Privacy Advisor

GERMANY—DPA guidance on cloud computing

February 1, 2012

By Flemming Moos

German data protection authorities are generally concerned over data protection law compliance in the cloud. Reliable interpretations and guidelines are still missing as to if and under which preconditions personal data might be stored and processed in a cloud computing environment. In September 2011, the conference of federal and state data protection officials in Germany made a first step and adopted a resolution on using cloud computing services in compliance with data privacy requirements.

The DPAs note that data controllers are only allowed to use cloud services if they are in fact able to fulfill all of their obligations as a data controller and verify the implementation of the required data privacy and security measures by the service provider. According to the resolution, cloud customers must ensure adequate confidentiality, integrity and availability of the data in the cloud as well as compliance with the requirements regarding transparency, control and governance over the data. In particular, the following minimum requirements shall apply.

  • Open, transparent and detailed information by the cloud service provider on the technical, organizational and legal framework including a security concept;
  • Transparent, detailed and clear contractual provisions governing the processing of the data in the cloud, especially concerning the location of the data processing including the notification about any changes thereto, as well as concerning the portability of the data and interoperability;
  • The implementation of the agreed data protection and data security measures by the provider as well as the cloud customer;
  • Up-to-date and meaningful evidence regarding the cloud infrastructure; e.g., certificates by recognized and independent auditors.

While it will not always be easy for cloud customers to comply with all these requirements—in particular because many providers might not be willing to accept respective changes to their standard terms and conditions—it is a positive sign by the DPAs that they do not condemn cloud computing overall but consider it feasible to use these services in a data privacy law-compliant way.


Flemming Moos is a partner at Norton Rose in Germany and a certified specialist for information technology law. He chairs the IAPP KnowledgeNet in Hamburg and can be reached at flemming.moos@nortonrose.com.