The Spanish data protection agency reports on international transfers in the context of cloud computing

05 December 2012

Alexander Benalal

The Spanish Data Protection Agency (AEPD) has released a report providing guidance on international transfers in the context of cloud computing. The report (0157/2012) was released following the proposals of the EU Commission on the reform of the legal framework for the protection of personal data. 

This report is the result of a consultation tailored for a cloud service provider, and provides guidance on the AEPD's stance on international transfers in the context of cloud computing, and the future directions that might be taken in that respect. 

Key Observations:

A third party audit could be an adequate guarantee:

The Controller to Processor Standard Contractual Clauses (“SCC”) approved in the EU Commission Decision 2010/87/UE, require individual audits by the exporter/data controller, however in the context of cloud computing a relevant third party audit chosen by the importer/cloud provider could be an adequate guarantee if such auditor is fully independent, is certified, and the controller can have access to the results of the audit.

A single (framework) agreement to cover all clients wouldn't imply fewer guarantees for the data controller:

Despite the fact that clause 11 of the SCC implies that the importer/cloud provider would need to sign with its sub processor(s) one agreement for each of its clients, the signature of a single (framework) agreement by the processor/cloud provider with the sub processors to cover all the clients would not necessarily imply fewer guarantees for the data controller. Also, the contract between the client and the cloud provider does not necessarily need to name all sub processors: it can just refer to a website where such sub processors (as well as the services they will provide and location) are clearly identified.

The above changes would not be considered SCCs of the same nature as those derived from Decision 2010/87/UE, but could be authorised by the AEPD:

The AEPD makes it clear that the above changes in the SCCs would imply that the provided clauses would not be considered of the same nature as the ones given by Decision 2010/87/UE. However, the new set of clauses could be authorised by the AEPD.

The AEPD may indeed authorise the transfer if the controller adduces adequate safeguards for the protection of privacy and fundamental rights of individuals, and as regards the exercise of the corresponding rights. In that case, the AEPD would allow such transfer, given the above considerations that the third party audit and the signature of a single (framework) agreement by the processor with the sub processors provides adequate guarantees for the data transfer.

Additionally, the AEPD explicitly says that, apart from allowing such a transfer, it could also adopt a resolution to authorise the international transfer of data in the context of the provided set of clauses. If this was adopted, data controllers would not need to request authorisation from the AEPD to make international data transfers in each case: they would only need to notify the modifications in their data files, making reference to the above mentioned AEPD's resolution.

Therefore, as per the above, the AEPD appears  to open the door to the cloud providers adopting sets of clauses that, once authorized by the AEPD, could be used by their clients as a passport to transfer the data without seeking further authorisations. If confirmed, this would be an important and positive advance in the way of dealing with cloud computing data transfers.

If you have any questions, please contact us:

Alexander Benalal
Senior Associate