Cloud computing : CNIL's recommendations for companies using these new services

25 June 2012

Cloud computing services have considerably developped these last years. However, their use by companies raises new questions in terms of legal and risk management. In order to clarify the applicable legal framework, the CNIL launched at the end of 2011 a public consultation on Cloud computing. In consideration of the large number of contributions received, the CNIL updates its analysis on the applicable legal framework. It also publishes practical recommendations for French companies, in particular small and medium-sized ones, that are interested to use Cloud services.

The expression "Cloud computing" stands for the offset to the "Internet cloud" of personal data and applications previously stored into servers and computers of companies, organisations or individuals. The associated economic model is similar to the rental of computing resources with a "pay per use" billing system.

The range of services has experienced strong growth over the past four years, particularly through storage and online editing of documents or even social networks for instance.

Many Cloud computing services are now available on the market: infrastructure hosting (IaaS – Infrastructure as a Service), supplying of development platforms (PaaS - Plateform as a Service) or online software (SaaS – Software as a Service). These services are proposed in public Clouds (service shared between many clients), private Clouds (Cloud dedicated to one client) or hybrid Clouds (combination of both models, public and private).

A necessary clarification of the legal framework

For businesses, Cloud computing is a major development of the IT services and offers many benefits, in particular by sharing both hosting and processing costs.

Matters such as security, providers' qualification, applicable law and data transfers are extremely delicate in the Cloud computing context. Then, companies considering using these services need to clarify the responsibility that lies upon them.

The offers standardization and the use of adhesion contracts by Cloud providers to formalize contractual relationships with their clients do not leave space for negotiating the terms of use of Cloud services. In addition, it appears that providers generally provide very few information to their clients about the technical and organizational measures implemented to guarantee data security and confidentiality of data processed on behalf of clients. This transparency insufficiency and the lack of control mean that they do not have all necessary information to comply with their duties as data controllers.

On the basis of the 49 answers to its public consultation, the CNIL clarifies today its analysis on the legal framework of the Cloud computing. It supports businesses that consider using Cloud computing services and particularly small and medium-sized companies, by offering practical recommendations. The CNIL also suggests them some model contractual clauses, which can be included in Cloud computing agreements.

Document reference