On 1 July 2012, the Article 29 Data Protection Working Party (the "Working Party"), the independent European advisory body on data protection and privacy, adopted an opinion on cloud computing (WP196) (the "Opinion"). The Opinion analyses all relevant issues for cloud computing service providers and their clients under the EU Data Protection Directive 95/46/EC (the "Data Protection Directive"). The Opinion highlights a number of data protection risks triggered by the deployment of cloud computing services and provides guidelines and recommendations for clients and providers of cloud computing services. It also considers future changes in the European data protection regulatory framework.
Cloud computing basically consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage and memory space. The Opinion emphasises two specific data protection risks associated with cloud computing, namely (i) the lack of control over the data (i.e., the cloud client may no longer be in exclusive control of his data and cannot deploy the technical and organisational measures necessary to ensure the availability, integrity, confidentiality, isolation, intervenability and portability of the data); and (ii) the absence of transparency or insufficient information regarding the processing operation. This poses a risk to the data subjects as well as to the cloud client, who might not be aware of all the potential threats and risks associated with the use of cloud computing (such as the use of multiple processors or sub-processors).
The Opinion considers the Data Protection Directive to be the main legal framework for assessing cloud computing with regard to data protection, whereas the e-Privacy Directive 2002/58/EC could also be relevant if publicly available electronic communications services in public communications networks are provided by means of a cloud solution. According to the Opinion, the cloud client should be considered the data controller, while the cloud provider will typically act as the data processor, save in cases where the provider processes the personal data for its own purposes. Pursuant to Article 4 of the Data Protection Directive, the applicable law will therefore usually be the legislation of the country in which the cloud client is established, rather than that of the place where the cloud computing providers are located.
The Opinion examines the key data...