The European Data Protection Authorities, assembled in the Article 29 Working Party, adopted an opinion on cloud computing in which they analyse relevant data protection issues for cloud computing customers and cloud computing service providers operating in the European Economic Area.
According to the Opinion, cloud computing can generate significant benefits in both economic and societal terms. However, the rise of cloud computing also represents a challenge to data protection. The main risks identified in the Opinion include:
- lack of control over personal data, and
- insufficient information regarding how, where and by whom data is being processed.
Cloud computing customers may not be in exclusive control of
their data. This means that they may not be able to deploy the
measures necessary to ensure, for example, the availability and
confidentiality of data, for which they still remain legally
responsible under EU law and applicable national legislation.
In addition, insufficient information about a cloud service's
processing operations poses a risk to data controllers as well as
to data subjects, because they might not be aware of potential
threats and risks.
The Opinion concludes that organisations wishing to use cloud
computing services should always conduct a comprehensive and
thorough risk analysis. Clients should choose a cloud provider that
guarantees compliance with EU data protection legislation. The
Opinion states that any contract between the cloud computing
customer and the provider should include sufficient guarantees in
terms of technical and organisational measures.
The Opinion hardly offers any new information for professionals in
this field of law, but the recommendations of the Working Party are
likely to lead the way with regard to future changes in the
European data protection framework.
The Opinion highlights the fact that it is essential for every
organisation wishing to outsource the processing of personal data
to ensure that:
- The planned processing of personal data is legal; and
- The contract between the cloud provider and the client includes sufficient terms with respect to data protection and data security.
It should also be noted that in order to meet legal
requirements, certain notifications of such outsourcing to the Data
Protection Authority may be needed.
For instance, pursuant to the Finnish Personal Data Act, a data
controller who has outsourced the processing of personal data (e.g.
contracted cloud computing services) is under an obligation to
notify the Data Protection Ombudsman of such data processing.
Furthermore, anyone who is engaged in computing on behalf of
another and processes personal data in this activity must notify
the same to the Data Protection Ombudsman.