on their terms and conditions, they should be considered joint data controller. But as many are global companies, which jurisdiction is applicable? I fully subscribe to CNIL’s recommendation. They bring transparency with them and that is something we miss in the public cloud in particular. However, we also need more consistency in the legislations across the different geographies. Remember how I started this blog entry, cloud is global and the law is local. How can we build more consistency across the world?
The CNIL focused mainly on data as data is persistent. The recommendations as well as the new EU data protection laws that are coming will fundamentally affect every company doing business in Europe, so it’s probably worth a little longer discussion. But that’s for an next blog entry.