EDPS Opinion on Cloud Computing

November 16, 2012

On 16 November, the European Data Protection Supervisor adopted his opinion on the Commission Communication on ‘Unleashing the potential of Cloud Computing in Europe’ in which the Commission proposes key actions and policy steps to speed up the use of cloud computing services in Europe. The EDPS Opinion not only reacts to the Communication but also highlights the data protection challenges created by cloud computing and how the proposed Data Protection Regulation will tackle them when the reformed rules come into effect.

The Opinion can be seen in full here.

While many businesses, public authorities and consumers expect to benefit from a reduction in IT services costs and/or access to better services when using cloud computing, the main issue of concern for cloud customers is whether the system is reliable and trustworthy and whether data processing operations can be carried out in compliance with data protection rules.

Peter Hustinx, the EDPS, said:

‘Cloud computing can bring enormous benefits to individuals and organisations alike but it must also provide an adequate level of protection. Currently, many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfil their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards.’

The reference to ‘members of social media’ might suggest that he has not taken adequate account of the impending universality of cloud computing, but the Opinion itself is more reassuring.

Accountability is a cornerstone of data protection and the responsibilities of all parties involved in cloud computing must be clearly defined in law. Without such definitions, the complexity and the involvement of multiple service providers in cloud computing could lead to an attribution of data protection obligations and responsibilities between cloud customers and cloud service providers that does not reflect their roles and actual influence on the service, and to a serious lack of protection in practice. The risk that no one takes full responsibility for data protection in this complex environment is of real concern.

In the EDPS’ view, the imbalance of power between cloud customers and cloud service providers could be addressed by developing standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurement and international data transfers.

This, together with the proposed Data Protection Regulation, which provides clear rules to ensure that cloud service providers are fully accountable for their processing, will guard against data protection responsibilities being left up in the air and evaporating in the cloud.

Other EDPS recommendations include:

· clarifying and providing further guidance on how to ensure the effectiveness of data protection measures in practice and the use of binding corporate rules

· developing best practices on issues such as controller/processor responsibility, retention of data in the cloud environment, data portability and the exercise of data subjects’ rights

· developing standards and certification schemes that fully incorporate data protection criteria

· clearly defining the notion of transfer and the criteria under which access to data in the cloud by law enforcement bodies outside the EEA countries could be allowed.