The UK Information Commissioner’s Office (“ICO”) has released guidance on the use of cloud computing (the “Guidance”). This Guidance follows the long-awaited opinion of the EU Article 29 Data Protection Working Party (“WP 29”) (Opinion 05/2012 on Cloud Computing (the “WP 29 Opinion”)) issued in July 2012, which stresses that control and transparency are key to ensuring that the cloud customer, as data controller, can meet its obligations under data protection legislation.
The Guidance recognizes that a shift towards greater use of cloud computing is already underway, but stresses the importance of cloud customers taking the time to understand the risks that cloud computing may present. The Guidance also recommends that cloud providers use the Guidance to make their services more attractive to customers.
The Guidance explains the different types of cloud computing deployment models (private cloud, community cloud, public cloud and hybrid cloud) and discusses the various service models (infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)).
The Guidance then considers how the UK Data Protection Act applies to cloud services. The clear message is that there is no “cloud exemption”: the Data Protection Act must be complied with, and it is the cloud customer who will be responsible for ensuring compliance.
The Guidance also discusses the highly topical question of cloud providers complying with requests for information from foreign law enforcement agencies (e.g. under the US Patriot Act). The Guidance takes a very pragmatic approach, and states that ICO enforcement action is unlikely if the disclosure was made in accordance with a legal requirement.
The Guidance contains a checklist under the headings of Risks, Confidentiality, Integrity, Availability and Legal, and will be very helpful in providing data users with a framework for considering data protection compliance when moving towards using the cloud. It sets out practical issues to consider and, along with the WP 29 Opinion, provides a valuable road map to cloud compliance. The WP 29 Opinion contains a list of fourteen specific issues (such as audit rights and an obligation to notify the customer of law enforcement data access requests) which it recommends the cloud customer should include in its contract with the cloud provider to provide “legal certainty.”
In summary, the message from the Guidance and the WP 29 Opinion is very clear: cloud customers and cloud providers, in particular those providing services from outside the EEA, should carefully review their current contractual terms and conditions, and adapt their practices to comply with the guidance set forth in these documents. The enforcement risk for cloud customers was highlighted in the UK recently when the ICO imposed a £250,000 fine on a data controller that had failed to make the necessary security checks and to put in place a suitable contract with its service provider.
Cloud users should review the Guidance carefully. Cloud customers are likely to expect providers to respond to the Guidance, and cloud providers that do not recognize, and adapt to, the Guidance may risk losing market share to compliant providers. Although not referred to in the Guidance, the development of Processor Binding Corporate Rules (BCRs) (see WP 29 Working Document 02/2012, issued in June 2012) will be helpful in offering cloud providers the opportunity to develop more flexible, compliant cloud service delivery models.