The European Data Protection Supervisor (EDPS) adopted on 16 November its opinion on the Commission Communication on "Unleashing the potential of Cloud Computing in Europe”, which establishes key actions and policy steps to promote and accelerate the use of cloud computing services across Europe.
Besides, because the relationship between cloud computing and data protection is currently being discussed, the supervisory authority also highlights the challenges generated by this new communication system and how the proposed Data Protection Regulation will tackle them. Likewise, the EDPS identifies areas that require further action at EU level.
Cloud computing and mobile computing services can benefit businesses and consumers by reducing costs in IT, but the main issue of concern for cloud customers is whether the system is reliable and trustworthy and that data processing operations can be carried out in compliance with data protection rules.
"Cloud computing can bring enormous benefits to individuals and organisations alike but it must also provide an adequate level of protection”, said Peter Hustinx, member of EDPS. The complexity of these services is increasing and both cloud providers and costumers should be also responsible, “The complexity of cloud computing technology does not justify any lowering of data protection standards."
In the EDPS view, accountability is a cornerstone of data protection and all parties involved must be clear when defining the law. A lack of a good definition could carry consequences, such as wrong interpretation and bad protection of personal data.
In addition, the fact that providers also act as regulators has its consequences, because they have to demonstrate and verify how are they applying the necessary control, Hutnix explained. For instance, Facebook is both provider and controller, but it has still a long list of activities to complete before comply with the European law, he added.
Balance between costumers and providers can be achieved by developing standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurement and international data transfers, the supervisor includes on its document.
EDPS' opinion also recommends to provide clear guidance on how ensure effectiveness of data protection measures and also define the notion of transfer and the criteria under which access to data in the cloud by law enforcement bodies outside the EEA countries could be allowed. Furthermore, Peter Hustinx highlighted that an investment on a good analysis of the cloud services is a must before use them.