Following the example of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or CNIL), the Spanish Data protection Authority (Agencia Española de Protección de Datos or AEPD) has opened a public consultation on cloud computing to learn the opinions and experiencse of service providers and users.

Interested parties have until January 27 to submit their comments. This public consultation is an good opportunity to enhance the AEPD's understanding of problems on data protection arising from cloud computing and may also help the AEPD find viable solutions and alternatives for data protection compliance within the cloud computing encironment.   

Interested parties can participate in the public consultation by fulfilling and online form (in Spanish) accessible by the AEPD's website, www.agpd.es.

We will keep you posted on the conclusions of this public consultation of the AEPD.

• Towards a new legal framework for data protection.  The European Commission has almost finalized its proposal for a new legislative framework, a draft of which was disclosed last month and which is likely to be published by the end of January.  Hustinx will issue an opinion on the legislative proposal in early 2012, closely follow the review process, and continue to fulfill his advisory role throughout the legislative process by intervening at the appropriate stages.
• Technological developments and the Digital Agenda, IP rights, and Internet.  Of the European Commission's work in the area of new technologies, Hustinx will focus on the policy issues of Internet monitoring, IP enforcement, and takedown procedures (focusing on IP rights and privacy); cloud computing services (focusing on jurisdictional issues); e-Health; and a pan-European framework for electronic identification, authentication, and signature (focusing on e-security and privacy by design).
• Further developing the Area of Freedom, Security, and Justice.  The items in this area at the top of Hustinx's agenda are immigration, border control, anti-terrorism, and internal security strategy, focusing on ensuring the right balance between privacy and security.
• Financial sector reform.  Hustinx plans to issue a package of opinions on data protection issues with legislative proposals concerning the regulation and supervision of financial markets and actors, including the legislative package for the revision of the banking legislation; the market abuse regulation; the regulation and the directive on markets in financial instruments; and the revision of the credit rating agencies regulation.

Hustinx also identified trends of focus for 2012, which include:

• Employment of effective information-gathering and investigative tools by administrative authorities (both EU and national).
• Significant exchanges of information between national authorities, quite often involving EU bodies and large-scale databases (with or without a central part) of increasing size and processing power.
• Developments in the field of technology, mainly due to the widespread use of the Internet and geolocation technologies.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, focusing on monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.  Hustinx is serving a five-year term as the EDPS, which expires in 2013.

For a place at the event, please send an e-mail to the the address below dcrsvp@microsoft.com

The CNIL’s consultation focuses on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security.

The consultation process opened on 17 October 2011 and input is sought from the public.

Turning specifically to the five areas of focus:

(i) definition of cloud computing: the CNIL suggests a definitional approach based on the main functional characteristics of various cloud computing services ;

(ii) role of the parties: the CNIL analyzes the role of the customer and service provider as data controller and data processor, respectively. According to the CNIL, the customer should always be regarded as a data controller. The role of the service provider might vary; the service provider could be a data processor or in some cases a co-controller.

(iii) applicable law:  one of the stickiest issues relates to applicable law. If the controller (in most cases the cloud customer) is established in France, French law would apply. But the situation is more complex where the controller is located outside of France and uses a cloud service provider with servers in France.  Note that in a March 2011 decision, the CNIL decided to exempt companies established outside the European Union and using processors based in France from notifying their processing when the processing relates the processing of human resources data or client and prospects data.

(iv) international transfers: most cloud services do not have a fixed location. Rules on international transfers of personal data are therefore difficult to apply. The CNIL suggests a two-fold approach, applying both legal and technical safeguards to international transfers. From a legal standpoint, the CNIL recommends the implementation of Standard Contractual Clauses in service providers' agreements, but also launches the idea of developing "Processor Binding Corporate Rules" or "Processor BCRs". Technically, service providers should apply security measures and data minimization (e.g. through the use of metadata) before data are transferred internationally;

(v) data security: the CNIL recommends the inclusion of security requirements in cloud computing agreements, while noting that customers are not always in a position to impose these requirements.

Interested parties have until November 17 to submit their comments. This consultation is an excellent way to enhance the French DPA’s understanding of cloud computing and propose technical solutions that may mitigate data protection risks.

The public consultation paper can be found (in French) here. 

The German data protection authorities on September 26, 2011 adopted an "Orientation guide – cloud computing."  The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services (“customers”) and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.

Full control by the customer

The guide emphasizes that German cloud computing customers are data controller and therefore are responsible for the "cloud's" compliance with all data protection requirements under German law. This means the customer needs to know the identity not only of his immediate cloud computing service provider, but of all sub-processors involved in the cloud computing services. The agreement with the immediate cloud computing service provider must contain duties to disclose these sub-processors, and certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis such sub-processors, and all locations of data processing. The customer is required to safeguard data subjects’ rights. Examples of how this is achieved include having liquidated damages and penalties in the cloud agreement, and ensuring that data subjects' rights (for instance the right to access, to correct or to have the data deleted) are observed by all cloud service providers. To the extent that the service also includes locations outside the European Economic Area (EEA), the customer may not only rely on using the EU Model Clauses, but must enter into an additional data processing agreement with control and audit provisions, which are mandatory under German data protection law.

Sensitive data in the cloud

The guide gives specific attention to sensitive data. Under German data protection law, the transfer of sensitive data like health data, trade union affiliation, or religious beliefs cannot be justified by a balance of interest test (see, e.g., Art. 7(f) of the EU Data Protection Directive, which provides a legal basis for processing non-sensitive data as necessary for a controller’s legitimate interests unless the interests are outweighed by the fundamental rights and freedoms of the data subject; see also § 28 of the German Federal Data Protection Act). Instead, the transfer of sensitive data can only be justified by the data subject's consent or other very specific exceptions. For any intra-EEA-cloud, this is not an issue since an EEA-located data processor following the data controller's instructions is not considered a third party to which data are transferred. The case is different for any provider located outside the EEA: This is a "third party" to whom the personal data are "transferred", and thus, any use of such cloud for sensitive data cannot be justified by a balance of interest.

Safe Harbor and the cloud

The German DPAs are repeating their careful approach to Safe Harbor certifications. A customer may not rely solely on the service provider's assurance with regard to any Safe Harbor certification. Instead, the customer needs to certify the validity and the applicability (for the relevant type of data) of the provider's Safe Harbor certification at least on the Safe Harbor website. If the customer wants to transfer employee data to the U.S. in the cloud computing environment, the customer also has to verify that the service provider has accepted to cooperate in investigations by, and to comply with the advice of, competent EU authorities. This requirement is reflected in the Safe Harbor FAQs (question 9, section 4).

Relevance of technical safeguards

The guide deals with technical issues and security measures and specific threats for data protection principals by cloud computing services in detail. The guide frequently addresses transparency for customers and data subjects regarding the location of the data processing, and the identity of the service providers involved (even as subcontractors). The guide highlights the problem of the reliable deletion of the data in the view of the vast storage resources of cloud computing services providers, regular back-up services, and the easy copying and global transferring of data in broadband networks. The guide emphasizes that personal data for different clients need to be securely separated. The guide also raises the concern of the potential access to personal data by state authorities beyond what is accepted in the EEA, and views this as a relevant consideration by a customer when deciding on the service provider. Customers need to address security against illegal access to the data, but also the portability of the data in case of their service provider's insolvency or in case of a termination of the contract.

Conclusion

The guide does not contain revolutionary approaches to the difficult question of how to harmonize the benefits of cloud computing with the legitimate objective to ensure compliance with German data protection requirements. However, it is a clear statement that German DPAs do not compromise on sometimes very strict requirements even for globally standardized services. The guide supports the role of intra-EU/EEA cloud computing service providers and those services that are reliable and highly transparent regarding to the location of the data processing and the identity of any subcontractors used in these services.

Both customer and providers of cloud computing services with an interest in the German market should now review their standard agreements for compliance with the requirements published by the German DPAs.

The paper is published in German can be found here.

After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly covers a broad range of issues linked to data protection, including specific recommendations on EU privacy law reform.   Hogan Lovells partner Winston Maxwell testified before the parliamentary commission and the commission cited Winston's testimony in connection with the commission's recommendations on the "right to be forgotten," privacy by design, and net neutrality.

The parliamentary commission found that the "right to be forgotten," while an attractive concept, covers a broad range of different situations, and that the key element of the "right to be forgotten," ie. that individuals have a right to access and to require the deletion of personal data about them, is already covered by existing law.   Citing Maxwell's testimony, the commission concluded that the creation of a new "right to be forgotten" does not appear necessary from a legal standpoint. On the issue of privacy by design, the commission recommended that Europe invest heavily in privacy-enhancing technology, and use privacy by design to create competitive edge for European industry.    

The commission issued several recommendations on cloud computing, including a startling suggestion that future legislation should prohibit cloud services located outside the EU from storing sensitive data, such as health data, genetic data, data about children, and financial data. Prohibiting cloud services based outside the EU from handling sensitive data could create a major barrier to the development of cloud computing for the financial services industry and health care industry. The commission also recommended that cloud service providers be required to conduct security audits, and that French and European authorities conduct impact assessments on the risks of cloud computing conducted outside the EU. 

The commission recommended that the Article 29 Working Party be given a budget and personnel of its own in order to ensure the group's independence. Echoing recommendations of the European Commission, the parliamentary commission urged reform of the rules on applicable law, citing diverging court decisions in France on the question of whether French data protection rules apply to Google.  

In an unexpected twist, the French parliamentary commission supported the use of a European Regulation in reforming European privacy rules, so as to ensure proper harmonisation of rules throughout Europe. This recommendation seems surprising coming from members of parliament because national parliaments generally want to maintain freedom to interpret EU rules, and a Directive, as opposed to a Regulation, gives Member States this freedom. Finally, the parliamentarians urge the French government to initiate diplomatic action to encourage the adoption of a new international treaty on data protection, under the auspices of the United Nations. The parliamentary commission echoed remarks of Hogan Lovells partner Christopher Wolf made at the eG8 conference in Paris, finding it highly regrettable that the eG8 had been organized without inviting a single data protection authority to speak.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.

On February 2, 2011, as part of its broader effort to encourage cloud computing for federal agencies, NIST announced a new cloud computing Wiki to enable industry-NIST collaboration and published three significant cloud computing documents. The documents separately address (1) security and privacy in public cloud computing, (2) the definition of cloud computing, and (3) a guide to security for virtualization technologies. For cloud providers, the most important is NIST’s draft Guidelines on Security and Privacy in Public Cloud Computing (the "Guidelines").  

The comprehensive 60-page Guidelines focus on identifying trouble spots that arise from using cloud providers and articulating an analytical framework to address them. Four overarching themes emerge: (1) moving data to the cloud does not relieve an organization from its privacy or data security obligations; (2) cloud computing complicates security because it adds layers of technology (and thus complexity and new avenues of attack) and strips the data owner of control over its data; (3) to the extent practicable, organizations should seek the same or better security on the cloud as in-house; and (4) cloud computing therefore requires a deliberative approach by organizations and unprecedented levels of trust between them and cloud providers. 

The Guidelines emphasize terms of service as a tool to deal with privacy and security challenges. Despite recognizing that many cloud providers offer only non-negotiable terms of service (and the cost-saving benefits that go with them), the draft guidelines offer a number of recommendations about what the terms of service should contain, including:

• “A detailed description of the service environment, including facility locations and applicable security requirements”
  • disclosure of any third party arrangements or nested cloud services (where a cloud provider stores customer data on another cloud provider’s system)
  • a prompt reporting requirement of breaches involving both information held for an organization and information held about an organization
• “Policies, procedures, and standards, including vetting [of staff] and management of staff”
• “The process for assessing the cloud provider’s compliance with service level agreements, including audits and testing”
• “Specific remedies for noncompliance or harm caused by the provider”
• “Procedures, protections, and restrictions for commingling organizational data and handling sensitive data”
• That the organization retains data ownership over all its data and the cloud provider acquires “no rights or licenses . . . to use the data for its own purposes”
• The provider’s obligations on contract termination
• That the contract should not be subject to unilateral amendment by the provider

NIST also released The NIST Definition of Cloud Computing (Draft) and its final Guide to Security for Full Virtualization Technologies. In the first, NIST formally adopts its working definition of cloud computing and asks for comments on whether it should be modified. In the second, NIST catalogues security risks for full virtualization and offers recommendations to address them. Virtualization is a core enabling technology that uses a layer of software to run multiple operating systems and applications on the same hardware. This allows cloud providers to maximize server resources.  The recommendations focus on the need to secure each component, especially the hypervisor, which is the software “conductor” that runs the virtual environment. NIST recommends securing the hypervisor by, for example, continuous monitoring, restricting administrative access, and disabling unnecessary tools. 

All three documents have the potential to shape how federal agencies and private-sector companies approach cloud computing and negotiating terms of service with cloud providers.  Comments on the draft documents are due on February 28, 2011.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.

On February 2, 2011, as part of its broader effort to encourage cloud computing for federal agencies, NIST announced a new cloud computing Wiki to enable industry-NIST collaboration and published three significant cloud computing documents. The documents separately address (1) security and privacy in public cloud computing, (2) the definition of cloud computing, and (3) a guide to security for virtualization technologies. For cloud providers, the most important is NIST’s draft Guidelines on Security and Privacy in Public Cloud Computing (the "Guidelines").  

The comprehensive 60-page Guidelines focus on identifying trouble spots that arise from using cloud providers and articulating an analytical framework to address them. Four overarching themes emerge: (1) moving data to the cloud does not relieve an organization from its privacy or data security obligations; (2) cloud computing complicates security because it adds layers of technology (and thus complexity and new avenues of attack) and strips the data owner of control over its data; (3) to the extent practicable, organizations should seek the same or better security on the cloud as in-house; and (4) cloud computing therefore requires a deliberative approach by organizations and unprecedented levels of trust between them and cloud providers. 

The Guidelines emphasize terms of service as a tool to deal with privacy and security challenges. Despite recognizing that many cloud providers offer only non-negotiable terms of service (and the cost-saving benefits that go with them), the draft guidelines offer a number of recommendations about what the terms of service should contain, including:

• “A detailed description of the service environment, including facility locations and applicable security requirements”
  • disclosure of any third party arrangements or nested cloud services (where a cloud provider stores customer data on another cloud provider’s system)
  • a prompt reporting requirement of breaches involving both information held for an organization and information held about an organization
• “Policies, procedures, and standards, including vetting [of staff] and management of staff”
• “The process for assessing the cloud provider’s compliance with service level agreements, including audits and testing”
• “Specific remedies for noncompliance or harm caused by the provider”
• “Procedures, protections, and restrictions for commingling organizational data and handling sensitive data”
• That the organization retains data ownership over all its data and the cloud provider acquires “no rights or licenses . . . to use the data for its own purposes”
• The provider’s obligations on contract termination
• That the contract should not be subject to unilateral amendment by the provider

NIST also released The NIST Definition of Cloud Computing (Draft) and its final Guide to Security for Full Virtualization Technologies. In the first, NIST formally adopts its working definition of cloud computing and asks for comments on whether it should be modified. In the second, NIST catalogues security risks for full virtualization and offers recommendations to address them. Virtualization is a core enabling technology that uses a layer of software to run multiple operating systems and applications on the same hardware. This allows cloud providers to maximize server resources.  The recommendations focus on the need to secure each component, especially the hypervisor, which is the software “conductor” that runs the virtual environment. NIST recommends securing the hypervisor by, for example, continuous monitoring, restricting administrative access, and disabling unnecessary tools. 

All three documents have the potential to shape how federal agencies and private-sector companies approach cloud computing and negotiating terms of service with cloud providers.  Comments on the draft documents are due on February 28, 2011.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.

On February 2, 2011, as part of its broader effort to encourage cloud computing for federal agencies, NIST announced a new cloud computing Wiki to enable industry-NIST collaboration and published three significant cloud computing documents. The documents separately address (1) security and privacy in public cloud computing, (2) the definition of cloud computing, and (3) a guide to security for virtualization technologies. For cloud providers, the most important is NIST’s draft Guidelines on Security and Privacy in Public Cloud Computing (the "Guidelines").  

The comprehensive 60-page Guidelines focus on identifying trouble spots that arise from using cloud providers and articulating an analytical framework to address them. Four overarching themes emerge: (1) moving data to the cloud does not relieve an organization from its privacy or data security obligations; (2) cloud computing complicates security because it adds layers of technology (and thus complexity and new avenues of attack) and strips the data owner of control over its data; (3) to the extent practicable, organizations should seek the same or better security on the cloud as in-house; and (4) cloud computing therefore requires a deliberative approach by organizations and unprecedented levels of trust between them and cloud providers. 

The Guidelines emphasize terms of service as a tool to deal with privacy and security challenges. Despite recognizing that many cloud providers offer only non-negotiable terms of service (and the cost-saving benefits that go with them), the draft guidelines offer a number of recommendations about what the terms of service should contain, including:

• “A detailed description of the service environment, including facility locations and applicable security requirements”
  • disclosure of any third party arrangements or nested cloud services (where a cloud provider stores customer data on another cloud provider’s system)
  • a prompt reporting requirement of breaches involving both information held for an organization and information held about an organization
• “Policies, procedures, and standards, including vetting [of staff] and management of staff”
• “The process for assessing the cloud provider’s compliance with service level agreements, including audits and testing”
• “Specific remedies for noncompliance or harm caused by the provider”
• “Procedures, protections, and restrictions for commingling organizational data and handling sensitive data”
• That the organization retains data ownership over all its data and the cloud provider acquires “no rights or licenses . . . to use the data for its own purposes”
• The provider’s obligations on contract termination
• That the contract should not be subject to unilateral amendment by the provider

NIST also released The NIST Definition of Cloud Computing (Draft) and its final Guide to Security for Full Virtualization Technologies. In the first, NIST formally adopts its working definition of cloud computing and asks for comments on whether it should be modified. In the second, NIST catalogues security risks for full virtualization and offers recommendations to address them. Virtualization is a core enabling technology that uses a layer of software to run multiple operating systems and applications on the same hardware. This allows cloud providers to maximize server resources.  The recommendations focus on the need to secure each component, especially the hypervisor, which is the software “conductor” that runs the virtual environment. NIST recommends securing the hypervisor by, for example, continuous monitoring, restricting administrative access, and disabling unnecessary tools. 

All three documents have the potential to shape how federal agencies and private-sector companies approach cloud computing and negotiating terms of service with cloud providers.  Comments on the draft documents are due on February 28, 2011.