CNIL Issues Cloud Computing Recommendations

Cloud computing services offers have recently increased. However, according to the French data protection authority (CNIL), most cloud computing providers do not give much information about the types of security measures that are in place to protect information. It’s also not clear that there are sufficient technical or procedural measures in place to protect data. According to CNIL, “this transparency insufficiency and the lack of control mean that [those that use cloud computing services] do not have all necessary information to comply with their duties as data controllers.”

To help companies better understand obligations and protect data when using cloud computing services, CNIL recently issued a set of recommendations. These include:

1. making sure that the cloud computing client clearly identifies the data that will be in the cloud;
2. having the cloud service provider define what security measures it uses;
3. make sure a an analysis has been conducted to identify risks and security measures in place;
4. look at what type of cloud/technological platform will be used and if it is appropriate for the type of information that will be stored in the cloud;
5. make sure that the cloud services provider provides sufficient contractual and procedural guarantees in place to protect information;
6. review internal security policies and procedures; and
7. monitor the services and relationship with the cloud computing vendor over time to ensure that the foregoing are still appropriate.

With respect to the sufficiency of contractual clauses, CNIL provided sample model clauses for contracts with cloud computing service providers.

Tip: The recommendations can be helpful for companies considering using cloud computing services, even if not subject to French requirements.