On 1 July 2012, the Article 29 Data Protection Working Party (the "Working Party"), the independent European advisory body on data protection and privacy, adopted an opinion on cloud computing (WP196) (the "Opinion"). The Opinion analyses all relevant issues for cloud computing service providers and their clients under the EU Data Protection Directive 95/46/EC (the "Data Protection Directive"). The Opinion highlights a number of data protection risks triggered by the deployment of cloud computing services and provides guidelines and recommendations for clients and providers of cloud computing services. It also considers future changes in the European data protection regulatory framework.

Cloud computing basically consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage and memory space. The Opinion emphasises two specific data protection risks associated with cloud computing, namely (i) the lack of control over the data (i.e., the cloud client may no longer be in exclusive control of his data and cannot deploy the technical and organisational measures necessary to ensure the availability, integrity, confidentiality, isolation, intervenability and portability of the data); and (ii) the absence of transparency or insufficient information regarding the processing operation. This poses a risk to the data subjects as well as the cloud client, who might not be aware of all the potential threats and risks associated with the use of cloud computing (such as the use of multiple processors or sub-processors).

The Opinion considers the Data Protection Directive as the main legal framework for assessing cloud computing with regard to data protection, whereas the e-Privacy Directive 2002/58/EC could also be relevant if publicly available electronic communications services in public communications networks are provided by means of a cloud solution. According to the Opinion, the cloud client should be considered as the data controller while the cloud provider will typically act as the data processor, save in cases where the provider processes the personal data for its own purposes. Pursuant to Article 4 of the Data Protection Directive, the applicable law will therefore usually be the legislation of the country in which the cloud client is established, rather than the place where the cloud computing providers are located.

The Opinion examines the key data protection requirements that must be ascertained in the cloud client-provider relationship, in particular compliance with the requirements of transparency, purpose specification and limitation, contractual safeguards, technical and organisational security measures (which the Opinion discusses in detail) and international data transfers. Most importantly, the Opinion recommends that cloud clients wishing to use cloud computing conduct as a first step a comprehensive and thorough risk analysis. For this purpose, the Opinion sets out a checklist for data protection compliance by cloud clients and providers.

The Opinion also puts special emphasis on the contractual arrangements that should govern the relationship between a cloud client and a cloud provider and sets out a number of issues that such contracts should address. Moreover, the Opinion discusses in detail the requirements governing the use of subcontractors. It is noteworthy that, according to the Working Party, cloud providers can only subcontract their activities with the consent of the cloud client (although such consent may be generally given) with a clear duty for the cloud provider to inform the cloud client of any intended changes concerning the addition or replacement of subcontractors and an obligation to name all the subcontractors commissioned.

As regards international data transfers, the Working Party takes the view that the traditional legal instruments providing a framework for data transfers to non-EU third countries not providing adequate protection have limitations. In particular, self-certification with Safe Harbour may not be sufficient and may have to be complemented by additional measures. In the Working Party's opinion, it is almost impossible to rely on the statutory derogations provided by Article 26 of the Data Protection Directive in the context of cloud computing. Whilst the European Commission's standard contractual clauses offer adequate safeguards, they do not apply to a situation where the cloud provider acting as a processor is established in the EU and uses non-EU subcontractors. Binding Corporate Rules for processors, on which the Working Party is currently working, will also provide adequate safeguards. The Working Party is particularly concerned about data protection risks arising from international law enforcement requests and calls for a prohibition of corresponding disclosures of personal data to be included in the future General Data Protection Regulation, subject to specific exceptions.

Finally, the Opinion also highlights some of the issues that need to be addressed in the future, in particular a better balancing of responsibilities between controller and processor and special precautions to be taken by the public sector. The Working Party supports the European Cloud Partnership (ECP) strategy presented by the Vice-President of the European Commission, Neelie Kroes, which provides that public IT procurement should stimulate a European cloud market.
