The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller. The CNIL says that a cloud provider will generally be considered the data processor, but that the provider will become joint controller with the customer if the cloud customer lacks any real autonomy in the negotiation of the contract and in defining how the data are processed.
If the cloud customer is not able to give instructions to the cloud provider and must accept the cloud provider’s proposal "as is," the CNIL will consider the cloud provider as joint controller, jointly liable with the customer for compliance with French data privacy laws. The CNIL’s guidelines indicate that providers of private clouds will generally be deemed processors, but that providers of public SaaS or PaaS cloud services will often be deemed joint controllers. Where a cloud provider is joint controller, the CNIL recommends that the contract divide responsibilities between customer and provider as follows:
| Where cloud provider is joint controller: | Filing obligations | Duty to inform data subject | Confidentiality and security obligation | Data subject's right of access |
| --- | --- | --- | --- | --- |
| Responsibility | Customer responsible | Customer responsible | Customer and cloud provider both responsible | Customer responsible with assistance of cloud provider |
The CNIL's guidelines contain seven recommendations for cloud customers and a list of recommended contractual clauses. Part of the CNIL's objective is to raise awareness among small and medium-sized businesses that they should have more say in how their data are treated under cloud contracts. The CNIL's seven recommendations are:
1. Clearly identify the data and the processing that will be entrusted to the cloud provider. The CNIL points out that certain kinds of data are subject to special requirements, citing the example of health data, which can only be stored by a cloud provider licensed by the French Ministry of Health.
2. Ensure that the customer defines its own requirements on the technical and legal security aspects of the processing, including the localization of the data, reversibility and data portability.
3. Undertake a risk analysis to ensure that the customer is getting the right level of security. The CNIL recommends that businesses refer to the guidelines of ENISA when conducting this risk analysis.
4. Be sure to identify the right kind of offer that is appropriate for a cloud customer’s business: SaaS, PaaS, or IaaS, public, private or hybrid cloud solutions.
5. Choose a cloud provider with sufficient service and privacy level guarantees. This involves first determining whether the cloud provider will be a "processor" or "joint controller." Second, the CNIL lists "essential elements" that should appear in the cloud contracts, including the prohibition (or not) of using sub-processors, audit provisions, data retention rules, geographic location of servers, including whether data should be restricted to a European cloud, ISO 27001 certification, reversibility, data portability, etc.
6. The customer should rethink its own IT security policy. The CNIL says that a business’s use of cloud services may impact the customer’s own IT policy, such as rules on authentication of users, and employees’ use of mobile devices to access the employer’s network.
7. Update the risk analysis regularly.
The CNIL says that it will welcome the introduction of binding corporate rules (BCRs) for processors, which will facilitate cloud providers’ ability not only to transfer data throughout their cloud infrastructure.
The CNIL proposes twenty-three model clauses that can be used in cloud contracts. The CNIL's model clauses allow cloud customers to require that their data remain in Europe. The CNIL points out that when the cloud provider is located in a non-European country, "local government authorities can send requests to the provider to have access to the data." The CNIL's model clauses also contain obligations requiring the cloud provider to inform the customer immediately of any request by a government authority. The CNIL's guidelines unfortunately fail to state that government authorities within Europe can also request access to data, and that in many cases, including in Europe, providers are prohibited by law from informing their customers that a government request has occurred. The CNIL refers to the US Patriot Act as an example of the risks that can arise when entrusting data to a US-based cloud provider.
But Hogan Lovells’ white paper on government access to data in the cloud shows that most governments in Europe also have legislation permitting government access to cloud data, and that government authorities in Europe may in some cases prohibit the cloud provider from informing its customer about the government request.
Authored by Winston Maxwell.