31 July 2012

Cloudy Weather

The Article 29 Working Party - the EU data protection policy body that comprises representatives of the 27 EU data protection authorities, the European Data Protection Supervisor and the European Commission - has formally adopted a 27 page Opinion on cloud computing [PDF].

The Opinion is aimed at cloud providers (processors) and users of cloud services (data controllers), with an emphasis on greater understanding of their responsibilities. It features recommendations including requiring cloud providers to tell their clients where their data may be physically stored, to make sure cloud providers delete all personal data in the cloud if it's no longer necessary, and to inform clients about any sub-contractors they plan to use to process data. It also includes specific recommendations covering transfer of European data to the US, notably that cloud clients demand the implementation of data protection safeguards with model contract clauses or a legal agreement which imposes regular reporting and auditing requirements on cloud providers to prove that data is being handled according to EU law.

The Article 29 Working Party comments that -
In this Opinion the Article 29 Working Party analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant. 
Despite the acknowledged benefits of cloud computing in both economic and societal terms, this Opinion outlines how the wide scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed. These risks need to be carefully assessed by public bodies and private enterprises when they are considering engaging the services of a cloud provider. This Opinion examines issues associated with the sharing of resources with other parties, the lack of transparency of an outsourcing chain consisting of multiple processors and subcontractors, the unavailability of a common global data portability framework and uncertainty with regard to the admissibility of the transfer of personal data to cloud providers established outside of the EEA. Similarly, a lack of transparency in terms of the information a controller is able to provide to a data subject on how their personal data is processed is highlighted in the opinion as matter of serious concern. Data subjects must1 be informed who processes their data for what purposes and to be able to exercise the rights afforded to them in this respect. 
A key conclusion of this Opinion is that businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis. All cloud providers offering services in the EEA should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service. Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services. In terms of the recommendations contained in this Opinion, a cloud client’s responsibilities as a controller is highlighted and it is thus recommended that the client should select a cloud provider that guarantees compliance with EU data protection legislation. Appropriate contractual safeguards are addressed in the opinion with the requirement that any contract between the cloud client and cloud provider should afford sufficient guarantees in terms of technical and organizational measures. Also of significance is the recommendation that the cloud client should verify whether the cloud provider can guarantee the lawfulness of any cross-border international data transfers. 
Like any evolutionary process, the rise of cloud computing as a global technological paradigm represents a challenge. This Opinion, as it stands, can be deemed to be an important step in defining the tasks to be assumed in this regard by the data protection community in the upcoming years..