Last week the European Commission’s panel on privacy, commonly known as the Article 29 Working Party, provided long-awaited clarity (in the form of an “Opinion”) on whether and how European governments and private enterprise can utilize cloud computing technology in their operations, including processing personal information and other protected data.
Cloud computing is a broad term that varies in context and has been subject to hype, but generally refers to technologies and service models allowing the sharing of on-demand scalable computer resources over the internet, including software programs, computer storage space and elastic computing power. Implementing IaaS systems has allowed companies and governments to significantly reduce capital expenditures by eliminating the need for purchase and maintenance of computer infrastructure equipment. Cloud services also allow for rapid remote deployment of software and network solutions. Importantly, cloud services also enable organizations to decrease reliance on developing sophisticated in-house IT staff since major cloud providers have trained experts monitoring the computing environment.
But, because cloud computing leverages the internet and computing resources in geographically disparate locations, the technologies present serious privacy and data security risks. In addressing this fundamental concern the Opinion indicates that the principal risks are a potential lack of control over data and limited transparency into its processing. A cloud provider’s infrastructure can seem opaque and lacking information ensuring the “availability, integrity, confidentiality, transparency, isolation, intervenability and portability of the data”. Additionally, due to the collaborative nature of cloud computing, customers may not be aware of subcontractors in the supply chain handling their data. With due respect to the data security risk, many observers consider this to be the great triumph of cloud computing: that it simply “works” without its users having to worry about the back-end.
Europe’s framework of strong privacy protections has caused the adoption of cloud computing to move slower than in the United States, as the Continent grapples with how to implement the new technologies within existing legal frameworks. For example, public cloud providers extract fantastic benefits in seamlessly shifting data across a network of computers temporarily housing it in data centers (perhaps) around the globe, necessitating limited transparency on data segregation and other technical logistical details.
However, the economic benefits and technological possibilities associated with cloud computing are undeniable, and its widespread proliferation seems more inevitable with each passing week. As government and business seek to run leaner, more efficient operations in the 21st century global marketplace, they have no choice but to consider the economic benefits of shared-resource computing. In that context, the Opinion attempts to provide practical guidance to European governments and businesses, and cloud providers wishing to infiltrate the European market, on how the parties can evaluate, contract for and utilize cloud computing services while remaining compliant with data protection obligations.
A key conclusion of the Opinion is that organizations seeking to deploy cloud technologies leveraging utility computing must conduct thorough technological compliance-focused due diligence. They must also draft and negotiate robust legal agreements with appropriate contractual safeguards in order to satisfy legal requirements espoused under the Opinion. Additionally, and perhaps controversially, the Opinion notes that users “should select cloud providers that guarantee compliance with EU data protection legislation”; compliance with that representation may be cumbersome, costly and akin to hitting a moving target.
One possible change in legal analysis arising from the Opinion is the inability of companies to rely solely on the EU Data Protection Safe Harbor in exporting data outside Europe. The Opinion states “[i]n the view of the working party, sole self-certification with safe harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment… In terms of data security, cloud computing raises several cloud-specific security risks, such as loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures, which are not sufficiently addressed by the existing safe harbor principles on data security.”
The Opinion requires that, if an organization desires to procure cloud services, a formal contract be in place between it and the cloud provider. The contract must set forth a number of specific required protections. Although the Opinion misses certain contractual protections typically included in enterprise cloud computing contracts, some of the more significant provisions suggested in the Opinion address that:
· A scope of services must be specified and uptime/service levels guaranteed, all depending on the nature of the service and whether it performs a critical business function;
· The customer makes all decisions as to processing of data;
· Specification of information security architecture, infrastructure and protocols achieving the goals of transparency, isolation, intervenability, accountability and portability must be included;
· Cloud provider must log its data processing operations, and customer must have the right to audit such processing operations, or receive third party audits and certifications;
· Specification for conditions of returning and/or destroying data must be noted;
· Geographical location of all data centers processing data must be noted;
· All subcontractors processing data must be identified and held to the same data protection standards;
· Appropriate confidentiality obligations must be drafted, including that only cloud provider employees with a need-to-know will have access to customer data;
· Obligation of cloud provider to facilitate access to, correction of or deletion of an individual’s personal data must be affirmed;
· Clarification of responsibilities of cloud provider to notify customer in event of a data breach impacting customer data must be set forth with specificity;
· Customer must have right to monitor and/or audit the cloud provider’s performance of its obligations;
· Cloud provider must notify customer of all legally binding requests for disclosure of personal data by law enforcement or other government representatives;
· Cloud provider must agree to export data to customer upon termination and/or otherwise help in portation/transition.
Though the Opinion is nonbinding, it is likely to influence parliaments and boardrooms around Europe in moving organizations towards adoption of cloud computing, despite the practical challenge of implementing Europe’s legal requirements. Because the technology underlying cloud computing changes at such a rapid pace, compliance with the Opinion’s obligations cannot be understood as a one-time endeavor; rather, government and enterprise must maintain a dogged focus on constructing an appropriate security environment, and also on understanding the data security practices of their cloud computing providers.
Significant risk exists that the cost of complying with regular third party security audits and other EU legal requirements will diminish the economic benefits of cloud computing. Notwithstanding the skepticism, all stakeholders are incentivized to continue to fashion an agreeable, workable framework for the continued expansion of cloud computing technologies in Europe, particularly as the Continent attempts to reduce expenditures and shape globally competitive economies. Major international corporations and the United States government, among other examples of high-risk sophisticated organizations, have already begun utilizing cloud computing in their business operations, in large part undertaking duties outlined by the European Commission in its Opinion.