The Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), has issued three new guidance documents dealing with (1) the use of cookies, (2) cloud computing from a customer perspective and (3) cloud computing from a service provider perspective. The guides provide useful information on how to use modern IT solutions in conjunction with data protection compliance requirements.
The guide on cookies is the first such document in Europe prepared jointly by a data protection authority and industry representatives, and it addresses the main controversies over the application of the EU cookie rules in Spain. It is an important step, since the law was widely considered unclear and was often ignored. The guide discusses the various ways in which the statutorily required information can be provided, including website headers, footers or banners with links to more detailed sources. Privacy notices should describe the type and function of all cookies used, identify any third-party cookies, and explain how they can be removed. The guide confirms that user consent to cookies may be implied, provided that it rests on an affirmative action by the user; that action could be as little as scrolling the page on which the cookie information is visible, or consent could be inferred from browser settings. The AEPD has also made clear that both the website owner and any third parties setting cookies through the site are responsible for cookie law compliance.
The cloud computing guidance note aimed at users of cloud computing, i.e., cloud customers, sets out the main data protection issues to consider when using the cloud. In particular, the guide considers the implications of services being provided from countries not recognised as having adequate data protection laws. It also discusses the principal provisions to include in a contract that allows the cloud provider to subcontract part of the services; this section should be read together with the standard clauses for cross-border transfers of data to subcontractors previously published by the AEPD. The main risks of using the cloud, and issues relating to accountability and data portability, are also covered in the ‘cloud customers’ guide.
The third guide complements the ‘cloud customers’ guide but is directed at cloud service providers, who should aim to offer services that minimise compliance risk for their customers. It stresses that most providers will be deemed data processors, even though they remain responsible for maintaining their own information systems. The guide also sets out basic data protection compliance guidelines: providers should, among other things, review their contracts against the criteria set out in the guide, adapt their services and terms to comply, and bear in mind that liability for non-compliance does not rest purely with customers but may also fall on the cloud provider.