For those who are considering using “cloud computing” services there is a need to be aware of certain elements in order to optimize its use from an operational perspective while making sure that these services comply with applicable laws and regulations. This article highlights the specificities of French Data Protection law that must be taken into consideration as well as stresses on the main contractual aspects to focus on, when setting up a “cloud project”.
I. PERSONAL DATA PROTECTION: A REGULATION THAT MUST BE TAKEN INTO ACCOUNT AT THE VERY BEGINNING OF THE PROJECT
A. PRINCIPLE: THE NECESSARY PRIOR AUTHORIZATION
Personal data are protected in France by the French Data Protection Act dated 6 January 1978. This act was amended in 2004 in order to transpose into the French law the European directive dated 24 October 1995 which is still the main European text in the field of the personal data protection.
The rights and obligations included in the above-mentioned documents apply to all cloud providers and users when the data controller is established on French territory or if the data controller, although not established on French territory or in any other Member State of the European Community, uses means of processing located on French territory. For the purpose of this paper we will focus solely on the rules set forth by these regulations when data flows outside the European Union.
If the 24 October 1995 directive permits free data movement within the European Union, then this would cause the implementation of strict rules when the data flows outside this area.
As per the directive, one of the principles set forth by the French Data Protection Act (DPA) is that personal data cannot be transferred to a state that is not a member of the European Union unless the aforesaid state provides a sufficient level of protection of the private life and of the fundamental rights. Today, very few states are considered as providing such an adequate level of protection. Additionally, it’s important to note that the term “transfer” has an extensive meaning since simply accessing data is considered to be a “transfer”.
In France, if data is transferred to another state as mentioned above, an authorization must be obtained with the French Data Protection Authority prior to the implementation of the said transfer. The request for authorization must be completed with standard contractual clauses drafted between the exporting and importing entities, unless the transfer comes under BCR (Binding Corporate Rules). In such cases, the time necessary to obtain said authorization (which may vary from a few weeks to a few months) must be taken into consideration when establishing the project plan.
It must be stressed that when it comes to personal data it is the data controller who is responsible for dealing with all legal formalities and if these are not respected this may result in criminal sanctions.
B. WHEN PRIOR AUTHORIZATION IS UNNECESSARY
Personal data transfer that enter into one of the following categories are exempted from authorization:
- Transfer to a company located within the United States when this company has subscribed to the US Department of Commerce’s Safe Harbor Privacy Principles,
- Transfer that corresponds to one of the exceptions listed by article 69 of the French DPA, which exception must be understood in a restrictive manner,
- Transfer which is governed by a “simplified norm” to the extent this norm expressly allows such a transfer to a country that is not a member of the European Union (EU).
Among this latter category it may be useful to give some details in this article concerning the simplified norm #48. When the defined conditions are met this norm allows for the process of the data without having to ask for an authorization for the following treatments: customer’s and prospect’s files management. However, this norm has limitations, among which one, which is fully in line with French law, is important to mention here: upon request the data controller must provide complete information on the data recipient's established country.
The situation is complicated. And the “cloud” rarely stays confined to one national area. That is the reason why cloud providers would like very much to benefit from an international harmonized and simplified data protection framework. This could happen in the near future: the European Commission, which is currently working on the revision of the data protection directive, is very likely to take into account the need raised by all the stakeholders of a “comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond”.
II. CONTRACTUAL GUIDELINES TO SECURE A CLOUD COMPUTING SERVICE FOR BUSINESS USE
A. STANDARD LEGAL ASPECTS TO CONSIDER
Some of the various legal points that a company which uses or intends to use a cloud service must take into consideration are the same as for any IT project. Herein are some examples.
The cloud computing offering must allow the user to comply with its in-house and external audit obligations. In another but related domain, the certification processes followed by the company or which the company targets must be taken into consideration. Concerning the payments for example, the use of a public cloud may prevent the company becoming or remaining PCI DSS compliant.
Service provider commitments in terms of service quality and continuity shall be scrutinized. The penalty mechanisms can be a useful tool in case of failures during the delivery of the services. However they do not replace the technical environment set up by the provider, such as redundancy and back-up solutions. When the provider is consigned with strategic data, these technical security measures will be ideally regularly tested. These tests shall be performed either by the provider or someone appointed by it (in such cases the provider may provide a SAS 70 level II certificate) or by the client or someone appointed by the latter.
Both the subcontracting provisions and the data localisation and transfer conditions shall be thoroughly examined, especially when personal data are to be concerned by the service outsourced.
The limitation of liability must be examined and if the level of liability assumed by the service provider does not seem to be high enough to cover the risks in case of failure in the service, the corresponding clause shall be negotiated and/or the client shall make sure that the risk is otherwise covered, i.e. through its insurance coverage.
It could be of interest for the client to include a benchmarking process in the contract, especially when the contract will be in effect for a long duration.
Finally the matter of the contractual applicable law shall not be forgotten. However the mention of an applicable law in the contract shall not lead the parties to neglect the fact that other imperative regulations, that are in effect where the data and/or services are located, such as “police” laws, may still apply.
B. LEGAL ASPECTS WHICH REQUIRE SPECIFIC ATTENTION IN A CLOUD CONTEXT
It should be stressed that intellectual property (IP) must be scrutinized. With cloud services IP aspects must be taken into consideration, not only when the client entrusts the provider with the development of an application, but for other kinds of services, i.e. when the cloud service’s user utilizes the development platform or the data bases structure put at its disposal by the service provider. If these elements are based on standard technologies, whether they are accessible by free licences or can be easily acquired on the market, the client can easily change provider or re-internalise the service should he want to do so. On the contrary if the cloud provider owns the related technologies, issues likely to be generated by IP, especially when the contract will terminate, must be anticipated and handled at a very early stage, i.e. when examining the offers and during the contract negotiation period. If such precautions are not implemented, it may be difficult to operate a smooth and seamless transition in case of change of provider or in case of re-internalisation.
In general, reversibility conditions shall be carefully looked into when the cloud provider is entrusted with data or when tools are used remotely. The conditions under which the user will be able to take back the service, either to re-internalise it or to pass it on to a third party, shall be checked, and if needed, negotiated, before the signature of the cloud contract.
Finally, the security aspects deserve specific attention with cloud computing. This type of services manifest a major difference with the more traditional outsourcing organizations. They usually rely on a high level of virtualisation of the servers and therefore authorize the coexistence of data that belong to different companies on the same server. The frequency of data and services being relocated to a foreign country also justifies special consideration to be given to the security aspects.
It is therefore fundamental to make sure that security and breach notification measures put in place by the provider are clear, secure, and duly formalized.
In conclusion, although cloud computing does not greatly affect the legal aspects faced by IT users, special attention is required, in order to ensure that the project planning and related client business are secure, and that at the very early stage of the project.
 French Act # 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, here after referred to as “Data Protection Act” or “DPA”.
 French Act # 2004-801 of 6 August 2004 relating to the protection of individuals with regard to the processing of personal data.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 Article 5 of Data Protection Act.
 Free data movement extends, concerning personal data protection, to the European Economic Area (EEA) which includes, in addition to the member countries of the EU, Iceland, Liechtenstein and Norway.
 The list of these countries is as follows: Switzerland, Argentina, the Bailiwicks of Guernsey and Jersey, Isle of Man, Andorra, Israël and within certain conditions, Canada and Faeroe Islands.
 CNIL, which stands for Commission Nationale de l’Informatique et des Libertés.
 Standard contractual clauses model can be found in the Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
 Article 226-16 of French Penal Code states that “Processing data or causing data to be processed where the data concerned is of a personal nature, without respecting the formalities required by statute prior to the processing of such data, is punished by five years' imprisonment and a fine of €300,000, even where committed through”.
 More information on the Safe Harbor principles is available on the website of the US Department of Commerce.
 These exceptions mainly correspond to situations where (i) the individual data subject has clearly given her or his consent and (ii) the transfer is necessary, for example, to protect the life of the individual or the public interest.
 Deliberation #2005-276 of the French Data Protection Authority (CNIL).
 You can read concerning this matter the communication from the Commission dated 4 November 2010 and named “A comprehensive approach on personal data protection in the European Union”.
 For some explanation concerning the differences between public cloud and private cloud you can read the ENISA report dated 20 November 2009 accessible through the following link: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
 Payment Card Industry Data Security Standard.