‘Cloud computing’ refers to the storage of data (such as text files, pictures and video) and software on remote computers, which users access over the internet on the device of their choice.

According to the European Data Protection Supervisor (hereinafter also “EDPS”), cloud computing is evolving and includes a wide range of technological solutions and business practices. In fact, the term is used with different meanings in different contexts (Opinion of the European Data Protection Supervisor on the Commission’s Communication on “Unleashing the potential of Cloud Computing in Europe”, 16 November 2012). The most widely used definition is that published by the US National Institute of Standards and Technology (NIST), which states that “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

Hence, given the characteristics mentioned above, it is no surprise that the EC expects the diffusion of cloud computing to generate substantial direct and indirect impacts on economic and employment growth in the EU, thanks to the migration to a new IT paradigm enabling greater innovation and productivity. However, the EU needs a swift adoption of the new data protection framework, which is expected to take place by 2014, when the new Data Protection General Regulation (COM(2012)11) proposed by the European Commission is likely to come into force.

In the meantime, in the context of the general policy debate in the EU on cloud computing, on 27 September 2012, the European Commission issued the Communication on “Unleashing the potential of Cloud Computing in Europe”, which highlighted the key actions of the European strategy on this topic that include:

  • cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility; necessary standards should be identified by 2013;
  • support for EU-wide certification schemes for trustworthy cloud providers;
  • development of model ‘safe and fair’ contract terms for cloud computing contracts including Service Level Agreements;
  • a European Cloud Partnership with Member States and industry to harness the public sector’s buying power (20% of all IT spending) to shape the European cloud market, boost the chances for European cloud providers to grow to achieve a competitive scale, and deliver cheaper and better eGovernment (Press Release, Digital Agenda: New strategy to drive European business and government productivity via cloud computing, Brussels, 27 September 2012).

As described in the Communication, cloud computing offers many new opportunities to businesses, consumers, and the public sector for the management of data through the use of remote external IT resources. At the same time, it presents many challenges, in particular as to the appropriate level of protection offered to the data processed therein.

The European Data Protection Supervisor (EDPS), in its opinion on the Commission’s Communication on “Unleashing the potential of Cloud Computing in Europe”, issued on November 16, 2012, supported the development by the Commission, in consultation with supervisory authorities, of standard contractual terms for the provision of cloud computing services that respect data protection requirements (Opinion of the European Data Protection Supervisor on the Commission’s Communication on “Unleashing the potential of Cloud Computing in Europe”, 16 November 2012).

In this regard, the European Data Protection Supervisor pointed out that, in order to protect personal data on cloud computing systems, it is essential:

  • to develop model contractual terms and conditions to be included in the commercial terms of cloud computing service offerings;
  • to develop common procurement terms and requirements for the public sector, taking into account the sensitivity of the data processed;
  • to further tailor international data transfer mechanisms to the cloud computing environment, in particular by updating the current standard contractual clauses and by putting forward standard contractual clauses for the transfer of data from processors based in the EU to processors located outside the EU.

In addition, the EDPS underlines that appropriate consideration must be given to data protection requirements in the development of standards and certification schemes, in particular:

  • to apply the principles of privacy by design and privacy by default in the development of the standards;
  • to integrate data protection requirements such as purpose limitation and storage limitation in the standards’ design;
  • to set out the obligations of providers to give their clients the information necessary to perform a valid risk assessment, details of the security measures they have implemented, and alerts about security incidents.

Finally, the EDPS stresses the need to address the challenges raised by cloud computing at an international level.

Further to this issue, it is important to remember the Resolution on cloud computing of 26 October 2012, which was adopted by the Data Protection and Privacy Commissioners during their 34th International Conference in light of the opinion on Cloud Computing (hereafter the “WP29 Opinion”) issued on 1 July 2012 by the Article 29 Working Party, which analyzed the application of the current data protection rules set forth in Directive 95/46/EC to cloud computing service providers operating in the European Economic Area (EEA) and their clients. In particular, this Resolution recommends that:

  • cloud computing should not lead to a lowering of privacy and data protection standards as compared with other forms of data processing;
  • data controllers carry out the necessary privacy impact and risk assessments (if necessary, by using trusted third parties) prior to embarking on CC projects;
  • cloud service providers ensure that they provide appropriate transparency, security, accountability and trust in CC solutions in particular regarding information on data breaches and contractual clauses that promote, where appropriate, data portability and data control by cloud users;
  • cloud service providers, when they are acting as data controllers, make available to users, where appropriate, relevant services;
  • further efforts be put into research, third party certification, standardisation, privacy by design technologies and other related schemes in order to achieve a desired level of trust in CC;
  • legislators assess the adequacy and interoperability of existing legal frameworks to facilitate cross-border transfer of data and consider additional necessary privacy safeguards in the era of CC, and Privacy and Data Protection Authorities continue to provide information to data controllers, cloud service providers and legislators on questions relating to privacy and data protection issues.

In conclusion, cloud computing offers many new opportunities to consumers and undertakings, but it presents many challenges related to the protection of personal data. These require the adoption of all the necessary EU and international reforms concerning standardization and certification for cloud computing, as well as the development of safe and fair contract terms and conditions, in order to deal with the security issues arising from the development and diffusion of cloud computing.