The Article 29 Working Party (WP29) adopted - on 1 July 2012 - Opinion 05/2012 on Cloud Computing, clarifying the responsibilities of cloud clients and cloud providers, and detailing which standard provisions it would expect to see in a contract between clients and providers, among others. The aim of the Opinion is to tackle what the WP29 considers to be the two main privacy risks in cloud computing: the lack of control over personal data and the absence of transparency.

''The Opinion clarifies that, in general, the relationship between the cloud client and provider must be construed as a relationship between a data controller and a data processor respectively'', said Pablo Rivas Virgos, Senior Associate at Hogan Lovells Madrid. ''However, providers may be regarded as controllers where they use the data for their own purposes, for example''.

The WP29 states that although cloud clients may not have room for manoeuvre in negotiating the contractual terms of use, 'it is ultimately the client who decides on the allocation of part or the totality of processing operations to cloud services for specific purposes'. As they are therefore considered to be data controllers, businesses are responsible for ensuring that the cloud provider has adequate security measures in place; the WP29 advises businesses perform a risk assessment prior to engaging with any cloud provider. The recommended contractual safeguards must stipulate the security measures the cloud provider must comply with, and the controller's rights to monitor.

Jason Currill, CEO of cloud provider Ospero, told DataGuidance: ''The Opinion represents a shift in the duty of care towards the cloud client as the data controller. On the whole, we welcome the Opinion as it is certainly easier than 27 variations of the law''.

In its Opinion, the WP29 stated that independent verification or certification by a reputable third party could be a credible method for providers to demonstrate their compliance to with their obligations to clients. Conor Ward, Partner at Hogan Lovells International LLP and Chair of the Cloud Industry Legal Forum (CILF), told DataGuidance: ''The Working Party's Opinion has highlighted a number of issues which the Cloud Industry Forum (CIF) has been keen to see addressed, many of which are covered in its Code of Practice as well as its guide to best practice on Contracting Cloud Services, including the role that independent verification and certification by a reputable third party. A core feature of CIF's Code of Practice is the importance of suppliers providing full transparency to clients''.

The contractual safeguards outlined in the Opinion also detail the minimum level of information that cloud providers are expected to give to businesses. This includes providers' responsibilities to notify the client of data breaches, provide a list of locations in which the data may be processed, as well as a general obligation to give assurance that its internal data processing arrangements are compliant with applicable national and international legal requirements and standards.

Marco Leone, Associate at DLA Piper Italy, highlighted the problem of applicable law: ''According to the WP29, if a cloud client is established outside the EEA, but commissions a cloud provider located in the EEA, then the EU national law of the cloud provider will apply to the non-EU cloud client. Such an approach may have a material and detrimental impact on the EU cloud market, especially for those cloud providers who are established in jurisdictions like Italy that traditionally have national laws which are stricter than EU directives. In my opinion, in order to mitigate such economic adverse effect, EU cloud providers should only comply with the instructions given by the non-EU cloud client, therefore applying the laws of the country where the client is established''. In particular, Currill stated this requirement could lead to 'forum shopping' where businesses based in third countries such as the USA will contract with providers in EU countries with kinder laws.

''In light of this new Opinion, all cloud computing providers should immediately modify their data processing agreements as each cloud client operating in the EU will ask for these changes'', said Luca Bolognini, President of the Italian Institute for Privacy and scientific member of the European Privacy Association. ''The actual risk for cloud computing providers not complying with these provisions could be their de facto exclusion from the European cloud market in addition to public procurement''.

Alex Bryant
alex.bryant@dataguidance.com

UK: OFT and ICO jointly scrutinise privacy policies

UK: FCA consults on data collection

Ireland: Data Protection Commissioner 2012 Annual Report - Key Highlights

EU: BCR Webinar: Top 5 takeaways

EU: Soundbites from the EU Parliament seminar on the data reform

EU: WP29 clarifies DPAs' expectations of BSPRs

EU: 'Three possible dates' put forward for the LIBE vote on data proposals

USA: Data brokers urged to review privacy practices after FTC warnings

USA: NLRB: blanket confidentiality rule during employee investigations 'invalid'

China: MIIT draft rules expand telecoms & IISP obligations

Singapore: Personal Data Protection Commission to launch May 2013