In 2011, the French data
protection authority, the CNIL, launched a public consultation on cloud
computing.
Drawing on the contributions it received, the CNIL published recommendations
on 25 June 2012 for French companies that want to use cloud services.
As the CNIL explains, many cloud-computing
services are available on the market: infrastructure hosting
(IaaS – Infrastructure as a Service), development platforms (PaaS
– Platform as a Service) or online software (SaaS – Software as a Service).
These services are offered in public clouds (service shared between many
clients), private clouds (cloud dedicated to one client) or hybrid clouds
(combination of both models, public and private).
In order to comply with
personal data protection law, businesses have to deal with matters such as
security, applicable law, transfers of personal data, guarantees given by the
service providers, etc.
As the CNIL points out, the
service providers usually have standardised contracts and it is difficult for
businesses, especially for small and medium-size companies, to negotiate
clauses relating to security, liability, etc.
In the recommendations, the
CNIL gives clear explanations in order to help businesses comply with the
French personal data law, and provides ready-made clauses to cover most types
of situations, which can be inserted in the contracts entered into with the
service and hosting providers.
Read the CNIL's presentation (in English)
Read the CNIL's recommendations (in French)