Acquia Comments on EU Recommendations for Data Processing in the Cloud

Executive Summary

On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing personal data in the cloud for client organizations. The opinion describes associated risks and provides recommendations for best practices. This brief white paper explains why Acquia Cloud is aligned with the guidance provided by the EU data protection regulators, ensuring that the transfer of EU personal data to cloud service providers such as Acquia may take place lawfully under EU law.

The opinion on cloud computing, entitled Opinion of Article 29 Working Party, was issued by the Article 29 Data Protection Working Party, which is also known as WP 29. The opinion provides recommendations for both the cloud service provider and the cloud customer to ensure they are satisfying the general Data Protection Directive 95/46/EC, which regulates the processing of personal data within the EU. These recommendations outline best practices that should be observed when the service provider, as a part of its cloud-based service, processes personal data on behalf of a client organization. Acquia observes these best practices and adheres to the recommendations issued in this opinion.

The opinion puts a special emphasis on the contractual arrangements between cloud service providers and cloud customers. The recommendations supplement existing best practices concerning an individual's right to data protection that are stipulated in Article 8 of the EU Charter of Fundamental Rights.

The report identifies the potential risks of leveraging cloud services that are not in compliance with the Data Protection Directive. When a service provider is not in compliance, potential risks can include loss of control over personal data and the lack of transparency concerning what safeguards are in place during data processing.
EU regulators recommend that organizations considering cloud services should conduct comprehensive vendor risk analysis and follow the recommendations provided by the opinion.
By choosing a service provider, such as Acquia, that adheres to these recommendations, EEA-based customers may leverage cloud services while remaining in compliance with EU privacy data regulations.

Cloud Computing Data Protection Risks and How Acquia Mitigates These Risks

The Working Party recommends that cloud customers conduct risk assessments of cloud service providers. Summarized below are the risks the Working Party identified with regard to cloud computing, together with how leveraging Acquia Cloud mitigates those risks:

A lack of transparency and integrity: Cloud customers should be aware of the service provider's parameters for data processing and whether there are subcontractors who have access to customer data. In instances where data may be accessed by subcontractors, the same contractual and legal provisions should apply both to the service provider and the subcontractors.

Acquia Cloud is a Platform as a Service (PaaS), built on Amazon AWS (Amazon Web Services) Infrastructure as a Service (IaaS). In this model, Acquia has sole responsibility to the customer for processing customer data. While Amazon, as the infrastructure provider, maintains the underlying data centers, Amazon personnel have no access to customer data. To provide further assurance to the customer, Amazon is contractually obligated to Acquia to abide by all privacy regulations and provide the same level of confidentiality as Acquia provides to its customers.

A lack of availability due to vendor lock-in: Proprietary technology may make it difficult for a cloud client to shift data and documents from one cloud provider to another.

Since Drupal is open source software, customers are not locked into Acquia as their vendor. Acquia's customers may export their data and code to another provider or their own on-premise data center at any time.
A lack of confidentiality due to law enforcement: Law enforcement and national security officials have access to data stored within cloud service providers in advanced economies, including the United States, Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, and the United Kingdom.

Acquia commits to notifying its customers if it is the subject of a data inquiry from any law enforcement agency unless such notification is prohibited.
A lack of intervenability: The term intervenability refers to a person's right to access, change, or update their personal information that has been collected.

Providing access to modify, correct, or delete personal data or information is an application layer function that is implemented at the application (Drupal) layer if the site collects personal information from its users.

A lack of isolation: This term refers to the risk of data being utilized for unintended purposes.

Acquia, as detailed in its Privacy Policy, commits to never communicating its customers' data to any third party for any purpose beyond the functional requirements that are detailed in Acquia's Privacy Policy.

A lack of transparency of the service provider due to chain processing or processing at different locations: This refers to the need for cloud service providers to be transparent about their use of subcontractors that may have access to the customer's data. In addition, only subcontractors with acceptable data privacy controls should be utilized.

Acquia clearly states the parameters of its relationship with its partner, Amazon AWS, and provides the locations where the customer may choose to host its sites (such as the U.S., EU, etc.). Acquia is ultimately responsible to the customer in the event of a data breach by a subcontractor.

Legal framework and applicable law: Applicable laws are derived from the country where the cloud customers are based, not where the service provider is located.

Acquia is Safe Harbor certified and committed to abiding by EU privacy laws.

Recommendations for Cloud Service Providers and Cloud Customers

The Working Party provides the following recommendations to cloud customers and cloud service providers:

- Cloud customers should conduct comprehensive and thorough risk analysis of cloud service providers.
- Cloud customers should choose service providers based on their agreement to comply with relevant data protection laws.
- Cloud service providers should guarantee compliance with EU data protection legislation and adhere to the basic principles of EU data protection law. These principles include: maintain transparency; adhere to the principle of purpose specification and limitation of privacy data; and process data only within the parameters of the service contract. Lastly, personal data should be erased as soon as its retention is no longer needed, and appropriate technical and organizational security controls must be provided to protect personal data to ensure the data's confidentiality.

Acquia Cloud is fully compliant with these recommendations.

Contractual Safeguards

The Working Party stresses the importance of contractual safeguards between the service provider and its customers. Contracts between the cloud customer and cloud service provider should establish data security requirements. Acquia complies with all customer data security requirements as part of the contract process. The Working Party recommends that the following points be addressed in a contract:

- Obligate the cloud service provider to implement organizational and technical data security to adequately protect personal data.
- Detail the extent, manner, and purpose of the processing of personal data by the cloud provider, if applicable.
- Specify the conditions for returning data or destroying personal data.
- Include a confidentiality clause binding the service provider so that only authorized personnel have access to personal data.
- Obligate the service provider to assist the customer in providing the ability for personal information to be corrected, updated, or deleted.
- Prohibit the cloud service provider from sending personal data to any third parties, unless specifically provided for in the agreement.
- Obligate the service provider to specify and name subcontractors and ensure that confidentiality extends to subcontractors.
- Require the service provider to notify the customer in case of a data security breach.
- Specify where data may be processed and stored.
- Ensure the cloud customer's rights to monitor, and specify the duty of the service provider to ensure that security requirements are met.
- Obligate the service provider to inform the customer in case of major technical changes.
- Specify processing activities used during the logging of personal data.
- Require the cloud service provider to inform the cloud customer about any legally binding request for disclosure of personal data by law enforcement, unless otherwise prohibited.
- Require the service provider to represent that its internal organization and data processing processes are compliant with applicable national and international legal requirements.

For guidance on contractual addendums that meet the above criteria, see model clause 2010/87/EC: http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2010:039:0005:0018:EN:PDF

Conclusion

Acquia advocates that EU organizations considering a cloud investment should weigh the privacy and regulatory issues that can arise when storing and processing personal data in the cloud. The Working Party has detailed the pertinent risks when privacy data will be processed or stored by cloud service providers. Organizations should conduct risk assessments of cloud service providers and should be assured that the Working Party's recommended contract provisions are included in agreements with cloud vendors. Acquia supports the Working Party opinion of Article 29 and can provide documentation upon request to provide assurances that Acquia meets all risk assessment criteria.

Copyright 2013, Acquia, Inc.
Acquia, Inc.
25 Corporate Drive, 4th Floor
Burlington, MA 01803 USA
www.acquia.com
sales@acquia.com
+1.781.238.8600