Since launching its consultation in October 2011, France’s Commission nationale de l' informatique et des libertés (CNIL) has bided its time in issuing its long awaited Guidelines. Businesses have had a tough time negotiating with cloud providers over the various compliance issues raised by the data protection legislation. The Guidelines should clarify a number of issues, even if they fail to ease the pressure on cloud providers.
The Guidelines were published on 25 June 2012, shortly after the release of WP 29’s checklist for Processor BCRs. They contain recommendations and a list of essential elements that a cloud service agreement should contain (as well as corresponding draft clauses).