Cloud Computing: CNIL’s 7 recommendations are necessary but not sufficient
By Gaëtan Cordier and Adeline Jobard
Cloud computing refers to the offloading to the “Internet cloud” of personal data and applications previously stored on the servers and computers of companies, organisations or individuals.
In the absence of a consensus on a clear definition of cloud computing, the CNIL suggested, in the consultation it ran at the end of 2011, that cloud computing services be characterised by the following indicators:
- Simplicity of an on-demand service: A user may, unilaterally, immediately and generally without any human intervention, have the IT resources he needs at his disposal—servers’ computing time, storage capacity, etc.;
- Extreme flexibility: The resources that are made available are strongly and rapidly upgradable generally in a way that is transparent to the user;
- “Light” access: Access to the resources requires no proprietary equipment or software. Access to the resources shall be through easily available applications—sometimes open source applications—and generally through a mere web browser;
- Pooling of resources: The provider’s IT resources are configured in such a way that they may be used by a multitude of machines and are often distributed between different host centres, possibly at different locations worldwide;
- Pay-per-use: Payment of the cloud computing service may be in proportion to the use of the service.
Cloud computing makes it possible for companies to increase their competitiveness by reducing their IT costs and providing a higher quality of service. The cloud computing market is said to already represent 6 billion euros at European level, with an annual growth of approximately 20 percent.
The CNIL noted that companies planning to use cloud computing services face numerous difficulties in bringing those services into compliance with the French Data Protection Law. The issues of the service provider’s legal qualification, the applicable law, the transfer of data and security are particularly delicate in cloud computing transactions.
The service provider’s legal qualification
The CNIL notes that, in the provision of cloud computing services, the customer is in principle the data controller within the meaning of Article 3 of the French Data Protection Law of 1978, to the extent that the customer is the person collecting the data and deciding to outsource the processing thereof to a service provider. The service provider would therefore act as a subcontractor.
However, in practice, it also seems possible to qualify a service provider as a data controller by reference to the following list of indicators: To what extent is the service provider constrained by instructions from the customer? What level of constraint may a customer impose on the service provider? How much expertise does the service provider have in data processing? To what extent is the service provider’s identity known to the persons using the customer’s services?
Determination of applicable law
Given that cloud computing is based on the use of multiple servers at different locations worldwide, obvious difficulties exist when it comes to determining the applicable law.
The CNIL notes, however, that identifying the applicable law is particularly important, since it determines the obligations incumbent on the data controller.
Regulating data transfers
As cloud computing implies the worldwide circulation of data from one server to another, it frequently happens that the customer using cloud computing services is unable to know in real time where its data are being transferred to and stored.
Yet storing data outside the European Union will result in very high penalties being imposed by the CNIL on the customer, as data controller, if no safeguards have been implemented to prevent this.
The CNIL notes that service providers, especially when they use standard contracts, provide little information to their customers as to the technical and organisational measures they implement to guarantee the security and confidentiality of the data processed on behalf of their customers.
This lack of transparency on the part of service providers means that customers do not have all the information necessary to comply with their duties as data controllers.
In order to consider all potential solutions, both from a legal and technical standpoint and to guarantee a high level of personal data protection when using cloud computing, the CNIL launched a call for contributions from all stakeholders—professionals, customers and providers of cloud computing services—from 17 October to 17 November 2011. On 25 June 2012, and on the basis of the answers received, the CNIL drafted seven practical recommendations that should make it possible for data controllers to meet their statutory duties.
The CNIL’s seven recommendations are based mainly on a risk analysis carried out beforehand by customers and on transparency undertakings by service providers towards their customers, which must be formalised in the service contracts.
CNIL’s seven recommendations
Contents of the recommendations
Clearly identify the data and processing operations which will be passed to cloud
The CNIL recommends identifying the data which may be hosted in the cloud, distinguishing between
Define one’s own requirements for technical and legal security
The CNIL notes that many cloud offers are standard for all customers and do not meet a particular specification.
However, the customer must make sure the offer made by the service provider meets all of its constraints, including
Carry out a risk analysis to identify the security measures essential for the company
The main risks identified by the CNIL are as follows:
The CNIL notes that most of these risks should be reduced by contractual provisions that can include penalties for the service provider, and by technical and organisational measures for the customer and the service provider.
Identify the relevant type of cloud for the planned processing
There are various cloud computing service offers on the market, which can be distinguished according to three service models and three deployment models.
The service models are as follows:
The deployment models are as follows:
The CNIL recommends choosing different cloud computing solutions according to the type of processing. For example, the CNIL indicates that a French public IaaS service can be chosen for the company’s website, an accredited medical server for the medical data and a private European SaaS for e-mails.
The CNIL further recommends that the transfer of data to the cloud be done progressively, data category by data category and in order of increasing security requirements.
Choose a service provider offering sufficient guarantees
The choice of a service provider must be made in consideration of the following analytical grid:
The CNIL acknowledges that, in certain circumstances, and notably in the case of a public cloud, the service provider could be considered a joint controller, when the customer cannot really give it instructions and is not in a position to monitor the effectiveness of the security and confidentiality guarantees given by the service provider. Non-negotiable standard offers are an example of this.
As emphasised by the CNIL, joint responsibility is a source of legal uncertainty. For this reason, it is necessary to identify, for each step, who, i.e., the customer or the service provider, shall be responsible vis-à-vis the competent personal data protection authorities.
The effective definition of the steps and the division of responsibilities should be made in the cloud computing agreement.
The CNIL points out that the customer is responsible for choosing a service provider who provides a sufficient level of protection for the data entrusted to it. To that effect, the CNIL listed the essential elements, in terms of the protection of personal data, that should appear in a cloud computing service contract:
PLEASE NOTE: The CNIL suggests models of contractual clauses summarising the essential elements listed above. These model clauses can be inserted in the cloud computing service contracts.
Review the internal security policy
The use of a cloud computing service requires a complete review of the internal procedures in line with the conclusions of the risk analysis, notably in relation to risks related to transmissions via the Internet, the use of mobile terminals and the mechanisms for authentication of employees.
The service provider must be in a position to offer a service compatible with these security requirements.
Monitor changes over time
The CNIL recommends that the cloud computing service be assessed periodically in light of changes over time in the context, the risks, the solutions available on the market, legislation, etc.
In particular, the CNIL suggests that the recommended risk analysis must be updated as soon as a significant change in the service takes place.
The CNIL’s recommendations detailed above are a practical tool for any customer who wishes to use a cloud computing service. Customers' attention is drawn to the fact that they should choose the service provider after carrying out an analysis of requirements and a risk analysis and after having identified the required security measures given the envisaged type of service.
The CNIL’s recommendations are also a useful guidance for negotiating and drafting contracts relating to cloud computing services.
However, one will note that the CNIL fails to precisely address the issue of the applicable law in its recommendations. This question remains open, as there appears to be no consensus on it.
A large proportion of the contributors to the public consultation suggested using only the data controller’s law to determine the applicable law. However, such a suggestion very quickly shows its limits in relation to cloud computing, especially when the customer and the service provider are joint data controllers located in two different countries. The CNIL suggests identifying the applicable law using the targeted data subjects as the criterion. However, there is no unanimity over the use of targeting as a criterion, even though it is the criterion chosen in the draft EC Regulation relating to the protection of personal data. Contributors to the public consultation have said that using this criterion could lead to the cumulative application of the law of several countries.
So, pending a clarification on this issue of the applicable law, one should define the law applicable to cloud computing on a case-by-case basis, in accordance with the legal provisions that are currently in force.
One may also regret that the CNIL’s recommendations focus on personal data, since its analysis would equally apply to the other categories of data, as well as to the processing and services transferred under cloud computing agreements.
It is also worth noting that customers who would like to use a cloud computing service are looking for a wider service that is not restricted to data only. The CNIL’s recommendations would therefore usefully cover, more broadly, all of the applications and/or data hosted in the cloud, as well as the optimisation of the customer’s information system as a whole.
Finally, one will note that, on 1 July 2012, the Article 29 Working Party also published its practical recommendations on the risks and stakes of cloud computing. In this respect, we would like to point out that the recommendations of said Working Party, which reflect the position of the European personal data protection authorities, are in substance very close to those published by the CNIL, bearing in mind that the latter result from a consultation of the customers and providers of cloud computing services.
Gaëtan Cordier is a partner in the Eversheds Paris office in charge of the IT & Privacy Practice. His practice covers both litigation and transactional IT and privacy matters for all the major IT and privacy disciplines, such as IT/e-commerce, data protection and privacy issues as well as IT outsourcing and software licensing.
Adeline Jobard is an associate in the Eversheds Paris office who specializes in IT & privacy law. She advises both French and international clients in the areas of information technology, Internet and data protection law.