The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public clouds with seven key steps, summarized below, to be followed by cloud customers:
1. Identify the types of data and the data processing that could go to a cloud provider, particularly focusing on personal data, sensitive personal data (as defined by the 95/46 EC Directive) as well as data that are strategic for the customer. The purpose of this identification phase is to determine whether certain data should be subject to additional safeguards when being processed by the cloud provider or should simply be excluded from the cloud services (e.g. under French law, only approved providers may store health-related data).
2. Determine security requirements from a legal (e.g. localization of the data), technical (e.g. interoperability with the existing system) and practical (e.g. reversibility and data portability) standpoint. The purpose of this exercise is to collate the information needed to benchmark the services provided by different cloud providers so as to choose the one with security levels that meet your needs.
3. Undertake a risk analysis so as to ensure an adequate level of security. The CNIL points out that the main risks for a cloud customer include loss of control over the data processing, technological dependency, unauthorized access, access requests by foreign authorities, availability issues and disappearance of the provider (e.g. through insolvency). The CNIL recommends that, where applicable, such risks be addressed in the contract entered into between the customer and provider and be subject, for some, to contractual penalties.
4. Identify the right cloud offering (Saas, PaaS, or IaaS, private, public or hybrid cloud solutions) based on the findings and conclusions of steps 1 to 3 above (e.g. public IaaS cloud solution for the website of the company, and private SaaS cloud solution for emails).
5. Choose the right cloud provider with sufficient service level and privacy guarantees. First, this involves determining whether the cloud provider will act as a data processor (with the result that the cloud customer will bear full responsibility for the compliance of the data processing with French law) or as joint data controller. While the CNIL admits that cloud providers should generally be regarded as processors, it states that the provider will be a joint controller if it exclusively determines the technical means, leaving no real leverage for the customer to negotiate them (these considerations are not new — the CNIL had already outlined them in a former recommendation relating to cross-border transfer of data). In cases where the provider acts as joint controller, the CNIL recommends that the customer be responsible for the necessary filing with the CNIL and for providing the data subjects with information notices, while the customer and provider should both be responsible for implementing the confidentiality and security measures. In any event, the CNIL remains at liberty to re-qualify the relationship regardless of what is stated in the contractual provisions. Secondly, the CNIL imposes an obligation to include certain essential elements in the cloud computing contract. For the CNIL, this includes contractual provisions addressing, among other things, how complaints will be dealt with, notification of unauthorized access, a duty of cooperation with the data protection authorities, audit rights, requirements as to the location of the data, SLAs with penalties, etc. The working document contains a list of recommended contractual clauses setting out these essential elements.
6. Revisit customer’s IT security policy in light of the conclusions of the risk analysis conducted in step 3 above.
7. Update the risk analysis regularly.