Firms that use cloud providers that cannot guarantee compliance risk failing to comply with their own legal requirements as 'data controllers', the Article 29 Working Party said.
The Working Party, which is a committee made up of representatives from the 27 data protection authorities in EU member states, said that although organisations, particularly small businesses, lack negotiating power over contracts when signing up to use the services of cloud providers, those firms had to ensure that the providers they use comply with data protection rules.
The watchdog said firms inherently lack control over personal data they are responsible for when using cloud services, and also may not have access to detailed information about how information is processed in the cloud. The Working Party said that cloud computing also poses risks to data security, such as "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures."
However, the Working Party has published an opinion (27-page / 180KB PDF) setting out guidance on what companies can do to meet their own data protection requirements when using cloud services. Its recommendations include advice on how contracts between data controllers and cloud providers and any arrangements between cloud providers and sub-contracted data processors should look.
"The controller must choose a cloud provider that guarantees compliance with data protection legislation," the Working Party said. "Special emphasis must be placed on the features of the applicable contracts – these must include a set of standardised data protection safeguards ... as well as on additional mechanisms that can prove suitable for facilitating due diligence and accountability," it added.
Organisations that contract with cloud providers to store personal data have responsibility for that information as 'data controllers', the Working Party said. Cloud providers do not become controllers of the data just because they may choose on behalf of their clients "the methods and the technical or organisational measures" to ensure that data processed in the cloud for the purposes identified is legally compliant, it added. Cloud providers will be considered processors of the data when they supply "the means and the platform" for that processing to take place.
The Working Party acknowledged that there may be some circumstances where cloud providers could be considered as data controllers, such as if they start processing personal data for their "own purposes". Data controllers are more responsible for data protection compliance than data processors.
In situations where there are multiple data controllers in the cloud, "compliance with data protection rules and responsibilities for possible breach of these rules must be clearly allocated, in order to avoid that the protection of personal data is reduced or that a 'negative conflict of competence' and gaps arise whereby some obligations or rights stemming from the [EU Data Protection] Directive are not ensured by any of the parties," it said.
The Working Party said that safeguards could avert risks of non-compliance with data protection laws and be written into the contracts between data controller clients and cloud providers. Those contracts should detail how cloud providers would keep personal data secure, how access to the information would be restricted and enable the controller to monitor the providers' data protection compliance, among other things, it said.
Under the EU's Data Protection Directive personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and generally it can only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".
Because cloud data processing often involves multiple sub-contractors, data controllers should draft contracts with cloud providers requiring those providers and sub-processors to record and audit their processing of personal data, the Working Party said. This would help ensure that data is not processed for purposes other than those originally agreed, it said.
Cloud providers that wish to sub-contract processing activities out to others must obtain the consent from the client data controller in order for it to do so, the watchdog said in its opinion. The providers must inform data controller clients who the sub-contractors are and provide further information "detailing the type of service subcontracted, the characteristics of current or potential sub-contractors and guarantees that these entities offer to the provider of cloud computing services to comply with [EU data protection laws]."
The contracts between cloud providers and sub-contractors should set out the sub-contractors' duties to comply with the data protection "stipulations" agreed between the provider and the data controller, the Working Party added, so that the controller can obtain legal recourse for any breaches of contract. Processors within the cloud chain that process personal data for incompatible purposes will be considered as data controllers and could be held liable by individuals for an infringement of their rights, it said.
Under EU data protection rules, personal data can only be kept in a form that can lead to individuals being identified for a period that is necessary to achieve the purposes for which it was collected or for which they are further processed. In a cloud computing context, the Working Party said that this meant that personal data must be deleted from the different servers on which it may be stored when it is no longer needed. The data must be "erased irretrievably" through deletion or from making the data "truly anonymised."
This erasure practice should apply to "previous versions [of personal data], temporary files and even file fragments," it added.
Personal data in the cloud must be available in a "timely and reliable" fashion, so data controllers should "check whether the cloud provider has adopted reasonable measures to cope with the risk of disruptions, such as backup internet network links, redundant storage and effective data backup mechanisms," the Working Party said. Data controllers should also check that cloud providers can maintain the "integrity" of personal data and prevent it from being "maliciously or accidentally altered during processing, storage or transmission".
Personal data must be encrypted when it is "in transit" to ensure that it is kept confidential, and, wherever possible, when the data is "at rest", the Working Party said. It admitted that if personal data is processed in the cloud itself, it may not be possible to encrypt the information, but said other protections, such as using "authorization mechanisms and strong authentication" should be deployed in those instances to restrict who can access the information.
The Working Party said that restrictions should be utilised by cloud providers to prevent companies and users using its services from accessing all cloud-stored data to help ensure that personal information is only processed for legitimate purposes. Cloud providers should also be able to guarantee to data controllers that information they store is portable, it added.
"Preferably, the provider should make use of standardised or open data formats and interfaces," the Working Party said. "In any event, contractual clauses stipulating assured formats, preservation of logical relations and any costs accruing from the migration to another cloud provider should be agreed on."
It is also of "paramount importance" to data controllers' compliance with data protection laws that cloud providers are able to "provide reliable monitoring and comprehensive logging mechanisms" over what processing activity has taken place, the watchdog said. Those providers should also be able to show "documentary evidence of appropriate and effective measures that deliver the outcomes of the data protection principles," it added.
The Working Party also outlined what organisations should do to ensure their cloud providers comply with EU rules on international data transfers.