Privacy & Information Security Law Blog

On June 26, 2014, the European Commission issued guidelines on the standardization of service level agreements for cloud services providers (the “Guidelines”). In the context of the European Cloud Computing Strategy, launched by the European Commission in September 2012, the Guidelines focus on security and data protection in the cloud. They are based on the understanding that standardization will improve the clarity of service level agreements (“SLAs”) for cloud services in the European Union.

The Guidelines were prepared by an expert group set up by the European Commission in February 2013. The Cloud Select Industry Group - Subgroup on Service Level Agreements (C-SIG-SLA) includes representatives of the cloud services industry such as Alcatel-Lucent, Google, Salesforce.com Inc. and Symantec Corporation.

The Guidelines provide definitions of the legal and technical terms used in SLAs, as well as specific service level objectives (“SLOs”) designed to achieve standardization for several aspects of SLAs. Personal data protection SLOs are developed with reference to situations where the cloud service provider acts as a data processor on behalf of its customer acting as the data controller (e.g., B2B services). The Guidelines provide specific SLOs in terms of (1) codes of conduct, standards and certification mechanisms; (2) purpose specification; (3) data minimization; (4) limitations on the use, retention and disclosure of personal data; (5) openness and transparency; (6) accountability; (7) geographical location of cloud services’ customer data and (8) intervenability (i.e., the effectiveness of exercising the rights to access, rectify, erase, block or object the processing of one’s personal data). This chapter of the Guidelines may soon be revised after the adoption of the “Data Protection Code of Conduct for Cloud Services Providers” which was prepared by another expert group set up by the European Commission (the Cloud Select Industry Group - Data Protection Code of Conduct), and currently is being reviewed by the Article 29 Working Party.

In a letter attached to the Guidelines and addressed to Vice President of the European Commission Neelie Kroes, the C-SIG-SLA indicated that the Guidelines will form the basis of its submission to the ISO/IEC JTC1 Working Group on Cloud Computing, which is in the process of developing an international standard for cloud SLAs, to ensure maximum impact of the European position to be taken into account at the international level.