On July 1, an influential European body released an opinion that offers guidance to companies trying to comply with European Union (EU) personal data-protection requirements in the context of cloud computing—the “global technological paradigm,” as the opinion calls it, that companies are turning to in an attempt to manage their data efficiently and affordably. In its opinion, the Article 29 Working Party (WP 29) identifies some of the key privacy and security risks related to storing and processing personal data in the cloud. Notably, it also recognizes the economic benefits of the cloud. The opinion also notes that cloud computing can offer security benefits: It allows small- to medium-size companies to acquire sophisticated data-security technologies that otherwise would be budgetary impossibilities.

The WP 29, mandated under Article 29 of the EU’s Data Protection Directive, consists of privacy experts and information commissioners from each EU member state who meet to discuss and publish opinions that aid in harmonizing the different states’ approaches to applying the directive. Although their opinion is not EU law, it has quite a bit of authority.

“In some corners of Europe, there’s been a bit of reluctance among EU regulators to accept cloud computing as an appropriate means of handling personal data,” says Alan Raul, global coordinator of Sidley Austin’s privacy, data security and information law practice. “[This opinion] will have influence because it does reflect an acceptance of cloud computing under the specified circumstances, which is a step forward.”

It also reflects some measure of accord with the way U.S. regulators have begun to address the protection of personal data sent to or processed in the cloud. For instance, the U.S. Federal Financial Institutions Examination Council on
July 10 issued its own cloud-computing guidance for financial institutions. Like the WP 29, the guidance took the approach of making the client responsible for conducting due diligence on cloud providers to ensure information security.

“Both the regulators in the U.S. and the EU Data Protection Authorities are converging on a consensus that cloud computing is essentially efficient and therefore desirable and, subject to certain appropriate safeguards, is a perfectly acceptable approach to handling computer storage and processing,” Raul says.

Giving Guidance

A key conclusion of the WP 29 opinion is that entities considering storing or processing their data with a cloud provider should conduct a thorough risk analysis (see “Risk Assessment”). The WP 29 opinion identifies two broad categories of data-protection risk related to cloud computing: lack of control over personal data and lack of transparency about a cloud’s processing operations. It goes on to outline guidelines for clients and providers of cloud-computing services.

“It’s impossible to get advice from all these different member states. This is the best advice from a government authority that lawyers, data-protection specialists and chief information officers can look at to make good choices [regarding] data protection if they have data being created or received in Europe,” says David Kessler, a partner at Fulbright & Jaworski and a member of its cloud task force.

Entities considering cloud computing need to choose their cloud providers carefully, the report says, and it’s the clients’ responsibility to ensure their providers and any commissioned subcontractors can guarantee data security and compliance with the fundamental EU data-protection principles of transparency, purpose specification/limitation and appropriate data-retention policies and procedures.

The WP 29 provides a 14-point checklist of issues companies should include in client-provider contracts, such as specifications on how data is handled and secured, and on the client’s rights to monitor and be informed of data processing, usage and access. Some of the recommendations may depart from most cloud providers’ standard practices, such as imposing on providers the obligation to provide “a list of locations in which the data may be processed.” But in light of the WP 29 document, says Mark Prinsley, head of Mayer Brown’s intellectual property & IT group in London, it likely will be easier for businesses to negotiate contracts.

“This opinion will help the small- to medium-size business that might not have as much commercial clout in its negotiations with major suppliers to make sure they get contracts that protect the personal data being processed on their behalf,” Prinsley says.

Safe Harbor

In one section of the opinion, the Working Party notes that data transfers to U.S. organizations adhering to Safe Harbor principles are lawful; however, it says, “sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.”

Data controllers that are transferring the personal data from the EU to cloud services based in the U.S., for example, should obtain evidence of Safe Harbor self-certification and of compliance with Safe Harbor principles.

“[The opinion] did say, mainly by negative implication, that the Safe Harbor may well be an important protection. … Certainly nothing in it suggests you can’t use the U.S. cloud providers, that there exists a legal showstopper,” says Stewart Baker, partner at Steptoe & Johnson and former assistant secretary for policy at the Department of Homeland Security.

The Working Party also says that additional safeguards “might be advisable” to complement existing Safe Harbor data-security principles, which may not sufficiently address some cloud-specific data-security risks. Similarly, the report is in favor of European Commission-approved standard contractual clauses covering international data transfers but adds that cloud providers could offer customers additional provisions.

Creating BCRs

The Working Party also says that it is developing binding corporate rules (BCRs) for data processors as a global approach to ensuring data protection.

Currently, Prinsley says, only a handful of companies have implemented BCRs addressing cloud computing, and those that have BCRs focus on the data controller rather than the cloud provider.

In light of a growing collection of data-protection guidance in the EU and the U.S., however, the ability of cloud providers to ensure compliance is sure to become an important selling point.

“The existing model terms-type contractual arrangements probably are not sufficient to deal with a global cloud solution, so the idea that there will be some binding corporate rules for data processors is a really good idea,” Prinsley says.