The European Data Protection Supervisor (EDPS), an independent authority dedicated to protecting personal data in the European Union, has adopted a European Commission opinion on Unleashing the Potential of Cloud Computing in Europe.

BACKGROUND

Cloud computing is a model for enabling access to a flexible network and pool of computing resources that can be made available, and released, rapidly. The European Commission appreciates the cost and convenience advantages offered by such services, recognising the potential benefits this technology holds for Europe. It also notes that uptake of cloud computing is already on the rise. On 27 September 2012, the European Commission published its communication on Unleashing the Potential of Cloud Computing in Europe (the communication). The communication proposed key measures and policy steps to accelerate the use of cloud computing services in Europe.

EDPS protects personal data by monitoring the processing of personal data by the European Union administration, advising on policies and legislation that affect privacy (by issuing opinions and comments) and cooperating with similar authorities to ensure consistency, chiefly via the Article 29 Working Party.

DISCUSSION

On 16 November 2012, the EDPS issued an opinion in relation to cloud computing, not only reacting to the EC Communication, but also highlighting the data protection challenges created by cloud computing.

While benefits, in the form of decreased IT services costs for better, more accommodating computer services, may be expected by individual and corporate users of cloud services, the EDPS emphasised that reliability and the integrity of the system, and whether processing can be carried out in accordance with data protection rules, was still the primary issue of concern for cloud customers. The EDPS stated explicitly that

The complexity of cloud computing technology does not justify any lowering of data protection standards.

Many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfill their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards.

The EDPS focused on the concept of accountability, commenting that responsibility for data protection must not be lost. As such, the responsibilities and obligations of all parties involved in cloud computing contacts, however multi-layered or complex, must be defined clearly in law. Without clear rules and definitions there is a risk that the data protection obligations and responsibilities will be ascribed between cloud customers and cloud service providers in such a way so as to inaccurately reflect their roles or influence or, worse, no party will be responsible, resulting in a severe lack of protection.

Bearing all this in mind, the EDPS has recommended that

  • The imbalance of power between cloud customers and service providers could be tackled by developing standard commercial terms and conditions, which respect the parties’ data protection obligations, for use in cloud computing contracts. This mirrors the strategy adopted by the European Commission.
  • Technical standards relating to data protection in the cloud should be introduced and accompanied by certification schemes that fully incorporate data protection criteria. This also mirrors directly one of the key action points adopted by the European Commission.
  • Further guidance on ensuring the effectiveness of data protection measures in practice should be made available.
  • There should be further guidance on the use of binding corporate rules (BCRs) in relation to cloud computing. The EDPS suggested that BCRs may be particularly suitable for use in relation to cloud computing services and that this mechanism for international data transfers should be promoted in this context.
  • Best practices should be developed in relation to key issues, including controller/processor responsibility, data portability and the retention of data in the cloud.
  • The notion of data transfer, and the conditions under which law enforcement bodies outside the European Economic Area can access data in the cloud, should be defined clearly.