As technology advances, companies are increasingly turning to cloud-based solutions to solve the challenges posed by the increasing costs of traditional infrastructure. However, cloud-based solutions pose their own challenges, particularly where personal data is being stored or accessed from the cloud.
The Data Protection Act 1998 (DPA) governs the processing of personal data in the United Kingdom by data controllers. A data controller is an organization that (either alone, jointly or in common with other persons) determines the way in which personal data is, or will be, processed. A data processor is an organization that processes personal data on behalf of a data controller. Amongst other things, the DPA sets out eight principles which govern the way that personal data can be processed.
Data controllers are responsible for their data processors, and a controller will have to answer to the Information Commissioner (the UK data protection regulator) if a security incident arises as a result of the acts or omissions of its processor.
A processor must be subject to a written contract with the controller which includes certain specific contractual provisions. One of the key requirements is to oblige the processor to put in place appropriate technical and organizational security measures which are at least equivalent to those imposed on a data controller under the DPA. However, having written contracts in place is only part of the picture and the DPA also requires due diligence to be undertaken.
Where an organization engages a cloud services provider it is important to identify whether the cloud provider is a controller or a processor. In most instances, it is likely that the cloud provider will be a processor. The Information Commissioner has issued guidance on this issue which may be helpful in making a more detailed analysis.
The geographical location of the servers used to store personal data is often contentious. Where the servers are based outside of the European Economic Area (EEA), a customer will need to address the eighth data protection principle which, in broad terms, requires adequate safeguards to be in place when personal data is transferred outside the EEA.
There are various means of achieving compliance with this. The most common solutions are either model contract clauses (a series of clauses approved by the European Commission as affording adequate protection) or complying with safe harbor certification (a self-certification scheme available to US corporations).
However, it has historically been difficult to get cloud providers to agree to model contract clauses. Moreover, the European Commission has cast doubt on the level of security actually provided by safe harbor certifications, and some US corporations are not certified. It is often the case that neither of these solutions is feasible.
In addition to the material privacy issues set out above there are additional points which should be considered where an organization is contemplating engaging a cloud provider. Customers should ask themselves: are the liability limits appropriate? Are any audit rights included in the contract? What happens on termination?
In the last year there has been a change in tack by cloud providers who are perhaps starting to recognize that offering greater reassurances around security and privacy gives them a competitive advantage. For example, last year Microsoft had its cloud services contracts reviewed by the EU data protection authorities.
These contracts were reviewed in the context of compliance with principle 8 (see above) and approved in a letter from the Article 29 Working Party as being in line with the model contract clauses. However, the letter makes it clear that the analysis does not cover the appendices which accompany the model contract clauses (the appendices set out the specific details of the relevant transfer).
Uniform standards and certifications also offer a solution to both cloud providers and customers. ISO 27018 (the code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors) establishes a set of international standards which providers should comply with in order to satisfy the legal and regulatory concerns of their customers. Providers who successfully implement these standards can achieve certification, thereby reassuring customers that their privacy is taken seriously.
Whilst the privacy issues faced by cloud providers and customers are challenging, the recent shift in approach by cloud providers is promising and suggests that customers are more likely to be able to resolve infrastructure issues without compromising data security.