Today, the European Data Protection Supervisor (EDPS) adopted his opinion on the Commission Communication on “Unleashing the potential of Cloud Computing in Europe” in which the Commission proposes key actions and policy steps to speed up the use of cloud computing services in Europe. The EDPS Opinion not only reacts to the Communication but also highlights the data protection challenges created by cloud computing and how the proposed Data Protection Regulation will tackle them when the reformed rules come into effect.
While many businesses, public authorities and consumers expect to benefit from a reduction in IT services costs and/or access to better services when using cloud computing, the main issue of concern for cloud customers is whether the system is reliable and trustworthy and that data processing operations can be carried out in compliance with data protection rules. Here to read more.
Peter Hustinx, EDPS, says: “Cloud computing can bring enormous benefits to individuals and organisations alike but it must also provide an adequate level of protection. Currently, many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfil their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards.”
Accountability is a cornerstone of data protection and the responsibilities of all parties involved in cloud computing must be clearly defined in law. Without such definitions, the complexity and the involvement of multiple service providers in cloud computing could lead to an attribution of data protection obligations and responsibilities between cloud customers and cloud service providers that do not reflect their roles and actual influence on the service and a serious lack of protection in practice. The risk that no one takes full responsibility for data protection in this complex environment is of real concern.
In the EDPS’ view, the imbalance of power between cloud customers and cloud service providers could be addressed by developing standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurement and international data transfers.
This together with the proposed Data Protection Regulation that provides clear rules to ensure that cloud service providers are fully accountable for their processing, will guard against data protection responsibilities from being up in the air and evaporating in the cloud.