It has been reported that Google will give EU businesses the opportunity to store personal data exclusively on servers in the EU. This appears to have been prompted by compliance difficulties with the current EU data protection Directive when cloud computing service providers store personal data on servers or in data centres based outside the EU. Such compliance difficulties encountered by cloud clients were highlighted by Peter Hustinx, the European Data Protection Supervisor (EDPS), in his opinion issued on November 16, 2012 (http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-11-16_Cloud_Computing_EN.pdf).
The EDPS is an independent supervisory authority devoted to protecting personal data. Hustinx monitors the EU administration’s processing of personal data, advises on policies and legislation that affect privacy and cooperates with other authorities to ensure consistent data protection. The EDPS Opinion’s analysis of the main challenges that cloud computing brings and how the future European Data Protection Regulation could answer such challenges is particularly interesting. The major issues and proposals included in the Opinion are summarized below. Hustinx posited that issues such as the applicability of the EU data protection law, the allocation of responsibility between the client and the provider, and the international transfers of data need to be addressed in order to ensure cloud clients that cloud computing can be carried out in compliance with high standards of data protection.
As the specific location of the cloud data is usually not known by the client, the applicability of EU law is indeed one of the first major issues that come to mind. The proposed EU Regulation would broaden the jurisdiction to which the EU law would apply as it would be based on whether either the service provider or the data subject is located in the EU. As this second criteria appears to be limited to individuals, the EDPS argues for its extension to businesses, as cloud clients are often companies.
Another major issue is the allocation of responsibility among the various market participants. Cloud computing is complex, as different players cooperate in order to deliver the service to the client. In this chain, it can be difficult to allocate responsibilities for compliance with data protection rules. The cloud client is usually the data controller, and must ensure that the cloud service provider abides with data protection rules. But the cloud service provider usually drafts the contracts offered to the cloud client. The contractual asymmetry between service providers and clients may make it difficult for clients to comply with their obligations as data controllers. In addition, the service provider is in charge of the IT infrastructure and its security. The cloud client may not have effective control over issues such as security, data breach notification, etc. To address this balance of power between the cloud client and cloud service provider, the EDPS opined that the service provider’s responsibility should be greater, and that qualifying the cloud service provider as a co-controller might be more appropriate. The EDPS also emphasized that guidance from the EU Commission, including the provision of best practices on controller/processor’s responsibility, will be necessary.
Finally, cloud computing is obviously an international issue. Data are being conveyed from cloud clients to cloud service providers’ servers and data centres located in various parts of the world. The current EU data protection Directive imposes conditions on the transfer of personal data to non-EU countries. But the compliance with such rules is challenging, in particular because the cloud client (data controller) has little or no knowledge of the cloud architecture and of the places where the service provider or its sub-processors are processing the data. The proposed EU Regulation has provisions that would improve the international transfers in cloud computing through standard contractual clauses or Binding Corporate Rules (BCRs) that will apply to the processor’s group. The EDPS opined that the notion of transfer should be more clearly defined, that further guidance from the EU Commission will be necessary to assist processors with the use of BCRs and to develop standard contractual clauses tailored for the transfer of data from processors based in the EU to processors located outside the EU. The EDPS also stressed the need for international dialogue and, if relevant, for the conclusion of multilateral or bilateral agreements with non-EU countries on issues such as jurisdiction and access to cloud data by law enforcement authorities around the world.