Recently, the Swedish Data Protection Authority (“DPA”) published a review of the use of cloud services, informed by three Swedish municipalities’ use of services from leading cloud providers. Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of Swedish data protection law with regard to cloud services. They contain a checklist that organizations using the cloud to provide services of their own should follow to ensure compliance. The guidelines stress the importance of negotiating contractual provisions that reflect the personal data processing practices of cloud providers, so that data controllers outsourcing to the cloud can ensure these are in line with their intentions. In summary, the Swedish DPA asserts that while it is possible for organizations to outsource processing of personal data to the cloud, it is under no circumstances possible for them to renounce responsibility for the manner in which personal data is processed.
This initiative follows decisions by other European DPAs, earlier this year, to reject the use of cloud services by public authorities because of security risks. In February 2011, the Danish DPA rejected the Municipality of Odense’s planned use of Google’s cloud computing services within schools. More recently, on September 29, 2011, the German federal and state DPAs issued a resolution on cloud computing and compliance with data protection law. In their statement, they urge cloud service customers to use cloud services only if they are in a position to fulfil their obligations as data controllers and have verified that the appropriate data security requirements are in place.