The European Data Protection Authorities, assembled in the Article 29 Working Party, adopted an opinion on cloud computing in which they analyse relevant data protection issues for cloud computing customers and cloud computing service providers operating in the European Economic Area. (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf)
According to the Opinion, cloud computing can generate significant benefits in both economic and societal terms. However, the rise of cloud computing also represents a challenge to data protection. The main risks identified in the Opinion include:
- lack of control over personal data, and
- insufficient information regarding how, where and by whom data is being processed.
Cloud computing customers may not be in exclusive control of their data. This means that they may not be able to deploy the measures necessary to ensure, for example, the availability and confidentiality of data, for which they still remain legally responsible under EU law and applicable national legislation.
In addition, insufficient information about a cloud service's processing operations poses a risk to data controllers as well as to data subjects, because they might not be aware of potential threats and risks.
The Opinion concludes that organisations wishing to use cloud computing services should always conduct a comprehensive and thorough risk analysis. Clients should choose a cloud provider that guarantees compliance with EU data protection legislation. The Opinion states that any contract between the cloud computing customer and the provider should include sufficient guarantees in terms of technical and organisational measures.
The Opinion hardly offers any new information for professionals in this field of law, but the recommendations of the Working Party are likely to lead the way with regard to future changes in the European data protection framework.
The Opinion highlights the fact that it is essential for every organisation wishing to outsource the processing of personal data to ensure that:
- The planned processing of personal data is legal; and
- The contract between the cloud provider and the client includes sufficient terms with respect to data protection and data security.
It should also be noted that, in order to meet legal requirements, certain notifications of such outsourcing to the Data Protection Authority may be needed.
For instance, pursuant to the Finnish Personal Data Act, a data controller who has outsourced the processing of personal data (e.g. contracted cloud computing services) is under an obligation to notify the Data Protection Ombudsman of such data processing. Furthermore, anyone who is engaged in computing on behalf of another and processes personal data in this activity must also notify the Data Protection Ombudsman of this.