CNIL (French Data Protection Authority) Recommendations on the use of Cloud Computing Services
The following blog entry on “CNIL on Cloud Computing” was written by the external legal counsel of the CSA, Ms. Francoise Gilbert of the IT Law Group. We repost it here with her permission. It can be viewed in its original form at: http://www.francoisegilbert.com/2012/06/cnil-on-cloud-computing/
On June 25, CNIL – the French Data Protection Authority – published its recommendation on the use of cloud computing services. This recommendation is the result of a research project on cloud issues, which started in the Fall of 2011 with a consultation with industry. The documents released by CNIL include a summary of the research and documents; a compilation of the responses received to the consultation, and a set of recommendations.
The recommendations includes:
- Clearly identify the type of data and type of processing that will be in the cloud
- Identify the security and legal requirements
- Conduct a risk analysis to identify the needed security measures
- Identify the type of cloud service that is adapted for the contemplated type of processing
- Choose a provider that provides sufficient guarantees
The CNIL document also provides an outline of the contractual clauses that should be included in a cloud contract and contains “Model Clauses” that may be added to contracts for cloud services. These model clauses are provided as a sample, are not mandatory, and can be changed or adapted to each specific contract.
Except for a high level summary in English, the documents described above are currently available only in French on the CNIL website. According to CNIL representatives, English translations of these documents should be available shortly.
- Overview of CNIL Recommendation – Summary in English:
- Overview of CNIL Recommendation – Summary in French
- Compilation of the responses to the CNIL consultation on cloud computing (in French)
- Recommendation for companies wishing to use cloud services (in French)