On 25 June 2012, the CNIL published on its website a summary article and a 10 page conclusion paper, along with a 21-page “recommendations” document, which constitute the French Data Protection Authority’s new guidance in that regard.
Aimed to target small- to medium-sized companies considering using cloud computing services, and aimed at helping them make more informed decisions regarding such services, these “recommendations” are in fact seven principles applicable to all cloud computing service agreements, to which the CNIL connects five “essential elements that have to be part to a Cloud computing services agreement”. In addition, the CNIL provides a 10-page document of “model clauses” aimed to implement the aforementioned “essential recommendations”.
Another essential point that the CNIL outlines in its guidance is that, in its view, the cloud computing service provider can hardly escape the legal qualification of data controller, since the presumption that the cloud computing service provider is a simple data processor can easily be reversed in its view.
This new guidance shows the CNIL’s will to impose in the short-term, new contractual standards.
For a more detailed analysis, please click here to read the issued Client Alert.