Last year the Article 29 Working Party published an Opinion on Cloud Computing expressing concern at the information available to those considering moving services to the cloud about the protection that cloud services offered for their data. The Cloud Security Alliance have now produced a template for service providers to provide the information that the Working Party were asking for.
The aim is for Cloud Service Providers to publish a Privacy Level Agreement (PLA) as an appendix to their service contracts, setting out the privacy arrangements for each service. By putting these PLAs in a standard form it should be easier for organisations to determine which services meet both their internal (“is this a safe place for my data?”) and external (“does this satisfy my legal obligations?”) privacy and security requirements. It should also be easier to compare different services – the CSA suggest that providers might offer different PLAs for different services.
According to the template, the PLA should provide various different types of information:
- Categories of personal data that may be uploaded to the service: in fact this suggests listing types of information that the service is not suitable for, an interesting idea;
- How information will be processed in the cloud: including whether the cloud provider is a data processor or joint data controller and how the duties of those roles are delivered;
- Data location, transfer, retention, monitoring and security measures: including measures such as Safe Harbor, Binding Corporate Rules and security certifications;
- Personal data breach notification: how any breaches will be notified;
- Data portability, migration, and transfer back assistance: what options (including additional charged services) are offered;
- Accountability of the cloud provider;
- Law enforcement access: in what circumstances law enforcement may obtain access to information, and when customers will be notified if this occurs;
- Remedies available against the provider in case of breach of the PLA.
Throughout the template there are extensive references to the Working Party Opinion and to publications by national data protection regulators including the UK Information Commissioner’s Guide to help providers and customers interpret what is required.
Having Privacy Level Agreements in a form that can be compared with each other and with European guidance on the use of clouds should help both cloud providers and customers. Even better will be if these PLAs are a step towards cloud providers being formally recognised under European laws through measures such as Binding Corporate Rules and other provisions in the new Data Protection Regulation.