Archive for June, 2012

French CNIL Cloud Guidelines Address Controller vs. Processor Issues

25 June 2012 – The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller. The CNIL says that a cloud provider will generally be considered the data processor, but that the provider will become joint controller with the customer if the cloud customer lacks any real autonomy in the negotiation of the contract and in defining how the data are processed.

If the cloud customer is not able to give instructions to the cloud provider and must accept the cloud provider’s proposal “as is,” the CNIL will consider the cloud provider as joint controller, jointly liable with the customer for compliance with French data privacy laws. The CNIL’s guidelines indicate that providers of private clouds will generally be deemed processors, but that providers of public SaaS or PaaS cloud services will often be deemed joint controllers.

For more, see the Hogan Lovells Chronicle of Data Protection.