EU News
EDPS: responsibility in the Cloud should not be up in the air
Recently, the European Data Protection Supervisor (EDPS) adopted his opinion on the Commission Communication on "Unleashing the potential of Cloud Computing in Europe" in which the Commission proposes key actions and policy steps to speed up the use of cloud computing services in Europe. The EDPS Opinion not only reacts to the Communication but also highlights the data protection challenges created by cloud computing and how the proposed Data Protection Regulation will tackle them when the reformed rules come into effect.
While many businesses, public authorities and consumers expect to benefit from a reduction in IT services costs and/or access to better services when using cloud computing, the main issue of concern for cloud customers is whether the system is reliable and trustworthy and whether data processing operations can be carried out in compliance with data protection rules.
Peter Hustinx, EDPS, says: "Cloud computing can bring enormous benefits to individuals and organisations alike but it must also provide an adequate level of protection. Currently, many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfil their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards."
Accountability is a cornerstone of data protection and the responsibilities of all parties involved in cloud computing must be clearly defined in law. Without such definitions, the complexity and the involvement of multiple service providers in cloud computing could lead to an attribution of data protection obligations and responsibilities between cloud customers and cloud service providers that does not reflect their roles and actual influence on the service, and to a serious lack of protection in practice. The risk that no one takes full responsibility for data protection in this complex environment is of real concern.
In the EDPS' view, the imbalance of power between cloud customers and cloud service providers could be addressed by developing standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurement and international data transfers.
This, together with the proposed Data Protection Regulation, which provides clear rules to ensure that cloud service providers are fully accountable for their processing, will guard against data protection responsibilities being up in the air and evaporating in the cloud.
Other EDPS recommendations include:
- Clarifying and providing further guidance on how to ensure the effectiveness of data protection measures in practice and the use of binding corporate rules
- Developing best practices on issues such as controller/processor responsibility, retention of data in the cloud environment, data portability and the exercise of data subjects' rights
- Developing standards and certification schemes that fully incorporate data protection criteria
- Clearly defining the notion of transfer and the criteria under which access to data in the cloud by law enforcement bodies outside the EEA countries could be allowed.
Background information
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The European Commission published its Communication on "Unleashing the Potential of Cloud Computing in Europe" on 27 September 2012. Data Protection Authorities in Europe adopted an opinion on Cloud Computing on 1 July 2012 and the international Data Protection and Privacy Commissioners' conference adopted a resolution on cloud computing on 26 October 2012.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
- monitoring the EU administration's processing of personal data;
- advising on policies and legislation that affect privacy;
- cooperating with similar authorities to ensure consistent data protection.
The opinion is available on the EDPS website. For more information: press@edps.europa.eu
EDPS - The European guardian of data protection
Follow us on Twitter: @EU_EDPS