New type of outsourcing of computing resources which enables to access, via Internet and by means of a simple web browser, multiple services, the Cloud computing constitutes a major economic stake but also raises new questions, notably regarding personal data protection.
The debate launched by the French data protection authority (CNIL) is to define the concept of Cloud computing. In this respect, the CNIL believes that any definition should be based on the features specific to Cloud Computing.
The CNIL is also concerned with the qualification of stake holders. Although the service provider is usually qualified of a subcontractor or data processor, the CNIL wonders if, in some cases, both the client and the service provider should be jointly qualified data controllers. For instance, the CNIL refers to the necessary assessment of the extent to which the service provider controls the data.
The question of the identification of the applicable law is addressed to stakeholders. Especially, regarding the criterion of the “processing means”, the CNIL whishes to know which other criteria would enable the determination of applicable law.
The CNIL also addresses the issue of instruments which could provide a framework to regulate data transfers to non-EU third countries failing to provide any adequate protection. In this regard, the CNIL suggests the use of Binding Corporate Rules, especially in the field of subcontracting, which is bound to know a great development in the next few years.
Beyond the problematic of the personal data transfers, the CNIL raises questions about security, especially confidentiality and reversibility, and wonders how those requirements should be materialized in contracts. It also addresses the issue of risk assessment before switching over to Cloud computing.
The replies to the call for contributions are expected for November 27, 2011. There is no doubt the CNIL is bound to play a critical role in the interaction between Cloud computing and personal data protection.