On 1 July 2012, the Article 29 Working Party issued an opinion on cloud computing in which it analyzes the possible privacy issues which have to be taken into account by the cloud computing service providers and their customers in the European Economic Area.

Cloud computing is a generic term for different kinds of technologies and service models which are directed at providing their services and making available their applications through the internet, and by which the end users have the benefit of the service online. These services are easy to set up and are just as easily adapted or extended, and as such lead to significant economic advantages. It also brings security benefits especially for small and medium-sized organisations, because they can acquire top-class technologies which otherwise might be too expensive.

However, the rise of cloud computing also represents a challenge to data protection. The wide scale deployment of cloud computing services can trigger a number of risks, such as the lack of control over personal data and insufficient information regarding how, where and by whom data is being processed. By submitting personal data to the systems managed by a cloud provider, cloud clients may no longer be in exclusive control of this data. This means that they may not be able to deploy the technical and organizational measures necessary to ensure for example the availability and confidentiality of data, for which the user of cloud computing services remains legally responsible under EU law.

In addition, insufficient information about a cloud service’s processing operations poses a risk to data controllers as well as to data subjects, because they might not be aware of potential threats and risks and thus cannot take measures they deem appropriate to mitigate those risks.

One of the key conclusions of the opinion is therefore that organizations wishing to use cloud computing services should, as a first step, conduct a comprehensive and thorough risk analysis. All cloud providers offering services in the European Economic Area should provide the cloud client with all the information necessary to rightly assess the pros and cons of using such a service. Security, transparency and legal certainty for the clients should be the key drivers behind offering cloud computing services. (LL)

The opinion can be found on