European Data Protection Supervisor Weighs In On The Cloud Debate By Issuing An Opinion

Author:Ms Marianne Le Moullec
Profession:Proskauer Rose LLP

It has been reported that Google will give EU businesses the opportunity to store personal data exclusively on servers in the EU. This appears to have been prompted by compliance difficulties with the current EU data protection Directive when cloud computing service providers store personal data on servers or in data centres based outside the EU. Such compliance difficulties encountered by cloud clients were highlighted by Peter Hustinx, the European Data Protection Supervisor (EDPS), in his opinion issued on November 16, 2012 ( mySite/shared/Documents/Consultation/Opinions/2012/12-11-16_Cloud_Computing_EN.pdf).

The EDPS is an independent supervisory authority devoted to protecting personal data. Hustinx monitors the EU administration's processing of personal data, advises on policies and legislation that affect privacy and cooperates with other authorities to ensure consistent data protection. The EDPS Opinion's analysis of the main challenges that cloud computing brings and how the future European Data Protection Regulation could answer such challenges is particularly interesting. The major issues and proposals included in the Opinion are summarized below. Hustinx posited that issues such as the applicability of the EU data protection law, the allocation of responsibility between the client and the provider, and the international transfers of data need to be addressed in order to ensure cloud clients that cloud computing can be carried out in compliance with high standards of data protection.

As the specific location of the cloud data is usually not known by the client, the applicability of EU law is indeed one of the first major issues that come to mind. The proposed EU Regulation would broaden the jurisdiction to which the EU law would apply as it would be based on whether either the service provider or the data subject is located in the EU. As this second criteria appears to be limited to individuals, the EDPS argues for its extension to businesses, as cloud clients are often companies.

Another major issue is the allocation of responsibility among the various market participants. Cloud computing is complex, as different players cooperate in order to deliver the service to the client. In this chain, it can be difficult to allocate responsibilities for compliance with data protection rules. The cloud client is usually the data controller, and must ensure that the cloud service provider abides...

To continue reading