Those considering the use of “cloud computing” services need to be aware of certain elements in order to optimize their use from an operational perspective while making sure that these services comply with applicable laws and regulations. This article highlights the specificities of French Data Protection law that must be taken into consideration and stresses the main contractual aspects to focus on when setting up a “cloud project”.
I. PERSONAL DATA PROTECTION: A REGULATION THAT MUST BE TAKEN INTO ACCOUNT AT THE VERY BEGINNING OF THE PROJECT
A. PRINCIPLE: THE NECESSARY PRIOR AUTHORIZATION
Personal data are protected in France by the French Data Protection Act dated 6 January 1978[1]. This act was amended in 2004[2] in order to transpose into French law the European directive dated 24 October 1995[3], which is still the main European text in the field of personal data protection.
The rights and obligations included in the above-mentioned documents apply to all cloud providers and users when the data controller is established on French territory or if the data controller, although not established on French territory or in any other Member State of the European Community, uses means of processing located on French territory[4]. For the purpose of this paper we will focus solely on the rules set forth by these regulations when data flows outside the European Union.
While the 24 October 1995 directive permits free data movement within the European Union[5], it imposes strict rules when data flows outside this area.
In line with the directive, one of the principles set forth by the French Data Protection Act (DPA) is that personal data cannot be transferred to a state that is not a member of the European Union unless that state provides a sufficient level of protection of private life and of fundamental rights. Today, very few states are considered to provide such an adequate level of protection[6]. Additionally, it is important to note that the term “transfer” has an extensive meaning, since merely accessing data is considered to be a “transfer”.
In France, if data is transferred to another state as mentioned above, an authorization must be obtained from the French Data Protection Authority[7] prior to the implementation of the transfer. The request for authorization must be accompanied by standard contractual clauses drawn up between the exporting and importing entities[8], unless the transfer is covered by BCR (Binding Corporate Rules). In such cases, the time necessary to obtain the authorization (which may vary from a few weeks to a few months) must be taken into consideration when establishing the project plan.
It must be stressed that, when it comes to personal data, it is the data controller who is responsible for completing all legal formalities, and failure to do so may result in criminal sanctions[9].
B. WHEN PRIOR AUTHORIZATION IS UNNECESSARY
Personal data transfers that fall into one of the following categories are exempt from authorization:
- Transfer to a company located within the United States when this company has subscribed to the US Department of Commerce’s Safe Harbor Privacy Principles[10],
- Transfer that corresponds to one of the exceptions listed in article 69 of the French DPA, these exceptions being construed narrowly[11],
- Transfer which is governed by a “simplified norm” to the extent this norm expressly allows such a transfer to a country that is not a member of the European Union (EU).
Within this latter category, simplified norm #48[12] deserves some detail. When its conditions are met, this norm allows data to be processed without requesting an authorization for the following purpose: management of customer and prospect files. The norm does have limitations, one of which, fully consistent with French law, is worth mentioning here: upon request, the data controller must provide complete information on the country in which the data recipient is established.
The situation is complicated, and the “cloud” rarely stays confined to one national territory. That is why cloud providers would very much like to benefit from an internationally harmonized and simplified data protection framework. This could happen in the near future: the European Commission, which is currently working on the revision of the data protection directive, is very likely to take into account the need raised by all stakeholders for a “comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond”[13].
II. CONTRACTUAL GUIDELINES TO SECURE A CLOUD COMPUTING SERVICE FOR BUSINESS USE
A. STANDARD LEGAL ASPECTS TO CONSIDER
Some of the legal points that a company which uses or intends to use a cloud service must take into consideration are the same as for any IT project. Some examples follow.
The cloud computing offering must allow the user to comply with its internal and external audit obligations. In a related area, the certification processes the company follows or targets must be taken into consideration. Concerning payments, for example, the use of a public cloud[14] may prevent the company from becoming or remaining PCI DSS compliant[15].
The service provider’s commitments in terms of service quality and continuity shall be scrutinized. Penalty mechanisms can be a useful tool in case of failures during the delivery of the services. However, they do not replace the technical environment set up by the provider, such as redundancy and back-up solutions. When the provider is entrusted with strategic data, these technical security measures should ideally be tested regularly. These tests shall be performed either by the provider or someone appointed by it (in which case the provider may supply a SAS 70 level II certificate) or by the client or someone appointed by the client.
Both the subcontracting provisions and the data localisation and transfer conditions shall be thoroughly examined, especially when the outsourced service involves personal data.
The limitation of liability must be examined. If the level of liability assumed by the service provider does not seem high enough to cover the risks in case of a failure in the service, the corresponding clause shall be negotiated and/or the client shall make sure that the risk is otherwise covered, for example through its insurance coverage.
It may be in the client’s interest to include a benchmarking process in the contract, especially when the contract will run for a long period.
Finally, the choice of governing law shall not be forgotten. However, specifying a governing law in the contract shall not lead the parties to overlook the fact that other mandatory regulations in force where the data and/or services are located, such as “police” laws (overriding mandatory provisions), may still apply.
B. LEGAL ASPECTS WHICH REQUIRE SPECIFIC ATTENTION IN A CLOUD CONTEXT
It should be stressed that intellectual property (IP) must be scrutinized. With cloud services, IP aspects must be taken into consideration not only when the client entrusts the provider with the development of an application, but also for other kinds of services, for example when the user of the cloud service makes use of the development platform or the database structure put at its disposal by the service provider. If these elements are based on standard technologies, whether accessible under free licences or easily acquired on the market, the client can easily change provider or re-internalise the service should it wish to do so. If, on the contrary, the cloud provider owns the related technologies, the IP issues likely to arise, especially when the contract terminates, must be anticipated and handled at a very early stage, that is, when examining the offers and during the contract negotiation period. If such precautions are not taken, it may be difficult to carry out a smooth and seamless transition in case of a change of provider or of re-internalisation.
In general, reversibility conditions shall be carefully examined whenever the cloud provider is entrusted with data or tools are used remotely. The conditions under which the user will be able to take back the service, either to re-internalise it or to pass it on to a third party, shall be checked and, if needed, negotiated before the cloud contract is signed.
Finally, the security aspects deserve specific attention with cloud computing. This type of service differs significantly from more traditional outsourcing arrangements. Cloud services usually rely on a high level of server virtualisation and therefore allow data belonging to different companies to coexist on the same server. The frequency with which data and services are relocated to a foreign country also justifies giving special consideration to the security aspects.
It is therefore fundamental to make sure that security and breach notification measures put in place by the provider are clear, secure, and duly formalized.
In conclusion, although cloud computing does not greatly affect the legal aspects faced by IT users, special attention is required from the very early stages of the project in order to ensure that the project planning and the related client business are secure.
[1] French Act # 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, hereafter referred to as the “Data Protection Act” or “DPA”.
[2] French Act # 2004-801 of 6 August 2004 relating to the protection of individuals with regard to the processing of personal data.
[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] Article 5 of Data Protection Act.
[5] Free data movement extends, concerning personal data protection, to the European Economic Area (EEA) which includes, in addition to the member countries of the EU, Iceland, Liechtenstein and Norway.
[6] The list of these countries is as follows: Switzerland, Argentina, the Bailiwicks of Guernsey and Jersey, the Isle of Man, Andorra, Israel and, under certain conditions, Canada and the Faeroe Islands.
[7] CNIL, which stands for Commission Nationale de l’Informatique et des Libertés.
[8] A model of standard contractual clauses can be found in the Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
[9] Article 226-16 of French Penal Code states that “Processing data or causing data to be processed where the data concerned is of a personal nature, without respecting the formalities required by statute prior to the processing of such data, is punished by five years' imprisonment and a fine of €300,000, even where committed through”.
[10] More information on the Safe Harbor principles is available on the website of the US Department of Commerce.
[11] These exceptions mainly correspond to situations where (i) the individual data subject has clearly given her or his consent and (ii) the transfer is necessary, for example, to protect the life of the individual or the public interest.
[12] Deliberation #2005-276 of the French Data Protection Authority (CNIL).
[13] On this matter, see the communication from the Commission dated 4 November 2010 entitled “A comprehensive approach on personal data protection in the European Union”.
[14] For an explanation of the differences between public cloud and private cloud, see the ENISA report dated 20 November 2009, accessible through the following link: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
[15] Payment Card Industry Data Security Standard.