Call for Contributions on Cloud Computing
Consultation procedure open from 17 October to 17 November 2011
Information details on Contributor
(all data are optional)
Name of company:
Business sector:
Country of primary head office:
For Cloud Computing, you are:
A service Provider
A Client
Please forward the questionnaire below
- by e-mail to consultationcloud@cnil.fr
- via postal mail to:
Commission Nationale Informatique et Libertés
Service des affaires européennes et internationales
8 Rue Vivienne
75002 Paris, France.
Terminology / Abbreviations:
In the context of this request for contributions, the term “Provider” designates the companies offering Cloud Computing services, and the term “Client” designates the companies or public administrations who are the clients of Cloud Computing providers.
Definition of Cloud Computing
CNIL’s assessment
Since the term Cloud Computing is both recent and encompasses numerous concepts, there is still no consensus on a single definition.
Proposed solution
We believe that the most appropriate approach to any definition should be based on the features specific to Cloud Computing.
Accordingly, the CNIL suggests considering the following set of features to characterise the existence of a Cloud Computing service:
- simplicity of an on-demand service: any user may unilaterally, immediately and generally without any human intervention, have access to the IT resources they need (server computing time, storage capacity, etc.).
- extreme flexibility: the resources made available adapt quickly and extensively to upgrading requests, generally in a fully transparent way for the user.
- “light-client” access: access to the resources requires no specific hardware or proprietary software. Access is gained via readily available (and sometimes free1) applications, generally from a simple Internet browser.
- virtualisation of resources: the Provider’s IT resources are configured for use by a multitude of machines, and frequently distributed across various hosting centres (possibly in various locations across the world).
- “pay per use”: payment for Cloud Computing services may be made in proportion to actual use of the service.
Question
In your opinion, does this set of features enable the proper characterisation of a Cloud Computing service? Should this set of features be complemented?
II. Qualification of stakeholders: towards an assumption of subcontracting?
A. Principle
Under Article 3 of the French Data Privacy Law of 1978, the Data Controller is defined as “a person, public authority, department or any other organisation who determines the purposes and means of the personal data processing”.
The Processor is defined as the subcontractor who processes the personal data on behalf of and according to the instructions of the Data Controller.
B. Proposed solution
Client
The Client will always be responsible for the processing as Data Controller. By collecting data and deciding to outsource their processing to a service provider, the Client retains full responsibility for the data processing, since the Client also defines the purposes and means of data processing.
Provider
In principle, the Provider acts on behalf of and according to the instructions of the Client acting as Data Controller.
Accordingly, it would appear reasonable to establish an assumption that the Provider acts as Data Processor in the context of the relationship between the Client and the Provider.
Such an assumption will be particularly effective whenever the Client uses a private Cloud2 that involves extensive control over the execution of the Cloud Computing service.
Conversely, whenever the Client uses a public Cloud3, the respective roles of the Client and the Provider may prove difficult to determine, and will also depend on the type of services subscribed by the Client. In this case, the CNIL proposes that the above assumption be discarded in favour of a set of features that should enable the determination of the margin for manoeuvre available to the Provider to perform the service provision.
Criterion | Meaning
Instruction level | Assess to what extent the Provider is bound by the Client’s instructions.
Level of control over the performance of the service | Assess the level of constraint that the Client may dictate on the Provider.
Expertise of Provider | Assess the level of expertise of the Provider to find out to what extent he controls the data processing.
Level of transparency of the Data Controller in the service provision | Find out to what extent the identity of the Provider is known by the stakeholders. If this identity is known by the stakeholders using the Client’s services, then the Provider may be presumed to act as a de facto Data Controller.
By applying this set of features, it will be possible, among other things, to take into account the highly standardised nature of Cloud Computing offers, which generally results in extensive control of the Provider over the service.
The following analysis is submitted by the CNIL for consultation:
- The Client is necessarily regarded as the Data Controller.
- The Provider is presumed to be a subcontracted Processor, unless the set of features leads to disregarding this assumption, thereby demonstrating that the Provider acts as the de facto Data Controller.
In the context of the revision of the EU Directive on data protection, it would be of interest to look at the possible creation of a legal status for the subcontracted Processor, in order to assign a number of specific requirements to said Processor.
Question
In your opinion, does the above analysis reflect the specific features of Cloud Computing? Why?
What is your opinion on a specific legal status for service providers?
Applicable law
Since Cloud Computing relies on multiple servers located in various places in the world, determining the applicable law is obviously difficult: the flexibility and fluidity of data transfers mean that potentially as many laws apply as there are countries in which data processing servers are located.
Yet, it is essential to identify which law is applicable, in particular to determine which legal obligations are enforceable on the Data Controller.
Principle
Under Article 5 of the French Data Privacy Law of 6 January 1978 as amended, the French law applies if the Data Controller:
- “is established on French territory”,
- or, “uses means of processing located on French territory” (although not established on the territory of any other EU Member State)
Avenues of investigation
While the CNIL is in favour of extending the concept of “processing means”, it nevertheless wishes to mitigate any excessive consequences of an abusively broad interpretation of “processing means” and any potentially systematic application of French law.
Question:
In your opinion, which criteria would enable the determination of applicable law to Cloud stakeholders?
Regulating framework for data transfers
Principle
Under Article 68 of the French Data Privacy Law of 1978, personal data may only be transferred to recipients in countries located outside the EU if that State provides an adequate level of data and privacy protection. Article 69 of the Law expressly specifies the instruments required to regulate such transfers: standard contract clauses, internal corporate regulations (or BCRs), Safe Harbor, or exceptions.
Resorting to such instruments implies knowledge of the country(ies) where the data are to be transferred, which is essential to complete the required declaration/authorisation formalities with the CNIL and to inform the data subjects of such transfers to these countries.
However, Cloud Computing is most frequently based on a complete lack of any stable location of the data. The Client is therefore rarely in a position to be able to know in real time where the data are located or stored or transferred.
In this context, the legal instruments providing a framework to regulate data transfers to non-EU third countries that fail to provide adequate protection have shown their limits.
In addition, there are exceptions to the principle of banned transfers.
Proposed solutions
(i) From a legal standpoint
The increasingly multiple locations of data storage make it difficult to enforce any legal instrument that would guarantee adequate protection levels.
The CNIL therefore proposes that 1) service providers should incorporate standard contractual clauses into the service provision contracts, and 2) the feasibility of Binding Corporate Rules (BCRs) for subcontracted Processors should be investigated.
Such BCR for processors would enable the Provider’s client to entrust their personal data to this subcontracted Processor while being assured that the data transferred within the Provider’s business scope would receive an adequate protection level.
(ii) From a technical standpoint
Regulatory control over data transfers could also depend on the technical solutions used. For instance, some Providers mention the use of “metadata”4 (data that defines or describes another data item, regardless of its medium, print or electronic) or homomorphic encryption solutions5.
Resorting to encryption would also be regarded as a satisfactory solution to guarantee the transfer of data to predetermined countries only.
In such cases, the Client could then truly endorse its role as Data Controller by defining the data recipient countries, even before the service is performed.
In practice:
- The Cloud Computing Provider, whether Data Controller or Processor, will have to obtain an approval of its BCRs from European data protection authorities, based on the current procedure.
- The Client will submit its request for data transfer authorisation to the data protection authorities, based on the previously approved BCRs of the Provider.
Questions:
Which of the existing instruments do you think are most suitable for Cloud Computing?
How are you regulating the data transfers carried out in the context of the Cloud Computing service you provide or to which you have subscribed?
Do you think that BCRs for the subcontracting Processor are an interesting solution? What type of mechanism would you consider for these BCRs?
Have you already thought about technical solutions that would enable you to better identify and control data flows in the context of Cloud Computing services?
Data security
The issues of security and confidentiality of data outsourced to the Cloud, as covered under Article 34 of the French “Informatique et libertés” Law, are generally one of the top concerns for users6.
In the case of an organisation subscribing to a Cloud Computing service, the management of data security is largely delegated to the service Provider, from whom it is often difficult to obtain guarantees on the actual security level. In application of Article 35 of the French law, the subcontracted Processor “shall offer adequate guarantees to ensure the implementation of the security and confidentiality measures mentioned in Article 34”7, while the Data Controller has the “obligation to supervise the observance of such measures [of security and confidentiality]”7.
In addition, the same Article provides that “The contract between the Processor and the Data Controller shall specify the obligations incumbent upon the Processor as regards the protection of the security and confidentiality of the data and provide that the Processor may act only upon the instruction of the Data Controller”.
It is therefore necessary for these security requirements to be materialised in a contract. In particular, it is essential that the roles and responsibilities of the parties be clearly defined in advance, in order to ensure efficient processing of any incident that might lead to a loss or disclosure of personal data.
Question
What are your views on the contractual relations between the Client and the Provider regarding security measures and compliance with Articles 34 and 35 of the French Data Privacy Law (“Informatique et libertés”)?
Risks specific to Cloud Computing
A risk assessment8 is recommended prior to drafting any data security policy, in particular for large-size IT systems. This recommendation was previously formulated by ENISA9 in its report published in November 2009 entitled “Cloud Computing: benefits, risks and recommendations for information security”10 and by ANSSI in its more general report on “Outsourcing of IT systems – Risk management” published on 19 March 201011.
This risk assessment should in particular factor in the nature of the organisation using the Cloud Computing service and the type of data processed in the Cloud.
The CNIL therefore believes that a risk analysis approach to assess the impact of switching over to Cloud Computing should be adopted by all Data Controllers wishing to use Cloud Computing for some of their personal data processing operations.
Question:
What are your views on the recommendation to conduct a risk assessment before switching over to Cloud Computing?
Assessments and proposals on data security
Security aspects to be boosted
When using Cloud Computing services, the CNIL recommends that some aspects of data security should be looked at carefully:
- external protection of the network (firewalls, proxy server with content analysis, intrusion detection, etc.)
- protection of the terminal (PC, laptop, PDA, cell phone): antivirus, operating system and software regularly updated, firewall12.
- encryption of links13 to ensure the confidentiality of data exchanges
- traceability: keep a record of connections and operations performed14 on the data (in many service offers, including for large companies, “administration”-type events, such as creation or deletion of accounts or authorised access to data, are not recorded).
For Providers offering services to private companies or public administrations, the following could be added:
- management of authorisations, e.g. the account of an employee who left the organisation must be immediately deactivated, since they could still have access to the IT systems even though they no longer have access to the physical premises.
- authentication: similarly, the authentication process must be reinforced. A high-level authentication process is indispensable whenever the accessed data are sensitive and/or extensive in volume.
Questions:
What are your views on this analysis? In your opinion, which security measures should the CNIL highlight to draw the attention of Data Controllers?
Access by administrators and encryption
In the absence of any encryption at the data storage level, which is very frequently the case, the IT administrators15 of the Provider have full access to the data of their Clients16.
One way to obtain at least partial protection against such risks is to ensure that the Provider’s administrators have a confidentiality clause in their employment contract or have signed a specific non-disclosure agreement. In addition, it is recommended to record the administrators’ actions in logs that are not accessible to them.
However, for the Data Controller Client, encryption of the data stored in the Cloud constitutes the only way to prevent the Provider’s IT administrators17 from accessing the data entrusted to them.
Question
What are your views about encryption in the Cloud?
Data destruction and reversibility
Once the service provision expires (account closed, contract termination, etc.), it is important for the Client to ensure that the data previously entrusted to the Provider will no longer be accessible to the Provider. Depending on the sensitivity of the data, the following measures may be required:
- conventional deletion of data
- “secured” deletion18 of data
- return of storage media to the Client (hard disks, backup tapes) or physical destruction in the case of hardware dedicated to the Client (e.g. private Clouds); in such cases, it is important to plan for such measures from the outset in the contractual clauses19.
In addition, the issue of data reversibility should also be taken into account by the Client prior to subscribing to a Cloud Computing service. The Client may wish to retain the data entrusted to the Provider, and in such case, the Provider should plan to return the data in a standardised format that will enable the Client to reuse these data with another service provider or using a conventional software program.
Question:
What are your views about the return of data and reversibility?
Standardisation: a potential solution?
All of the above-discussed issues could be partially addressed by bolstering the transparency from Cloud Computing providers about their security policies. It would be possible to boost the trust of clients and data protection authorities by adopting measures designed to certify the data centres, taking into account personal data protection without inducing any additional risks20. However, there are currently no existing security standards adapted to Cloud Computing that would fully factor in the issue of personal data protection.
The CNIL recommends that security standards incorporating the issue of personal data protection in the Cloud be defined and promoted by the industry in order to strengthen transparency for the clients.
Questions:
- Do you approve of the CNIL’s analysis regarding the lack of any standards or certifications regarding personal data protection in Cloud Computing?
- What proposals would you have on this subject regarding standardisation or certification?