In 2011, the French data protection authority, the CNIL, launched a public consultation on cloud computing.
Drawing on these contributions, the CNIL published recommendations on 25 June 2012 for French companies that want to use cloud services.
As the CNIL explains, many cloud-computing services are available on the market: infrastructure hosting (IaaS – Infrastructure as a Service), provision of development platforms (PaaS – Platform as a Service) or online software (SaaS – Software as a Service). These services are offered in public clouds (service shared between many clients), private clouds (cloud dedicated to one client) or hybrid clouds (combination of both models, public and private).
In order to comply with personal data protection law, businesses have to deal with matters such as security, applicable law, transfers of personal data, guarantees given by the service providers, etc.
As the CNIL points out, service providers usually have standardised contracts, and it is difficult for businesses, especially small and medium-sized companies, to negotiate clauses relating to security, liability, etc.
In the recommendations, the CNIL gives clear explanations in order to help businesses comply with the French personal data law, and provides ready-made clauses to cover most types of situations, which can be inserted in the contracts entered into with the service and hosting providers.
Read the CNIL's presentation (in English).
Read the CNIL's recommendations (in French).