On 25 February 2016, the Belgian Privacy Commission (Commissie voor de bescherming van de persooonlijke levenssfeer/Commission de la protection de la vie privée "Privacy Commission") published an opinion on cloud computing by data controllers (Opinion 10/2016 – the "Opinion"). The Opinion offers guidelines on how to comply with the Belgian Privacy Law of 8 December 1992 (Wet tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens / Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel) (the "Law") when using cloud computing services. The Opinion follows an earlier opinion of the Article 29 Working Party on the same subject (see, VBB on Belgian Business Law, Volume 2012, No 7, p. 7, available at www.vbb.com ).

The Opinion (i) explains how the obligations of the Law apply to cloud services; (ii) highlights the specific risks for the protection of personal data in this context; and (iii) provides specific recommendations on contractual terms, technical protection measures and the selection of cloud services.

Obligations under the Law

In its Opinion, the Commission starts by recalling the main principles and obligations under the Law. Unfortunately, the Opinion does not assess the impact of the recently adopted General Data Protection Regulation on the provision of cloud services.

The Opinion explains that, in general, the cloud service customer will be deemed to be the controller and therefore must choose a processor providing sufficient guarantees with respect to technical and organisational security measures governing processing activities. In addition, the responsibility of the cloud provider towards the controller must be determined by a contract.

The controller must require a list of physical locations where the data can be stored or processed. The cloud service customer must ensure that the data are processed in countries providing an adequate level of data protection. In this regard, the Privacy Commission indicates that the European Commission's Standard Contractual Clauses or approved Binding Corporate Rules can be used to ensure adequate protection for transfers to third countries outside the EEA.

Access to data by the cloud service provider should be limited to what is necessary to ensure the provision and maintenance of the service. The Opinion also discusses access by foreign authorities for national security reasons and notification of such access to the cloud service customer.

Risks

In its Opinion, the Privacy Commission discusses various risks to personal data in the context of cloud computing services.

The physical fragmentation of data across servers and data centers, which can be located in different countries, entails potential risks for data protection such as data breach, loss, abuse, consultation by third parties or access by foreign authorities.

In addition, the Privacy Commission points out that several countries, including the U.S., have the ability to access cloud data located outside of their territories when data is considered as being important to their interests. This access can take place without the possibility for the cloud service provider to inform his client.

Moreover, in cloud environments, infrastructure such as a storage space, memory and networks are shared with several clients. This creates new risks relating to unlawful access and/or processing for purposes other than those agreed between the cloud service customer and cloud service provider.

Guidelines

Finally, the Opinion provides specific recommendations on the selection of cloud services and sets out (minimal) contractual guarantees and technical requirements for cloud service contracts.

In order to cope with these risks of unauthorised treatment or access, the Commission recommends an adequate data isolation. This requires an adequate management of access rights and roles for access to personal data, which should be reviewed regularly. Furthermore, when granting access rights, the principle of "least privilege" according to which users and administrators only have access to information necessary for their legitimate purposes should be applied.

The above risks may also be limited by the use of encryption techniques provided that only the cloud customer has access to the encryption key. Encryption should in any case be used when transferring data and, where possible, during storage in the cloud.

Finally, the Commission recommends that a risk analysis be conducted by an independent body specialised in information security.

Companies that wish to retain cloud service providers or plan to reopen existing cloud service agreements are advised to take account of the guidance provided by the Privacy Commission. The Opinion contains clear recommendations on what contracts with cloud service providers must guarantee. However and as noted, the Opinion does not take account of the upcoming General Data Protection Regulation which contains significant changes for contracts between controllers and processors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.