EDPS: responsibility in the Cloud should not be up in the air
European Data Protection Supervisor - EDPS/12/15 16/11/2012
Brussels, Friday 16 November 2012
Today, the European Data Protection Supervisor (EDPS) adopted his opinion on the Commission Communication on "Unleashing the potential of Cloud Computing in Europe" in which the Commission proposes key actions and policy steps to speed up the use of cloud computing services in Europe. The EDPS Opinion not only reacts to the Communication but also highlights the data protection challenges created by cloud computing and how the proposed Data Protection Regulation will tackle them when the reformed rules come into effect.
While many businesses, public authorities and consumers expect to benefit from a reduction in IT services costs and/or access to better services when using cloud computing, the main issue of concern for cloud customers is whether the system is reliable and trustworthy and whether data processing operations can be carried out in compliance with data protection rules.
Peter Hustinx, EDPS, says: "Cloud computing can bring enormous benefits to individuals and organisations alike but it must also provide an adequate level of protection. Currently, many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfil their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards."
Accountability is a cornerstone of data protection and the responsibilities of all parties involved in cloud computing must be clearly defined in law. Without such definitions, the complexity and the involvement of multiple service providers in cloud computing could lead to an attribution of data protection obligations and responsibilities between cloud customers and cloud service providers that does not reflect their roles and actual influence on the service, and to a serious lack of protection in practice. The risk that no one takes full responsibility for data protection in this complex environment is of real concern.
In the EDPS' view, the imbalance of power between cloud customers and cloud service providers could be addressed by developing standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurement and international data transfers.
This, together with the proposed Data Protection Regulation, which provides clear rules to ensure that cloud service providers are fully accountable for their processing, will guard against data protection responsibilities being up in the air and evaporating in the cloud.
Other EDPS recommendations include:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The European Commission published its Communication on "Unleashing the Potential of Cloud Computing in Europe" on 27 September 2012. Data Protection Authorities in Europe adopted an opinion on Cloud Computing on 1 July 2012 and the international Data Protection and Privacy Commissioners' conference adopted a resolution on cloud computing on 26 October 2012.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
EDPS - The European guardian of data protection