On 1 July 2012 the Article 29 Working Party (WP29) adopted Opinion 05/2012 on Cloud Computing, which clarifies the respective responsibilities of cloud clients and cloud providers and sets out, among other things, the standard provisions it would expect to see in a contract between them. The aim of the Opinion is to tackle what the WP29 considers to be the two main privacy risks in cloud computing: the lack of control over personal data and the absence of transparency.
''The Opinion clarifies that, in general, the relationship between the cloud client and provider must be construed as a relationship between a data controller and a data processor respectively'', said Pablo Rivas Virgos, Senior Associate at Hogan Lovells Madrid. ''However, providers may be regarded as controllers where they use the data for their own purposes, for example''.
© 2013 Cecile Park Publishing Ltd. All rights reserved
Jason Currill, CEO of cloud provider Ospero, told DataGuidance: ''The Opinion represents a shift in the duty of care towards the cloud client as the data controller. On the whole, we welcome the Opinion as it is certainly easier than 27 variations of the law''.
In its Opinion, the WP29 stated that independent verification or certification by a reputable third party could be a credible method for providers to demonstrate their compliance with their obligations to clients. Conor Ward, Partner at Hogan Lovells International LLP and Chair of the Cloud Industry Legal Forum (CILF), told DataGuidance: ''The Working Party's Opinion has highlighted a number of issues which the Cloud Industry Forum (CIF) has been keen to see addressed, many of which are covered in its Code of Practice as well as its guide to best practice on Contracting Cloud Services, including the role of independent verification and certification by a reputable third party. A core feature of CIF's Code of Practice is the importance of suppliers providing full transparency to clients''.
The contractual safeguards outlined in the Opinion also detail the minimum level of information that cloud providers are expected to give to businesses. This includes providers' responsibilities to notify the client of data breaches and to provide a list of the locations in which the data may be processed, as well as a general obligation to give assurance that their internal data processing arrangements comply with applicable national and international legal requirements and standards.
Marco Leone, Associate at DLA Piper Italy, highlighted the problem of applicable law: ''According to the WP29, if a cloud client is established outside the EEA, but commissions a cloud provider located in the EEA, then the EU national law of the cloud provider will apply to the non-EU cloud client. Such an approach may have a material and detrimental impact on the EU cloud market, especially for those cloud providers who are established in jurisdictions like Italy that traditionally have national laws which are stricter than EU directives. In my opinion, in order to mitigate such economic adverse effect, EU cloud providers should only comply with the instructions given by the non-EU cloud client, therefore applying the laws of the country where the client is established''. Currill likewise stated that this requirement could lead to 'forum shopping', where businesses based in third countries such as the USA contract with providers in EU countries with kinder laws.
''In light of this new Opinion, all cloud computing providers should immediately modify their data processing agreements as each cloud client operating in the EU will ask for these changes'', said Luca Bolognini, President of the Italian Institute for Privacy and scientific member of the European Privacy Association. ''The actual risk for cloud computing providers not complying with these provisions could be their de facto exclusion from the European cloud market in addition to public procurement''.