Privacy Advisor

Cloud Computing: CNIL’s 7 recommendations are necessary but not sufficient

November 1, 2012

By Gaëtan Cordier and Adeline Jobard

Cloud computing refers to the shift to the “Internet cloud” of personal data and applications previously stored on the servers and computers of companies, organisations or individuals.

Failing a consensus on a clear definition of what is meant by cloud computing, the CNIL suggested in its consultation run at the end of 2011 that the existence of cloud computing services be characterised by the following indicators:

  • Simplicity of an on-demand service: A user may, unilaterally, immediately and generally without any human intervention, have the IT resources he needs at his disposal—servers’ computing time, storage capacity, etc.;
  • Extreme flexibility: The resources that are made available are strongly and rapidly upgradable generally in a way that is transparent to the user;
  • “Light” access: Access to the resources requires no proprietary equipment or software. Access to the resources shall be through easily available applications—sometimes open source applications—and generally through a mere web browser;
  • Pooling of resources: The provider’s IT resources are configured in such a way that they may be used by a multitude of machines and are often distributed between different host centres, possibly at different locations worldwide;
  • Pay-per-use: Payment of the cloud computing service may be in proportion to the use of the service.

Cloud computing makes it possible for companies to increase their competitiveness by reducing their IT costs and providing a higher quality of service. The cloud computing market reportedly already represents 6 billion euros at European level, with an annual growth of approximately 20 percent.

The CNIL noted that companies planning to use cloud computing services face numerous difficulties in bringing those services into compliance with the French Data Protection Law. The issues of the service provider’s legal qualification, the applicable law, data transfers and security are particularly delicate in cloud computing transactions.

Comments

The service provider’s legal qualification

The CNIL notes that, in the provision of cloud computing services, the customer is in principle the data controller within the meaning of Article 3 of the French Data Protection Law of 1978, to the extent that the customer is the person collecting the data and deciding to outsource the processing thereof to a service provider. The service provider would therefore act as a subcontractor.

However, in practice, it also seems possible to qualify a service provider as a data controller by reference to the following list of indicators: To what extent is the service provider bound by instructions from the customer? What level of constraints may a customer impose on the service provider? How much expertise does the service provider have in data processing? To what extent is the service provider’s identity known to the persons using the customer’s services?

Determination of applicable law

Given that cloud computing is based on the use of multiple servers at different locations worldwide, obvious difficulties exist when it comes to determining the applicable law.

The CNIL notes, however, that identifying the applicable law is particularly important, since it makes it possible to identify the obligations that are incumbent on the data controller.

Regulating data transfers

As cloud computing implies the worldwide circulation of data from one server to another, it frequently happens that the customer using cloud computing services is unable to know in real time where its data are being transferred to and stored.

Still, storing data outside the European Union shall result in very high penalties being imposed by the CNIL on the customer, as data controller, if no safeguards have been implemented to prevent this.

Data security

The CNIL notes that service providers, especially when they use standard contracts, provide little information to their customers about the technical and organisational measures they implement to guarantee the security and confidentiality of the data processed on their customers’ behalf.

This lack of transparency on the part of service providers means that customers do not have all the information they need to comply with their duties as data controllers.

Recommendations

In order to consider all potential solutions, both from a legal and technical standpoint and to guarantee a high level of personal data protection when using cloud computing, the CNIL launched a call for contributions from all stakeholders—professionals, customers and providers of cloud computing services—from 17 October to 17 November 2011. On 25 June 2012, and on the basis of the answers received, the CNIL drafted seven practical recommendations that should make it possible for data controllers to meet their statutory duties.

The CNIL’s seven recommendations are based mainly on a risk analysis carried out beforehand by customers and on undertakings of transparency on the part of service providers towards their customers, which must be formalised in the service contracts.

CNIL’s seven recommendations

1. Clearly identify the data and processing operations which will be passed to the cloud

The CNIL recommends identifying the data which may be hosted in the cloud, distinguishing between

  • personal data;
  • sensitive data;
  • strategic data for the company, and
  • data used in business applications.

BE CAREFUL:

  • One should make sure that the processing operations transferred to the cloud do not include other processing operations which have not migrated. An example of this is the use of a messaging service in which staff members exchange content that is strategic for the company.
  • Certain types of data are subject to a specific legal framework. For example, medical data can only be stored in a medical data host approved by the Ministry of Health.

2. Define one’s own requirements for technical and legal security

The CNIL notes that many cloud offers are standard for all customers and do not meet a particular specification.

However, the customer must make sure the offer made by the service provider meets all of its constraints, including

  • the legal constraints—location of data, guarantee of security and confidentiality, regulations specific to certain types of data, etc.;
  • the practical constraints—availability, reversibility/portability, etc.;
  • the technical constraints—interoperability with the existing system, etc.


3. Carry out a risk analysis to identify the security measures essential for the company

The main risks identified by the CNIL are as follows:

  • loss of governance regarding processing;
  • technological dependency on the cloud computing supplier; i.e., impossibility of changing solution without loss of data;
  • flaw in the isolation of the data; i.e., risk that the data hosted on a virtualised system will be modified or made accessible to unauthorised third parties;
  • judicial requisitions, in particular by foreign authorities;
  • a flaw in the subcontracting chain, if the service provider himself has used third parties to provide the service;
  • ineffective or nonsecure destruction of data, or excessive retention period;
  • problem of management of access rights for data subjects caused by the inadequacy of means put in place by the service provider;
  • unavailability of the provider’s service;
  • shutdown of service or takeover of service provider by a third party;
  • noncompliance with regulations, in particular on international transfers.

The CNIL notes that most of these risks should be reduced by contractual provisions that can include penalties for the service provider, and by technical and organisational measures for the customer and the service provider.


4. Identify the relevant type of cloud for the planned processing

There are various cloud computing service offers on the market, which can be distinguished according to three service models and three deployment models.

The service models are as follows:

  • SaaS: “Software as a Service”, that is, online software provisioning;
  • PaaS: “Platform as a Service”, that is, online application development platform provisioning;
  • IaaS: “Infrastructure as a Service”, that is, online computing and storage infrastructure provisioning.

The deployment models are as follows:

  • “Public” when a service is shared and pooled between many customers;
  • “Private” when the cloud is dedicated to one customer;
  • “Hybrid” when a service is partly in a public cloud and partly in a private cloud.

The CNIL recommends choosing different cloud computing solutions according to the type of processing. For example, the CNIL indicates that a French public IaaS service can be chosen for the company’s website, an accredited medical server for the medical data and a private European SaaS for e-mails.

The CNIL further recommends that the transfer of data to the cloud be done progressively, by data category and with increasing security requirements.


5. Choose a service provider offering sufficient guarantees

The choice of a service provider must be made in consideration of the following analytical grid:

  • Step No. 1: Determine the service provider's legal qualification

The CNIL acknowledges that, in certain circumstances, and notably in the case of a public cloud, the service provider could be considered a joint controller, when the customer cannot really give it instructions and is not in a position to monitor the effectiveness of the security and confidentiality guarantees given by the service provider. Non-negotiable standard offers are an example of this.

As emphasised by the CNIL, joint responsibility is a source of legal uncertainty. For this reason, it is necessary to identify, for each step, who, i.e., the customer or the service provider, shall be responsible vis-à-vis the competent personal data protection authorities.


The CNIL suggests the following division of responsibilities:

Assumption: the service provider is joint data controller for the processing

  • Notification to CNIL: Customer
  • Information to data subjects: Customer
  • Obligation of confidentiality and security: Customer + Service Provider
  • Exercise of data subjects’ rights to the…: Customer (with the service provider’s support)


The effective definition of the steps and the division of responsibilities should be made in the cloud computing agreement.

  • Step No. 2: Assess the level of protection given by the service provider for the data processed

The CNIL recalls that the customer is responsible for choosing a service provider who provides a sufficient level of protection for the data entrusted to it. To that effect, the CNIL listed the essential elements, in terms of the protection of personal data, that should appear in a cloud computing service contract:

  • Information on processing: Existence of a system for reporting complaints and security breaches; processing means; recipients of data; subcontracting; existence of simple procedures for observing the rights of the data subjects to their data, etc.;
  • Guarantees put in place by the service provider: Limited and reasonable retention period for the data with regard to the purposes for which the data have been collected; destruction and/or restitution of data at end of service or in case of early termination of the contract in a structured and widely-used format; duty to cooperate with the competent data protection authorities; when the service provider is a data processor, indication that the customer can audit the service provider to make sure that these guarantees are effectively implemented, etc.;
  • Location and transfers: Clear and complete indication of the countries hosting the service provider’s data centres; assurance of adequate protection abroad—particularly by means of the EC Standard contractual clauses or binding corporate rules, "BCR"; possibility of limiting data transfers solely to EU member states or to third countries recognised as providing an adequate level of protection by a decision of the European Commission; immediate information to the customer in case of a request from a foreign administrative or judicial authority, etc.;
  • Formalities with the CNIL: Completed by the customer when the service provider is a data processor; to be decided by the customer and the service provider when the service provider is a joint data controller.
  • Security and confidentiality: Security policy and minimum security measures; certifications; reversibility/portability; traceability; continuity of service; backups and integrity; Service Level Agreements.

PLEASE NOTE: The CNIL suggests models of contractual clauses summarising the essential elements listed above. These model clauses can be inserted in the cloud computing service contracts.


6. Review the internal security policy

The use of a cloud computing service requires a complete review of the internal procedures in line with the conclusions of the risk analysis, notably in relation to risks related to transmissions via the Internet, the use of mobile terminals and the mechanisms for authentication of employees.

The service provider must be in a position to offer a service compatible with these security requirements.


7. Monitor changes over time

The CNIL recommends that the cloud computing service be assessed periodically in light of changes over time in the context, the risks, the solutions available on the market, legislation, etc.

In particular, the CNIL suggests that the recommended risk analysis should be updated as soon as a significant change in the service takes place.


The CNIL’s recommendations detailed above are a practical tool for any customer who wishes to use a cloud computing service. Customers should choose their service provider only after carrying out an analysis of requirements and a risk analysis, and after having identified the security measures required for the envisaged type of service.

The CNIL’s recommendations are also a useful guidance for negotiating and drafting contracts relating to cloud computing services.

However, one will note that the CNIL fails to address precisely the issue of the applicable law in its recommendations. This remains an open question, as there appears to be no consensus on it.

A large proportion of the contributors to the public consultation suggested using only the data controller’s law to determine the applicable law. However, such a suggestion very quickly shows its limits in relation to cloud computing, especially when the customer and the service provider are joint data controllers located in two different countries. The CNIL suggests identifying the applicable law using the targeted data subjects as the criterion. However, there is no unanimity over the use of targeting as a criterion, even though it is the criterion chosen in the draft EC Regulation relating to the protection of personal data. Contributors to the public consultation have said that using this criterion could lead to the cumulative application of the laws of several countries.

So, pending clarification of the applicable law, one should define the law applicable to cloud computing on a case-by-case basis, in accordance with the legal provisions currently in force.

Besides, we may regret that the CNIL’s recommendations focus on personal data, as its reflections on personal data would also be applicable to the other categories of data, as well as to the processing operations and services transferred under cloud computing agreements.

It is also worth noting that customers who would like to use a cloud computing service are looking for a wider service that is not restricted to data only. The CNIL’s recommendations could therefore usefully cover more widely all of the applications and/or data hosted in the cloud, as well as the optimisation of the customer’s information system as a whole.

Finally, one will note that, on 1 July 2012, the Article 29 Working Party also published its practical recommendations on the risks and stakes of cloud computing. In this respect, we would like to point out that the recommendations of said Working Party, which describe the stand taken by European personal data protection authorities, are in substance very close to those published by the CNIL, bearing in mind that the latter result from a consultation of the customers and providers of cloud computing services.


Gaëtan Cordier is a partner in the Eversheds Paris office in charge of the IT & Privacy Practice. His practice covers both litigation and transactional IT and privacy matters for all the major IT and privacy disciplines, such as IT/e-commerce, data protection and privacy issues as well as IT outsourcing and software licensing.

Adeline Jobard is an associate in the Eversheds Paris office who specializes in IT & privacy law. She advises both French and international clients in the areas of information technology, Internet and data protection law.