On July 1st, 2012, the Article 29 Working Party (WP29), a group consisting of data protection authorities of all EU Member States, adopted a long-awaited opinion on cloud computing. While acknowledging the advantages of cloud computing, the opinion sets out a number of data protection issues that may arise from the wide-scale deployment of cloud computing services by both businesses and administrations. The opinion highlights that, in most scenarios, the cloud client is the controller of the personal data stored in the cloud and, therefore, it is the responsibility of the client to select a cloud service provider that can guarantee compliance with EU data protection legislation. The opinion then sets out a number of recommendations that cloud clients should bear in mind when selecting a cloud service provider.
The recommendations include, among other things:
- Transparency. Since the cloud client is responsible for complying with data protection legislation, the WP29 points out that the client should require the cloud provider to inform the client about all data protection relevant aspects of their services, including being transparent about all subcontractors and the location of all data centres where the client’s personal data is being processed.
- Purpose limitation. The WP29 explains that the client is responsible for ensuring that personal data is not processed for further incompatible purposes by the cloud provider or one of his subcontractors. Therefore, the service agreement between the client and provider should include technical and organisational measures that mitigate such risk and provide for penalties against the provider or subcontractor if data protection law is breached.
- Security. The WP29 emphasises that cloud clients should ensure that their service providers are willing to specify in the service agreements concrete technical and organization measures to protect the data stored in the cloud. Such measures include, among other things, establishing reasonable means for timely and reliable access to personal data, encryption, authorization mechanisms controlling access to personal data and proper management of shared resources.
- International transfers. Since cloud computing often involves flows of data across borders, the WP29 stresses that cloud clients must ensure that their service providers protect the data when it is transmitted to countries that do not provide adequate level of data protection. The WP29 concludes that some measures, such as the Safe Harbor scheme, may not by themselves be sufficient to guarantee adequate level of security for the transferred data as required by national laws implementing the EU data protection directive.
- Audits. According to the WP29, cloud clients should have the power to audit the providers’ processing operations, however, the WP29 also recognizes that independent verification or certification by a reputable third-party can be a credible means for cloud providers to demonstrate their compliance with data protection obligations.