EDPS Opinion on EC communication on cloud computing

By EDRi · November 21, 2012

This article is also available in:
Deutsch: [EDSB-Stellungnahme zu Cloud Computing | https://www.unwatched.org/EDRigram_10.22_EDSB-Stelungnahme_zu_Cloud_Computing?pk_campaign=edri&pk_kwd=20121107]

On 16 November 2012, the European Data Protection Supervisor (EDPS)
published his opinion on the European Commission’s communication on
“Unleashing the potential of Cloud Computing in Europe” issued on 27
September 2012, in which the Commission proposes key actions and policy
steps for the use of cloud computing services in Europe. In his opinion,
the EDPS draws the attention upon the data protection challenges brought
forth by cloud computing and on how the proposed Data Protection
Regulation will deal with these challenges when the reformed rules come
into effect.

The EDPS believes that, while cloud computing can bring large advantages
such as a decreased cost of IT services and better access to these
services, one of the main issues related to cloud computing is the
necessity of having reliable and trustworthy systems for the cloud
customers and of complying with data protection rules when dealing with
data processing.

“Currently, many cloud customers, including members of social media,
have little influence over the terms and conditions of the service
offered by cloud providers. We must ensure that the cloud service
providers do not avoid taking responsibility and that cloud customers
are able to fulfil their data protection obligations. The complexity of
cloud computing technology does not justify any lowering of data
protection standards.”

In Peter Hustinx’s opinion, all parties involved in cloud computing must
have precise responsibilities, clearly defined by the law, to avoid the
unbalance of power between cloud customers and cloud service providers.
Therefore, standard commercial terms and conditions that respect data
protection requirements for commercial contracts, public procurement and
international data transfers should be developed.
The EDPS also recommends a clearer and more complete guidance on the
mechanisms that would ensure the effectiveness of data protection measures.

According to the proposed new EU data protection rules data controllers
would be necessary to verify that the mechanisms put in place by the
cloud providers to protect personal data are efficient enough to provide
that data processing and storing complies with these rules. “Especially
in the context of cloud computing, more specific guidance is required to
clarify which mechanisms should be put in place to ensure verification
of the effectiveness of data protection measures in practice” says Hustinx

The opinion recommends the development of best practices on issues such
as controller/processor responsibility, retention of data in the cloud
environment, data portability and the exercise of data subjects’ rights
as well as the development of standards and certification schemes to
fully incorporate data protection criteria.

Cloud computing implies that data may be stored on servers all around
the world. Presently, the EU data protection laws do not allow companies
to transfer personal data outside of the European Economic Area (EEA)
countries unless adequate protections are in place (or unless the
destination country has been pre-approved as having adequate data

Hustinx also believes a clear definition is needed for the data transfer
and the criteria allowing access to the data in the cloud by law
enforcement bodies outside the EEA countries, especially having in view
that, with cloud computing, the data is not only transferred but “made
available to a number of recipients located in various countries (often
unknown to the cloud customer/end user).”

While welcoming the EC plans to develop a new contract model for
companies to use in service level agreements with cloud computing
providers, the EDPS said that the new contracts should contain terms to
prevent cloud providers from denouncing their responsibility for data
confidentiality and security, or their liability for data loss or
corruption. He also considers that the new contract model should contain
provisions to force cloud providers to tell clients whether it is
possible to store data in a single country or region as well as to
obtain their clients’ consent before changing the terms of their cloud
computing service contracts. The terms of contracts should also include
information about the personal data processing activities, such as
“where the data may be processed, compliance with certification
scheme/standards, guarantees that there are appropriate safeguards in
place at all levels of the infrastructure and wherever the data are
transmitted or stored, specific safeguards for sensitive data,
identification of the relevant supervisory body,” says the EDPS in his

This opinion comes in line with that of the Article 29 Working Party
which, in its opinion of July 2012, said that businesses wishing to use
cloud services to store and process personal data, should select a cloud
provider that guarantees compliance with EU data protection legislation.”

EDPS: responsibility in the Cloud should not be up in the air (16.11.2012)

Opinion of the European Data Protection Supervisor on the Commission’s
Communication on “Unleashing the potential of Cloud Computing in Europe”

Businesses need more guidance on how to verify cloud providers’ data
protection compliance, says EU watchdog (16.11.2012)

Unleashing the Potential of Cloud Computing in Europe (27.09.2012)

Article 29 Data Protection Working Party – Opinion 05/2012 on Cloud
Computing (1.07.2012)