LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

Transcription

1 LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS This document is a rough draft aiming at presenting key provisions, current clauses used in Cloud computing contracts and first drafts on possible clauses templates. The only goal of this draft is to open discussions on this issue. NB: the boxed sections present key points and core elements of this proposal offering the possibility of a short version reading (less than 3 pages). Regarding the tight schedule, reporters propose to focus the debate on the boxed sections presented on this page, at the end of section II and on section III (other comments could be sent in writing before the meeting). Key points to be discussed: 1/ Should we envisage a clause of de facto requalification of the CSP in "(joint-) controller" whenever the customer has no real possibility to give instructions to the CSP? Or do customers remain liable because of their prior and free choice of a CSP (meaning they will have to check whether effective procedures to monitor instructions are provided or not)? 2/ Should we consider that CSP s qualification in (joint-) controller or processor entails two distinct sets of contractual clauses on "liability" (i.e. CNIL s choice in 2012)? 3/As WP29 pointed it out in 2010, should we consider that significant contractual imbalance (due to adhesion contracts for instance or to the absence of any free and prior negotiation) does not lead to the qualification of the CSP as a ( joint-)controller? 4/ Would it be better to consider the parties are totally free to distribute responsibilities in the contract or that, in specific cases, specific recommendations should be issued (e.g. regarding security control in SAAS services for instance, the CSP could qualify as «jointcontroller» unless he demonstrates that he provides adequate tools to take customers instructions into account)? 5/ Should we endorse a double set of clauses (proposed in this document) according to the fact that the contract is either an adhesion or a freely negotiable one? 6/ Should we envisage CSPs and customers could be severally liable or only jointly liable? Or should we consider that only the parties to the contract can freely state on this point? 7/ Should the final version of the templates include an obligation, for CSPs, to be able to produce specific documentation (art 28 draft regul.) as to benefit from an exemption of liability? Or should we consider this is an extra-contractual topic (that only ought to be handled by DPAs)? In other words, should accountability be contractually framed? 8/ Should we identify a clause template concerning CSPs security «basic safeguards»? 9/ How the Commission could incent customers and CSPs to use this set of clauses? What specific incentives could be designed? 10/ Should we promote a clause determining that an annex to the contract will provide a «mapping» of processing for which CSP qualifies as processor and those for which he qualifies as a controller or a co-controller? 11/ Should those templates keep on being recommended, as good practices, even is the customer enters the scope of the household exemption? 1

2 I- PROBLEMS RELATED TO LIABILITY FOR NON COMPLIANCE I-1- EXAMPLES OF EXISTING CONTRACT CLAUSES (X= the CSP concerned) II-1-a Example of IAAS service 3. Security and Data Privacy. 3.1 X Security. Without limiting Section 10 or your obligations under Section 4.2, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure. 3.2 Data Privacy. We participate in the safe harbor programs described in the Privacy Policy. You may specify the X regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected X regions without notifying you, unless required to comply with the law or requests of governmental entities. You consent to our collection, use and disclosure of information associated with the Service Offerings in accordance with our Privacy Policy, and to the processing of Your Content in, and the transfer of Your Content into, the X regions you select. [ ] 4. Your Responsibilities 4.1 Your Content. You are solely responsible for the development, content, operation, maintenance, and use of Your Content. For example, you are solely responsible for: (a) the technical operation of Your Content, including ensuring that calls you make to any Service are compatible with then-current APIs for that Service; (b) compliance of Your Content with the Acceptable Use Policy, the other Policies, and the law; (c) any claims relating to Your Content; and (d) properly handling and processing notices sent to you (or any of your affiliates) by any person claiming that Your Content violate such person s rights, including notices pursuant to the Digital Millennium Copyright Act. Main observation: Implicitly, X qualifies itself as processor but keeps control on data storage. Positive points: X complies with Article 17-3 of Directive 95/46 + location of the data centre seems to be under control of the customer (but is this wish binding X, considering that X does not agree to keeping the Content exclusively in the selected regions but only not to move it to another region without notifying the Customer?). Negative points: There is no explicit qualification of the CSP + Transfers are presented as covered by Safe Harbor without further specifications + X seems to keep control over the location of data as it just states that it will previously notify location changes to the customers + Access law enforcement is not framed. I-1-b Example of PAAS service 3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Your Data by Our personnel except (a) to provide the Purchased Services and prevent or address service or 2

3 technical problems, (b) as compelled by law in accordance with Section 8.3 (Compelled Disclosure) below, or (c) as You expressly permit in writing. [ ] 4.3 Your Responsibilities. You will (a) be responsible for Users compliance with this Agreement, (b) be responsible for the accuracy, quality and legality of Your Data and the means by which You acquired Your Data, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify Us promptly of any such unauthorized access or use, (d) use Services and Content only in accordance with the Documentation and applicable laws and government regulations, and (e) comply with terms of service of Non-X.com Applications with which You use Services or Content. Main observation: Implicitly, X qualifies as data processor. Positive points: X complies with Article 17-3 of Directive 95/46 + a comprehensive documentation seems to be provided to help the customer to be aware of its obligations Negative points: There is no explicit qualification of the CSP + there are no specifications on international data transfers + the first exception (a) provided in Article 3.2 is ambiguous as it could refer either to the data processed (CSPs don t have to access) or basic operational data. I-1-c Example of SAAS service 1. Services 1.1 Facilities and Data Transfer. All facilities used to store and process Customer Data will adhere to reasonable security standards no less protective than the security standards at facilities where X stores and processes its own information of a similar type. X has implemented at least industry standard systems and procedures to ensure the security and confidentiality of Customer Data, protect against anticipated threats or hazards to the security or integrity of Customer Data and protect against unauthorized access to or use of Customer Data. As part of providing the Services X may transfer store and process Customer Data in the United States or any other country in which X or its agents maintain facilities. By using the Services Customer consents to this transfer, processing and storage of Customer Data. 2.3 Customer Administration of the Services. Customer may specify one or more Administrators through the Admin Console who will have the rights to access Admin Account(s) and to administer the End User Accounts. Customer is responsible for: (a) maintaining the confidentiality of the password and Admin Account(s); (b) designating those individuals who are authorized to access the Admin Account(s); and (c) ensuring that all activities that occur in connection with the Admin Account(s) comply with the Agreement. Customer agrees that X's responsibilities do not extend to the internal management or administration of the Services for Customer and that X is merely a data-processor Effects of Termination. If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) X will provide Customer access to, and the ability to export, the Customer Data for a commercially reasonable period of time at X s then-current rates for the applicable Services; (iii) after a commercially reasonable period of time, X will delete Customer Data by removing pointers to it on X s active servers and overwriting it over time; and (iv) upon request each party will 3

4 promptly use commercially reasonable efforts to return or destroy all other Confidential Information of the other party. If a Customer on an annual plan terminates the Agreement prior to the conclusion of its annual plan, X will bill Customer, and Customer is responsible for paying X, for the remaining unpaid amount of Customer s annual commitment. Main observation: X qualifies explicitly as data processor, but the customer has few powers with regard to defining and controlling the manner in which the processing takes place. Positive points: X specifies the roles of the service provider (processor) and of the customer, which is not qualified as controller but has a set of rights and obligations regarding personal data defined in the agreement. Negative points: Although X qualifies itself as a processor, it retains near full discretion with regard to the means of processing + X makes no particular specification/effort to comply neither with Article 17-3 of Directive 95/46 nor Article 6-1-e. I-2- CONTRACTUAL LIMITS: CONTRACTUAL SITUATION - No clause on the qualification as a data controller or processor in the contract - Unclear clause on the qualification of the CSP as joint controller or processor Clause on the qualification of the CSP as a processor in the contract Clause in the contract leading to a significant imbalance towards the controller Adhesion contract with no possibility to freely negotiate on liability LEGAL PROBLEM Even if the qualification in data controller or processor depends on facts, the contract gives direct indications on the intention of the parties. Therefore, usually, in such a situation, facts will tend to demonstrate that the customer qualifies as data controller and that he is fully liable. There could be litigation about liability: the customer will try to establish joint and several liability whereas the CSP will retain no liability at all as it implicitly qualifies as a processor. In adhesion contracts, the CSP will tend to retain he is only a processor. The customer will tend to retain the exemption provided by Article 23-2 of Directive 95/46 or to establish a de facto qualification as joint controller (because of the absence of effective instructions monitoring system, of further processing, of absence of compliance with its reasonable and legitimate instructions) The customer might lodge a complaint, most of all in adhesion contracts. But according to Opinion 1/2010 released by the WP29, the imbalance in the contractual power should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law. The customer might claim that the contract is null and void. In adhesion contract, the CSP will tend to retain that he qualifies as processor and is, under no condition, liable. But, indeed, he might not be a mere 4

5 Freely negotiable contract Unsatisfactory implementation of the qualification of the CSP as( joint) controller or processor in the other clauses of the contract processor as it will actually give no real possibility to the customer to be in control of the processing (no instructions monitoring procedure). The CSP will mitigate its liability and tend to retain a qualification as a processor but the customer could use EU clauses templates. The qualification as processor or (joint) controller might be written in one clause of the contract but not lead to adequate adaptations in the other clauses, blurring the frontier between customer s and CSP s liability. I-3 PRE-CONTRACTUAL INFORMATION PRACTICE Adequate pre-contractual information practice allows the Customer: - to make a better informed choice of CSP, considering the obligation to select a processor providing sufficient guarantees ; - to better comply with legal obligations, namely with regard to ensuring as a data controller that the CSP applies appropriate technical and organizational measures - to more easily compare the different offers available in the market and to choose in a more informed manner the CSP that better responds to the customer s needs (access rights, data location, back-up policy, etc.); - a better picture of the eventual requirements to fulfill before the DPA prior to entering into the cloud agreement and of the need to request further consent from data subjects considering the particular features of the cloud services; - to better structure the internal processes that it will move to the cloud and to distribute/split such processes to the more suitable CSPs. I-4 EVIDENCE SHOWING THE IMPORTANCE OF THESE PROBLEMS Among all the current contracts and clauses provided by CSPs in IAAS, PAAS and SAAS services, whether they are free or not, some recurrent problems arise such as: - the lack of real possibility, for the customer, to give instructions to the CSP calling into question the qualification as data controller; - the continuous attempt of CSPs to be exonerated from their responsibility regarding to security despite Article 17-3 of the Directive explicit specifications originating litigations on liability; - the absence of explicit qualification of the CSP as processor whereas the customer meets genuine difficulty to contribute effectively to the terms of the contract (adhesion contracts of clauses templates for freely negotiable contracts) and therefore to give initial instructions; - the absence of any direct reference to privacy policy or of any annexing of those policies to the contract blurring the scope of liability or the predictable implementation of those policies (i.e. concerning transfers or access law enforcement for instance). 5

6 II- KEY PROVISIONS ON CONTROLLER S AND PROCESSOR S QUALIFICATION: Liability for non-compliance with data protection obligations is framed in key provisions/sections of (i) Directive 95/46 of 24 October 1995 (the Directive ), (ii) WP29 Opinion 5/2012 on Cloud Computing, adopted on 1 July 2012, (iii) the European Data Protection Supervisor (EDPS) Opinion adopted on 16 November 2012, (iv) WP29 Opinion 1/2010 on the concepts of controller and processor, adopted on 16 February 2010 and (v) the Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries (2010/87/EU) ("the Standard Contractual Clauses") that provides an example for contractual clauses on the liability of controller and processor towards the data subject. II-1- Current key provisions on controller s and processor s definitions: - A 'controller' shall mean the natural or legal person public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Article 3-(d) of the Directive) - A 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 2-(e) of the Directive) - The processor must not process them [personal data] except on instructions from the controller, unless he is required to do so by law (Article 16 of the Directive) - the same entity may act at the same time as a controller for certain processing operations and as a processor for others, and the qualification as controller or processor has to be assessed with regard to specific sets of data or operations (WP29 Opinion 1/2010, p.24). - the fact that the contract and its detailed terms of business are prepared by the service provider rather than by the controller is not in itself a sufficient basis to conclude that the service provider should be considered as a controller, in so far as the controller has freely accepted the contractual terms, thus accepting full responsibility for them. In the same line, the imbalance in the contractual power of a small data controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law (Opinion 1/2010, p.26). - II- 2- Current key provisions on controller s data protection basic obligations: - It shall be for the controller to ensure that paragraph 1 [fair and lawful processing, legitimate purposes, etc.] is complied with (article 6 of the Directive). - the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing and ensure a level of security appropriate to the risks (article 17-1 of the Directive). He shall also choose a processor providing sufficient guarantees and ensure compliance with those measures (article 17-2 of the Directive) 6

7 - Controllers should provide security measures to protect personal data and to be able to demonstrate accountability. In addition to the core security objectives of availability, confidentiality and integrity, attention must also be drawn to the complementary data protection goals of transparency (see above), isolation, intervenability, accountability and portability (WP29 opinion 05/2012 on Cloud Computing, p.14). - It should be recalled that the WP29 pointed out in its opinion 1/2010 on the concepts of controller and processor that the first and foremost role of the concept of controller is to determine who shall be responsible for compliance with data protection rules, and how data subjects can exercise the rights in practice. In other words: to allocate responsibility. These two general criteria responsible for compliance and allocation of responsibility should be borne in mind by the parties involved throughout the analysis in question (WP29 opinion 05/2012 on Cloud Computing,p.7) - The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that [ ] the processor shall act only on instructions from the controller (article 17-3 of the Directive) - Article 17(2) of Directive 95/46/EC puts full responsibility on cloud clients (acting as data controllers) to choose cloud providers that implement adequate technical and organizational (WP29 opinion 05/2012 on Cloud Computing, p.13). II-3- Current key provisions on processor s data protection basic obligations: - the obligation of the controller to implement technical and organizational measures to protect personal data shall also be incumbent on the processor (article 17-3 of the Directive) II-4- Current key provisions on controller s liability: - The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage (article 23-2 of the Directive see also Recital 55 of Directive); - The client as the controller must accept responsibility for abiding by data protection legislation and is subject to all the legal obligations mentioned in Directive 95/46/EC and 2002/58/EC, where applicable, in particular vis-à-vis data subjects (see 3.3.1) (WP29 opinion 05/2012 on Cloud Computing, p.20). - Appropriate contractual safeguards are addressed in the opinion with the requirement that any contract between the cloud client and cloud provider should afford sufficient guarantees in terms of technical and organizational measures (WP29 opinion 05/2012 on Cloud Computing, p.2) - For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form (article 17-4 of the Directive). - It should be emphasized that even in complex data processing environments, where different controllers play a role in processing personal data, compliance with data protection rules and responsibilities for possible breach of these rules must be clearly allocated, in order to avoid that the protection of personal data is reduced or that a "negative conflict of competence" and gaps arise whereby some obligations or rights 7

8 stemming from the Directive are not ensured by any of the parties (WP29 opinion 05/2012 on Cloud Computing, p.8). - "The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered." (Standard Contractual Clauses, Clause 6 (1)). II-5- Current key provisions on joint controllers liability: - Acting on behalf means serving someone else's interest and recalls the legal concept of delegation. [ ] A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor (Opinion 1/2010 on the concepts of "controller" and "processor" adopted on 16 February WP169, p.25). II-6- Current key provisions on processor s liability: - Should the processors use the data for any other purpose, or communicate them or use them in a way that breaches the contract, they shall also be considered to be controllers, and shall be held liable for the infringements in which they were personally involved (WP29 opinion 05/2012 on Cloud Computing, p.14) - when the provider re-processes some personal data for its own purposes. In such a case, the cloud provider has full (joint) responsibility for the processing and must fulfill all legal obligations that are stipulated by Directives 95/46/EC and 2002/58/EC (if applicable) (WP29 opinion 05/2012 on Cloud Computing, p.20) - Better balancing of responsibilities between controller and processor: The WP welcomes the provisions contained in Article 26 of the Commission s proposals (Draft EU General Data Protection Regulation) that are aimed at making processors more accountable towards controllers by assisting them in ensuring compliance in particular with security and related obligations. Article 30 of the proposal introduces a legal obligation for the processor to implement appropriate technical and organizational measures. The draft proposals clarify that a processor failing to comply with the controller s instructions qualifies as a controller and is subject to specific joint controllership rules. The Article 29 Working party considers that this proposal goes in the right direction to remedy the unbalance that is often a feature in the cloud computing environment, where the client (especially if it is a SME) may find it difficult to exercise the full control required by data protection legislation (WP29 opinion 05/2012 on Cloud Computing, p.23 referring to Article 26-4 and 27 of LIBE committee amendments). - The controller should be able to avail of contractual recourse possibilities in case of breaches of contracts caused by the subprocessors. This could be arranged by ensuring that the processor is directly liable toward the controller for any breaches caused by any sub-processors he has enlisted (WP29 opinion 05/2012 on Cloud Computing, p.10). - Where the subprocessor fails to fulfill its data protection obligations under such written agreement the processor shall remain fully liable to the controller for the performance 8

9 of the sub-processor s obligations under such agreement (WP29 opinion 05/2012 on Cloud Computing, p.9-10). - the acceptance by the controller established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage (Article 43-2-f) of the draft regulation on BCRs). - "If a data subject is not able to bring a claim for compensation [ ] against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities" (Standard Contractual Clauses, Clause 6 (2)). IN THE CLOUD SECTOR, WE COULD CONCLUDE FROM THOSE KEY PROVISIONS THAT 1/ THE CLOUD CUSTOMER: - is liable for data protection law compliance and the implementation of appropriate technical and additional safeguards; - has the duty to establish compliance with data protection law, in particular with regard to data security and oversight by DPAs; - is fully accountable for choosing cloud providers that implement adequate technical and organizational measures; - is in charge of determining in the contract who shall be responsible concerning specific sets of data or operations and respective responsibilities; - could be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage; 2/ THE CLOUD PROVIDER: - that only processes personal data on behalf of the controller qualifies as a processor; - either going beyond its mandate (and acquiring a relevant role in determining the purposes or the essential means of processing) or failing to comply with customers instructions qualifies as a joint-controller or controller (not a processor); - that uses the data for any other purpose (or communicates or uses such data in a way that breaches the contract) shall be considered a controller, be subject to all applicable legal obligations and be held liable for any infringement to such obligations; - is contractually accountable towards controllers by assisting them in ensuring compliance, in particular with regard to security and related obligations; - is directly liable towards the controller for any breaches caused by any sub-processors he has enlisted. 9

10 Moreover, prospective dispositions in the LIBE committee amendments adopted in October 2013 give further evidence that CSP s liability should be interpreted broadly: - Technical and organizational guarantees may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation (Article 26-3a). - Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller s behalf should be established, in particular with regard to documentation, data security, impact assessments, the data protection officer and oversight by data protection authorities. In particular, the controller should ensure and be able to demonstrate the compliance of each processing operation with this Regulation. This should be verified by independent internal or external auditors (Recital 60). - The arrangement between the joint controllers should reflect the joint controllers' effective roles and relationships. The processing of personal data under this Regulation should include the permission for a controller to transmit the data to a joint controller (Recital 62). - Where several controllers jointly determines the purposes and means of the processing of personal data, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall be jointly and severally liable (Article 24). - Where more than one controller or processor is involved in the processing, each of those controllers or processors shall be jointly and severally liable for the entire amount of the damage, unless they have an appropriate written agreement determining the responsibilities pursuant to Article 24 (Article 77-2). III- RIGHTS AND OBLIGATIONS OF THE PARTIES TO BE SPECIFIED IN THE CSP CONTRACT III-1 BEST PRACTICES ACHIEVING A BALANCE BETWEEN THE PARTIES TO THE CONTRACT Regarding a satisfactory implementation of the liability, the parties to the contract should: - provide one clear contractual clause on the qualification of the CSP as (joint-) controller or processor; - in case of a qualification of the CSP as processor, define and document the CSP initial mandate with regard to the processing of data and provide clear procedures on the way additional instructions to those set in the contract could be given by the customer and genuine controls operated; - determine the liability of the CSP when not complying with the customer s reasonable and legitimate instructions; - determine the liability of the CSP when further processing the data (i.e. big data) and split responsibilities according to the set of processing concerned; 10

11 - write down, on the basis of the qualification retained, specific responsibilities in all the relevant clauses in the contract regarding liability (i.e. liability for non compliance with Directive 95/46, for handling of security breaches, for subcontracting, for data subjects rights exercise, for data erasure and portability, for cooperation and notification to DPA(s), for audits, for data location and transfers legal framing, access law enforcement, security obligations incumbent on the CSP and on the customer such as continuity of service). III-2 WHY THOSE PRACTICES ARE A GOOD SOLUTION TO PROPERLY SOLVE THE PROBLEM? Although liability of the parties to a cloud contract is ultimately established by the Courts, a clear definition of the role and legal status of the CSP and Customer: - provides more effective safeguards to data subjects in the event of breach of data protection obligations; - allows a swifter and more effective allocation of responsibility between the Customer and the CSP and more legal certainty; - ensures better compliance with regulatory requirements by the Customer, namely with regard to the fulfillment of notification/prior checking obligations before the DPA and the requirements applicable to the data being processed (banking, insurance, health, traffic and location, etc.). III-3 EXAMPLES OF CONTRACTS TARGETING DATA PROTECTION AND A BALANCE BETWEEN THE PARTIES III-3-a X General Terms and Conditions for X Cloud Services (v8-2012) Article 13 Data Protection 13.1 Customer has and accepts the full responsibility for all personal data as controller in terms of Art. 2 (d) of the EU Data Protection Directive 95/46/EC. To the extent personal data is stored and/or processed under this Agreement, X will adhere to Customer s instructions as a processor in the terms of Art. 2 (e) of the EU Data Protection Directive 95/46/EC. Customer s instructions exceeding the scope of services offered by X will be at Customer s expense and subject to technical and organizational feasibility by X. X and Customer will implement all technical and organizational measures necessary to meet the requirements of applicable data protection laws to protect personal data against misuse To the extent that personal data of Customer are being processed, X shall obligate its personnel entrusted with the processing of Customer s data to data protection and data secrecy in accordance with applicable law X is authorized to engage subcontractors for the processing of personal data to the extent necessary for fulfilling its contractual obligations under this Agreement. X shall obligate its subcontractors to obey all relevant data protection rules. In case that such subcontractor is located outside the EU, X shall provide for a level of data protection deemed adequate under EU data protection regulations Customer ensures that no legal requirements of Customer prevent X from fulfilling its contractual obligations under this Agreement in compliance with applicable law. This includes, but is not limited to, ensuring that all concerned individuals have previously declared consent to a possible processing of personal data. 11

12 Main observation: X addresses data protection issues in an explicit and clear wording. It states that X adheres to customers instructions and therefore qualifies as a processor. Positive points: Compliance with EU data protection legal framework is at the core of the data protection section. Article 17-3 of the Directive is fully complied with as X will implement all technical and organizational measures necessary to meet the requirements of applicable data protection laws to protect personal data against misuse and will also obligate its subcontractors to obey all relevant data protection rules Negative points: X is not fully clear on the storage locations options (namely whether the service allows such operations to be confined to specific territories) + it does not mention anything on access law enforcement. III-3-b X CLOUD SERVICES AGREEMENT (SaaS, UK Version, ) 1. DATA PROTECTION 11.1 In performing the Services, X will comply with the X Services Privacy Policy, which is available at and incorporated herein by reference. The X Services Privacy Policy is subject to change at X s discretion; however, X policy changes will not result in a material reduction in the level of protection provided for Your Personal Data provided as part of Your Content during the Services Period of Your order X s Data Processing Agreement for X Cloud Services (the Data Processing Agreement ), which is available at and incorporated herein by reference, describes the parties respective roles for the processing and control of Personal Data that You provide to X as part of the Cloud Services. X will act as a data processor, and will act on Your instruction concerning the treatment of Your Personal Data residing in the Services Environment, as specified in this Agreement, the Data Processing Agreement and the applicable order. You agree to provide any notices and obtain any consents related to Your use of the Services and X s provision of the Services, including those related to the collection, use, processing, transfer and disclosure of Personal Data The Service Specifications applicable to Your order define the administrative, physical, technical and other safeguards applied to Your Content residing in the Services Environment, and describe other aspects of system management applicable to the Services. You are responsible for any security vulnerabilities, and the consequences of such vulnerabilities, arising from Your Content and Your Applications, including any viruses, Trojan horses, worms or other programming routines contained in Your Content or Your Applications that could limit or harm the functionality of a computer or that could damage, intercept or expropriate data You may not provide X access to health, payment card or similarly sensitive personal information that imposes specific data security obligations for the processing of such data unless specified in Your order. If available, You may purchase services from X (e.g., X Payment Card Industry Compliance Services, X HIPAA Security Services, X Federal Security Services, etc.) designed to address particular data protection requirements applicable to Your business or Your Content. Main observation: X explicitly qualifies as a Data processor and clearly indicates its duties in the cloud Services Agreement and in the Data Processing Agreement for Cloud Services (that 12

13 are incorporated herein in reference). The agreement is comprehensive and addresses essential concerns regarding liability for non-compliance. Positive points: X complies with Article 17-3 of Directive 95/46 + includes a clear definition of the instructions received from the client (which categories of personal data and of data subjects are included in the processing) + specifies the manner in which the client can provide additional instructions to those included in the Agreement + grants audit rights to customer, applies incident management procedures, security breach notification obligations, obligations for return and deletion of personal data upon end of services at customer s request in the Data processing agreement? Negative points: Although it applies Safe Harbor and Model Clauses to international transfers, it is not fully clear on the storage/processing options (namely whether the service allows such operations to be confined to specific territories) + it states the customers responsibility for any security vulnerabilities, and the consequences of such vulnerabilities (which should be excluded in case the customer demonstrates CSP s fault. III-4 CONTRACTUAL CLAUSE TEMPLATE ROUGH DRAFT First of all, we should notice that liability could be conceived in 2 ways, that is to say: - liablility towards data subjects, that is broadly addressed in section II; - liability inter-partes, that is to say the balance to determine between CSP and customer regarding joint or several liability settled in the contract. In principle, Customers of CSPs are liable for non-compliance with data protection current law and non-provision of adequate technical and organizational measures; CSPs are liable for breach of obligations arising from the cloud contract and also for sub-processors breaches. By way of exception, CSPs that do not follow customer s instructions OR that process data to serve a different purpose to that specifically identified by the customer qualify as (joint-) controllers; in such event, they will be subject to legal obligations on the processing of data and liable for the infringement of such obligations. Therefore, the clear scope of CSP s liability should be pointed out within the contract (according to the kind of operation concerned). The templates proposed hereafter are only a basis for discussion. Some particularly relevant questions are expressly outlined. III-4-a BY-DESIGN APPROACH: LIABILITY IN FREELY NEGOTIABLE CONTRACTS Among all possible issues to consider regarding liability, we draw your attention to the followings: - location of the data; - transfers (contractual clauses, BCR processors, adequate countries, safe harbor if only US data centers?); - subcontracting; - audits; - access law enforcement by administrative and judiciary authorities; - destruction or restitution of data (portability); - rights of the data subjects: 13

14 - reporting complaints; - security breaches; - security policy (security means and general conditions: integrity, accessibility, confidentiality, reversibility, traceability); - cooperation with the competent data protection authorities; - codes of conduct. Particularly in freely negotiable contracts, dedicated and explicit clauses may be added concerning some or all of those specific issues. Framing which issues should be taken into account in priority is to be debated here. Some templates could further be elaborated on, under the condition this draft document reaches a sufficient consensus and validates, on principle, the necessity or the whole interest of writing down those elements. After reading this first draft, European Commission proposed to distinguish obligations prescribed by the applicable law (including the allocation of liability towards the data subject for a breach of these obligations) and obligations for breaches that are not prescribed by applicable law. The latter could be clarified in the contract in order to guarantee legal certainty for the parties. III-4-b BY-DEFAULT APPROACH: LIABILITY IN ADHESION CONTRACT The following propositions should be considered as a basis to debate what should be a minimum or a by default clause targeting liability for non compliance with data protection obligations. It does not preclude the possibility to propose and promote detailed and specific clauses targeting the issues presented in III-4-a. CASE 1: THE CUSTOMER EFFECTIVELY CONTROLS THE WHOLE PROCESSING = THE CSP QUALIFIES AS PROCESSOR Under this contract, the customer qualifies as data controller of the set of processing carried out (by the cloud service provider) on his behalf. X (the CSP) qualifies as processor and will remain as such as long as it (i) complies with the customers reasonable and legitimate instructions, (ii) provides adequate monitoring procedures regarding compliance with such instructions, (iii) does not go beyond the mandate given by the customer (that is to say it will not acquire a relevant role in determining the purposes or the essential means of processing). In particular, X (the CSP) shall provide an accessible, easy-to-use and comprehensive security-monitoring-tool. The customer is fully liable for data protection law compliance. Therefore, the customer must comply with Directive 95/46 of 24 October 1995 and its implementing national provisions, and, in particular, [TO BE PARTICULARLY DISCUSSED: must keep documentation demonstrating that he has chosen an appropriate cloud service provider], regarding the nature of the data, the transfers, the scale of the processing and the technical and organizational safeguards in use. 14

15 The customer may be exempted from the above described liability, in whole or in part, only if he establishes that he is not responsible for the damage which a data subject may suffer as a result of the processing. X (the CSP) will be liable only if the customer establishes that X (the CSP) has breached this contract or that the breach results from a set of operations that the customer had neither validated via the signature of the contract nor given effective instructions on. Therefore, concerning security and related obligations, X (the CSP) is directly liable towards the customer for any breach caused by all the subprocessors he has enlisted. Concerning access due to law enforcement, the CSP is liable towards the customer and the competent DPA. As a processor, X (the CSP) commits to be diligent and accountable towards the customer by assisting the customer in ensuring compliance with its obligations. The customer s exemption of liability will only result from the demonstration that the CSP did not take appropriate actions. CASE 2: THE CUSTOMER DOES NOT EFFECTIVELY CONTROL ONE PART OR THE FULL PROCESSING = THE CSP QUALIFIES AS JOINT CONTROLLER Under this contract, the customer qualifies as data controller for the set of processing carried out (by the cloud service provider) on his behalf. Concerning the set of operations the customer is in no position to fully control, X (the CSP) qualifies as a joint controller. This qualification applies to the set of operations (i) X (the CSP) does not provide effective customer instructions monitoring system for, (ii) going beyond the mandate given by the customer (that is to say for those where X (the CSP) acquires a relevant role in determining the purposes or the essential means of processing) or (iii) X (the CSP) fails to comply with the customer s reasonable and legitimate instructions. In particular, X (the CSP) provides an accessible, easy-to-use and comprehensive mapping of the processing where he qualifies as processor [TO BE PARTICULARLY DISCUSSED: this set of operations could be specified in an Appendix I]. Concerning the processing that the customer has full control on, the customer is fully liable for data protection law compliance. Therefore, he has the duty to establish compliance with Directive 95/46 of 24 October 1995 and its local implementing laws, and, in particular, [TO BE PARTICULARLY DISCUSSED: keep documentation demonstrating he has chosen an appropriate cloud service], regarding the nature of the data, the transfers, the scale of the processing and the technical and organizational safeguards in use. Concerning the set of operations the customer is in no position to fully control, the customer and the CSP are jointly liable for data protection law compliance. Each is liable for the part of the operations he has effective control on. The customer could be exempted from his liability in whole if he establishes that he is not responsible for the damage which a data subject may suffer as a result of the processing. X (the CSP) will be fully liable only if the customer establishes that the breach results from a set of operations he has no control on (that is to say, neither validated via the signature of the contract nor effectively instructed by the customer). Therefore, concerning security and 15

16 related obligations, X (the CSP) is liable in whole towards the customer for any breach caused by all the sub-processors that X (the CSP) has enlisted. Concerning access law enforcement, the CSP is liable towards the customer and the competent DPA. As a joint-controller, X (the CSP) is under the obligation to comply with data protection law concerning the processing he controls jointly or in whole. 16