Cloud computing : CNIL's recommendations for companies using these new services
The expression "Cloud computing" stands for the offset to the "Internet cloud" of personal data and applications previously stored into servers and computers of companies, organisations or individuals. The associated economic model is similar to the rental of computing resources with a "pay per use" billing system.
The range of services has experienced strong growth over the past four years, particularly through storage and online editing of documents or even social networks for instance.
Many Cloud computing services are now available on the market: infrastructure hosting (IaaS – Infrastructure as a Service), supplying of development platforms (PaaS - Plateform as a Service) or online software (SaaS – Software as a Service). These services are proposed in public Clouds (service shared between many clients), private Clouds (Cloud dedicated to one client) or hybrid Clouds (combination of both models, public and private).
A necessary clarification of the legal framework
For businesses, Cloud computing is a major development of the IT services and offers many benefits, in particular by sharing both hosting and processing costs.
Matters such as security, providers' qualification, applicable law and data transfers are extremely delicate in the Cloud computing context. Then, companies considering using these services need to clarify the responsibility that lies upon them.
The offers standardization and the use of adhesion contracts by Cloud providers to formalize contractual relationships with their clients do not leave space for negotiating the terms of use of Cloud services. In addition, it appears that providers generally provide very few information to their clients about the technical and organizational measures implemented to guarantee data security and confidentiality of data processed on behalf of clients. This transparency insufficiency and the lack of control mean that they do not have all necessary information to comply with their duties as data controllers.
On the basis of the 49 answers to its public consultation, the CNIL clarifies today its analysis on the legal framework of the Cloud computing. It supports businesses that consider using Cloud computing services and particularly small and medium-sized companies, by offering practical recommendations. The CNIL also suggests them some model contractual clauses, which can be included in Cloud computing agreements.