The International Working Group on Data Protection in Telecommunications, a working group of the International Conference of Data Protection and Privacy Commissioners (no entry in the Wikipedia. Should that make us think?), established and still run by the head of the data protection authority of the federal state of Berlin, has published a working paper with recommendations regarding the use of cloud computing services by companies and public authorities. They’ve called it the “Sopot Memorandum“. Conference pros never fail to pick one of the nicer and more interesting spots to meet, do they?
Starting from the usual analysis (cloud computing is risky with respect to privacy, data protection “and other legal issues”, you know the deal), the Working Group, essentially, recommends:
- “Data controllers” (i.e. the company or public authority) should do their own risk assessment and move forward with any cloud computing plans in “careful, measured steps”.
- The services providers should practice greater “transparency, security, accountability” (can’t go wrong with those) and offer “more balanced contractual clauses to promote data portability and data control the cloud users”.
- Third party certification, standardization, privacy by design technologies and the like should be advanced
- The data protection legislation in place should be reassessed with a view to the cloud computing phenomenon (especially the cross border aspects).
While all that sounds fairly standard, making one stifle a hearty afternoon yawn, there are some interesting “best practice guidances” in the paper that highlight what the data protection authorities at least in most of (or, honestly speaking, maybe only “some of”) Europe expect the companies and public authorities to ensure before using cloud computing services, amongst others:
- Effective data deletion routines;
- Encryption of data both during storage and transport;
- Logging of any “use” of the data by the service provider;
- “location audits trails” (i.e. a record of where personal data has been stored) and “copying and deletion audit trails;
- Transparency on possible and actual location of the data transferred;
- The right to inspect all location at which the data may be processed;
- The right to have a third party conduct an audit;
- Ensure that the data subjects (a truly terrible term, really) “can exercise their rights of access, rectification, erasure or blocking of data”;
- Transparency with respect to each and every subcontractor of the service provider which, given that we are likely reading a document drafted by a German jurist, means down to the very last data processing center, whether run by a subsidiary or some third party somewhere in the world.
I don’t think the issue will go away any time soon.
For more updates on German and EU IT law and other IT-related matters please follow us on Twitter @germanitlaw.