Mastodon Kuan0: Cloud contracts requirements for personal data - regulators set out their views

Tuesday 3 July 2012

Cloud contracts requirements for personal data - regulators set out their views

EU privacy regulators the Article 29 Working Party have today issued their Opinion 05/2012 on Cloud Computing (WP 196), adopted 1 July 2012

Basically, the data protection regulators have taken a very strict approach; it will be harder for cloud users to process personal data in the cloud, and the opinion unfortunately still doesn't take into account how cloud works (see my 12 Cs of Cloud Computing) - to use the analogies in that article, they're basing it all on regulating the hiring of caterers or chefs rather than renting a (possibly pre-equipped) kitchen or buying take-out or ready meals.

Making a provider agree to follow your instructions in preparing a meal for you makes sense when the provider is a caterer, but not so much when it's a kitchen rental company and you're doing the cooking in their kitchen, or when it's a fast food chain selling you take-out.

Providers will be asked to disclose the identities of all sub-providers (so providers who use Amazon Web Services, Google App Engine, Windows Azure etc will be asked about their sub-providers, and yes that includes both Engine Yard and Heroku as intermediary sub-providers), as well as the locations of all data centres where personal data may be processed.

I'm still going through it but I wanted to draw attention to the passages quoted below which are relevant to the contracts of EU users who want to put personal data (eg customer data) in the cloud.

Just to mention a few points here, there's going to be difficulty with "passing on" obligations "down" the provider chain, as the regulators require.

As for a provider giving assurance as to compliance of sub-providers with "applicable national and international legal requirements and standards", how will a Dropbox be able to guarantee that Amazon's internal arrangements are compliant, never mind ensure Amazon must "act only" in accordance with the instructions of each of Dropbox's many customer(s)?

As I've touched on in the 12 Cs article but want to elaborate on more here, cloud is a form of IT outsourcing, but not in the traditional sense. With cloud, compared with traditional outsourcing, the "direction of travel", as I like to call it, is the opposite. In classic outsourcing a customer hires a provider, who then engages sub-contractors, who might engage sub-sub-contractors etc. (Analogy, hire a caterer who might hire sub-caterers etc).

But, in cloud, often a provider builds its service on top of an existing standard service offered on standard terms in a standardised way by an existing IaaS or PaaS provider. The customer then comes along and uses the provider's service. It's not easy to ask the provider to re-write its contract with its existing IaaS or PaaS provider to accommodate the customer's data protection law regulatory requirements.

Current laws just don't cater for this opposite direction of travel in cloud. To be fair, the regulators are, in giving their opinion, working within the constraints of existing laws. It's those which don't deal with, to again use my analogies, self-service rental kitchens or take-outs rather than caterers, and which assume the old "direction of travel" used in classic outsourcing.

Providers who want users to process personal data using their services may well have to come up with a "personal data" version of their contract terms (and a, no doubt more expensive, "personal data" service). As I predicted in my article.

The winners may well be the providers like IBM who control the whole supply chain, and don't use external sub-providers.

The regulators' recognition that third party certifications may be relied on to some extent is helpful, but that could perhaps go further.

I now quote some of the key points from the opinion on cloud contracts (bold added):

"The contract must at a minimum establish the fact, in particular, that the processor is to follow the instructions of the controller and that the processor must implement technical and organizational measures to adequately protect personal data.

To ensure legal certainty the contract should also set forth the following issues:

1. Details on the (extent and modalities of the) client’s instructions to be issued to the provider, with particular regard to the applicable SLAs (which should be objective and measurable) and the relevant penalties (financial or otherwise including the ability to sue the provider in case of non-compliance).

2. Specification of security measures that the cloud provider must comply with, depending on the risks represented by the processing and the nature of the data to be protected. It is of great importance that concrete technical and organizational measures are specified such as those outlined in paragraph 3.4.3 below. This is without prejudice to the application of more stringent measures, if any, that may be envisaged under the client’s national law.

3. Subject and time frame of the cloud service to be provided by the cloud provider, extent, manner and purpose of the processing of personal data by the cloud provider as well as the types of personal data processed.

4. Specification of the conditions for returning the (personal) data or destroying the data once the service is concluded. Furthermore, it must be ensured that personal data are erased securely at the request of the cloud client.

5. Inclusion of a confidentiality clause, binding both upon the cloud provider and any of its employees who may be able to access the data. Only authorized persons can have access to data.

6. Obligation on the provider’s part to support the client in facilitating exercise of data subjects’ rights to access, correct or delete their data.

7. The contract should expressly establish that the cloud provider may not communicate the data to third parties, even for preservation purposes unless it is provided for in the contract that there will be subcontractors. The contract should specify that subprocessors may only be commissioned on the basis of a consent that can be generally given by the controller in line with a clear duty for the processor to inform the controller of any intended changes in this regard with the controller retaining at all times the possibility to object to such changes or to terminate the contract. There should be a clear obligation of the cloud provider to name all the subcontractors commissioned (e.g., in a public digital register). It must be ensured that contracts between cloud provider and subcontractor reflect the stipulations of the contract between cloud client and cloud provider (i.e. that sub-processors are subject to the same contractual duties than the cloud provider). In particular, it must be guaranteed that both cloud provider and all subcontractors shall act only on instructions from the cloud client. As explained in the chapter on sub-processing the chain of liability should be clearly set in the contract. It should set out the obligation on the part of the processor to frame international transfers, for instance by signing contracts with subprocessors, based on the 2010/87/EU standard contractual clauses.

8. Clarification of the responsibilities of the cloud provider to notify the cloud client in the event of any data breach which affects the cloud client’s data.

9. Obligation of the cloud provider to provide a list of locations in which the data may be processed.

10. The controller’s rights to monitor and the cloud provider’s corresponding obligations to cooperate.

11. It should be contractually fixed that the cloud provider must inform the client about relevant changes concerning the respective cloud service such as the implementation of additional functions.

12. The contract should provide for logging and auditing of relevant processing operations on personal data that are performed by the cloud provider or the subcontractors.

13. Notification of cloud client about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

14. A general obligation on the provider’s part to give assurance that its internal organisation and data processing arrangements (and those of its sub-processors, if any) are compliant with the applicable national and international legal requirements and standards. In the event of infringement by the controller, any person suffering damages as a result of unlawful processing shall have the right to receive compensation from the controller for the damages caused. Should the processors use the data for any other purpose, or communicate them or use them in a way that breaches the contract, they shall also be considered to be controllers, and shall be held liable for the infringements in which they were personally involved.

It should be noted that, in many cases, cloud service providers offer standard services and contracts to be signed by controllers, which set forth a standard format for processing personal data. This imbalance in the contractual power of a small controller with respect to large service providers should not be considered as justification for the  controllers to accept clauses and terms of contracts which are not in compliance with data protection law."