Earlier this month, the European Commission’s independent panel on privacy protection published the first draft of an opinion paper on Cloud Computing security and privacy. The group formally known as the “Article 29 Data Protection Working Party” is an independent body commissioned by the European Commission, but their work products aren’t official European Commission opinions. Nonetheless they influence the European Commission’s directives. From what I can tell, their recommendation can be summed up as caveat emptor.
The Article 29 Data Protection Working Party draft opinion summarizes but does not recommend any changes to the current state of the European Unions legal requirements on data protection as outlined in Directive 95/46/EC. The opinion simply notes that it is the “location of [the data controllers'] establishment and the activities it carries out” that triggers the applicability of the European Union’s data privacy directive. If the organization’s main location of activity is in one of the member states, it applies. This is the business as usual that companies have been living with for the past few decades for better or worse.
The Article 29 Data Protection Working Party draft opinion appears to be to define the relationship between cloud service clients and cloud service providers in terms of the European Union’s legal definitions of data controller and data processor as defined in Directive 95/46/EC. According to that Directive, a data controller is “the natural or legal person, public authority, agency or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.” The Directive defines a data processor as “the natural or legal person, public authority, agency or any other body that alone or jointly with others, processes personal data on behalf of the controller.”
The Article 29 Data Protection Working Party Stakes Its Claim
The key “stake in the ground” that this Article 29 Data Protection Working Party makes is that the cloud service client should be legally considered to be the “data controller” and that the cloud service provider should be legally considered to be the data processor. The opinion sums it up like this:
“The client as the controller must accept responsibility for abiding by data protection legislation and is subject to all the legal obligations mentioned in Directive 95/46/EC and 2002/58/EC, where applicable, in particular vis-à-vis data subjects (see 3.3.1). The client should select a cloud provider that guarantees compliance with EU data protection legislation as reflected by the appropriate contractual safeguards”
While this “buyer beware” approach to defining the relationship between the cloud service client and cloud service provider seems almost like stating the obvious, I suspect it has large implications on the ability for cloud service providers to set up shop in European Union member countries. If the Article 29 Data Protection Working Party opinion is adopted and enacted into appropriate directives by the European Commission, this principle provides a certain amount of legal certainty about their obligations and relationships.
Not that the cloud service providers are off the hook in terms of security and privacy responsibilities. For one thing, the Article 29 Data Protection Working Party opinion makes it clear that there are cases where data and information generated while providing services for a client may be considered to be data controlled by the cloud service provider. Off the top of my head things like customer demographic data and usage statistics data come to mind. For these types of data that the cloud service provider collects and uses, it would be considered to be the data controller for that data.
But more to the point, the Article 29 Data Protection Working Party opinion explicitly calls for the cloud service providers to provide all the necessary transparency about their operations and security controls to enable the clients to ensure they are complying with their responsibilities per Directive 95/46/EC:
A key conclusion of this Opinion is that businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis. All cloud providers offering services in the EEA should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service. Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services.
It sounds like a very weak opinion, like an exercise in spending 27 pages of legal text to say “caveat emptor.” But sometimes the most obvious stakes in the ground are the most important.