![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
The French data protection authority (CNIL) launched a
on cloud computing on 17 October. The CNIL is seeking contributions on the notion and the privacy rules applicable to cloud computing.
Among the topics open to consultation are an attempt to define cloud computing as well as the characterization of the service provider as being presumably a data processor. This presumption could, however, be challenged taking into consideration a series of signs. The more standardized the service is and the lesser control the customer has over the data processing means the more chances of characterization of the cloud supplier as a data controller, in particular in the case of public clouds. This is the rationale that the CNIL submits to public comments. As a result, the data processing would have two controllers: the client and the service providers.
In addition, the CNIL is seeking comments on the criteria to determine applicable law. It also suggests legal and technical solutions to handle international data transfers and, in particular, recommends resorting to BCRs for processors.
As far as security issues are concerned, the authority is looking for feedback on contractual relationships between customers and service providers, in particular on how customers manage to comply with the security requirements of the Data Protection Act; the underlying question being: Do customers really have bargaining powers? The implementation of specific security measures (network and device protection, cryptography, tracking, access management, authentication, data retention, deletion and reversibility) is also a source of interest.
The consultation will end on 17 November.
