EDPS Opinion on EC communication on cloud computing
On 16 November 2012, the European Data Protection Supervisor (EDPS) published his opinion on the European Commission's communication "Unleashing the potential of Cloud Computing in Europe", issued on 27 September 2012, in which the Commission proposes key actions and policy steps for the use of cloud computing services in Europe. In his opinion, the EDPS draws attention to the data protection challenges raised by cloud computing and to how the proposed Data Protection Regulation will address these challenges once the reformed rules come into effect.
The EDPS believes that, while cloud computing can bring large advantages such as lower cost of IT services and better access to those services, one of the main issues it raises is the need for reliable and trustworthy systems for cloud customers and for compliance with data protection rules whenever personal data is processed.
"Currently, many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfil their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards."
In Peter Hustinx's opinion, all parties involved in cloud computing must have precise responsibilities, clearly defined by law, to avoid an imbalance of power between cloud customers and cloud service providers. Therefore, standard commercial terms and conditions that respect data protection requirements should be developed for commercial contracts, public procurement and international data transfers. The EDPS also recommends clearer and more complete guidance on the mechanisms that would ensure the effectiveness of data protection measures.
According to the proposed new EU data protection rules, data controllers would be required to verify that the mechanisms put in place by cloud providers to protect personal data are effective enough to ensure that data processing and storage comply with these rules. "Especially in the context of cloud computing, more specific guidance is required to clarify which mechanisms should be put in place to ensure verification of the effectiveness of data protection measures in practice," says Hustinx.
The opinion recommends the development of best practices on issues such as controller/processor responsibility, retention of data in the cloud environment, data portability and the exercise of data subjects' rights as well as the development of standards and certification schemes to fully incorporate data protection criteria.
Cloud computing implies that data may be stored on servers all around the world. Presently, the EU data protection laws do not allow companies to transfer personal data outside of the European Economic Area (EEA) countries unless adequate protections are in place (or unless the destination country has been pre-approved as having adequate data protection).
Hustinx also believes that a clear definition is needed of what constitutes a data transfer, and of the criteria under which law enforcement bodies outside the EEA countries may access data held in the cloud, especially given that, with cloud computing, the data is not only transferred but "made available to a number of recipients located in various countries (often unknown to the cloud customer/end user)."
While welcoming the EC's plans to develop a new contract model for companies to use in service level agreements with cloud computing providers, the EDPS said that the new contracts should contain terms preventing cloud providers from disclaiming their responsibility for data confidentiality and security, or their liability for data loss or corruption. He also considers that the new contract model should contain provisions requiring cloud providers to tell clients whether it is possible to store data in a single country or region, and to obtain their clients' consent before changing the terms of their cloud computing service contracts. The terms of contracts should also include information about the personal data processing activities, such as "where the data may be processed, compliance with certification scheme/standards, guarantees that there are appropriate safeguards in place at all levels of the infrastructure and wherever the data are transmitted or stored, specific safeguards for sensitive data, identification of the relevant supervisory body," says the EDPS in his opinion.
This opinion is in line with that of the Article 29 Working Party which, in its opinion of July 2012, said that businesses wishing to use cloud services to store and process personal data should select a cloud provider that guarantees compliance with EU data protection legislation.
EDPS: responsibility in the Cloud should not be up in the air (16.11.2012)
Opinion of the European Data Protection Supervisor on the Commission's Communication on "Unleashing the potential of Cloud Computing in Europe"
Businesses need more guidance on how to verify cloud providers' data protection compliance, says EU watchdog (16.11.2012)
Unleashing the Potential of Cloud Computing in Europe (27.09.2012)
Article 29 Data Protection Working Party - Opinion 05/2012 on Cloud