The International Working Group on Data Protection in Telecommunications (“the Working Group”) released a working paper on privacy and data protection issues surrounding cloud computing, specifically examining the processing of personal data. The paper recognises the growing popularity of cloud computing; however, the Working Group advises that caution should be taken because of the fact that cloud computing is still relatively new. The paper sets out a number of recommendations on how to minimise the risk of data loss, and how certain precautions should be taken in cloud computing environments.

The National Institute of Standards and Technology defines ‘cloud computing’ in its Special Publication 800-145, which the Working Group describes as “an excellent starting point for the further investigation” of cloud computing and how it can be used. However, there is still a level of uncertainty around cloud computing, in particular in relation to privacy and data protection issues; and the evolution of cloud computing has raised a number of important issues which are discussed in the paper, including the fact that:

  • The technology is still in progress
  • The technology is boundless and trans-boundary
  • Data processing has become global as a result of cloud computing
  • There is a general lack of transparency around cloud service providers

As a result, these issues may lead to an increased risk of breaches of:

  • Information security going unnoticed by a data controller
  • Data being transferred to jurisdictions that do not have adequate data protections in place
  • A data controller losing control of the data

The Working Group makes a number of recommendations on the subject of the relationship between data protection and cloud computing, including that:

  • Cloud computing must not lead to a lowering of data protection standards
  • Data controllers should carry out privacy impact and risk assessments (as necessary) before embarking on cloud computing projects
  • Data protection regulatory authorities (DPAs) should continue to provide information on the privacy and data protection issues affecting cloud computing

In addition to the recommendations, the Working Group lists 27 guidance points on best practice, and an additional 17 points on the background to the recommendations.

On best practice guidance, the key points include:

  • Cloud computing implementation should take place in measured steps, starting with non-sensitive and non-confidential information
  • Processing sensitive data via cloud computing raises additional concerns and therefore requires additional safeguards
  • Location audit trails should be automatically made available to data controllers and DPAs
  • Effective technical measures should be developed to prevent personal data from being transferred illegally to jurisdictions without adequate data protection
  • Personal data at rest and in transit should be encrypted. Encryption keys should not be available to anyone other than the data controller and cloud service provider.