On 17 October, the French data protection authority, CNIL, launched a consultation process on Cloud Computing. The deadline for responses is 27 November.
This is a short time frame considering the extent of the topics which are up for discussion.
• The first question relates to defining what makes up Cloud Computing and CNIL’s proposal to use a range of indicia when assessing this.
• CNIL raises the question of whether or not, in certain cases, service providers (contractors) should be classified as joint data controllers (the question of where the line lies between the classification of data controllers and data processors has already been the subject of much discussion and of an Article 29 Working Party opinion). CNIL has said that, in any event, the client will remain a data controller.
• CNIL also addresses the issue of identifying the applicable law (which has also been the subject of an Article 29 Working Party opinion) and, more specifically, whether the criterion of “means of processing located in EU member States” is really appropriate in circumstances where there are multiple servers in various countries (this criterion triggers the application of the law of the EU member state(s) where the “means” are located when the data controller is based outside the EU).
• CNIL has also asked what tools can, in practice, be used to protect data which is transferred to countries whose data protection regulations are not of the same standard as those of the EU. CNIL has suggested that one solution to this problem would be to use “Processor BCR” (Binding Corporate Rules for data processors, which are yet to be accepted under EU regulations). Indeed, CNIL and a number of service providers are calling for the regulations to allow outsourcing companies and cloud vendors to provide their clients with a guarantee (recognised officially by the EU data protection authorities) on the level of protection that they implement when processing client data (acting as data processors). However, even that might not be sufficient if a service provider with Processor BCR were to subcontract part of the services to service providers outside of its group (as BCR apply only within a group of companies).
• Lastly, CNIL raised questions about security: how security principles are translated into the contractual relationship, the need for risk assessments, the guidelines that CNIL should issue to service providers, and the issue of reversibility (the client’s ability to retrieve its data and exit the service).
The questions which have been raised reflect the difficulty of the subject. Even if the technology itself is not really new, the issues arise now because data is increasingly globalised, clients often lack the bargaining power to negotiate standard terms, and awareness of privacy and security issues has increased. The commercial issues are also significant. It will be particularly interesting to see how CNIL will follow up this consultation.