This post was written by Cynthia O’Donoghue.

The Article 29 Working Party (the “Working Party”) issued an Opinion on cloud computing that analyses the applicable law, obligations and other relevant issues for cloud service providers operating in the European Economic Area (“EEA”). The Opinion outlines how the wide-scale deployment of cloud computing services could trigger a number of data protection concerns.

The Article 29 Working Party Opinion discusses two main risks. The first relates to the lack of control by the data controller over the personal data processed in a cloud system, which may result in that controller no longer having exclusive control of the data. The second relates to a lack of transparency if the data controller receives insufficient information about the cloud provider’s processing operations. Without adequate information, a data controller may not be aware of the potential threats or risks to the personal data, especially if there is a chain of sub-processing or transfers outside the EEA. This would leave the data controller in a situation where it may be unable to take appropriate action.

The Opinion identifies the Data Protection Directive 95/46/EC as the relevant legal framework for cloud computing, with the legislation of the country in which the data controller is established, rather than the place in which the cloud computing providers are located, being the applicable legislation. If the controller is located outside the EEA, but the cloud provider is located in the EEA, then the provider exports the data protection legislation to the client. The Working Party also confirms that the customer of the cloud services is typically the data controller, with the cloud provider being the data processor.

The Working Party lists a number of data protection requirements that must govern the relationship between the cloud customer (or data controller) and the cloud provider. These are divided into three key areas:

  • Compliance with basic principles such as specific purpose, transparency and erasure of data
  • Safeguards put in place in contract for cloud computing services
  • Responsibility of the data controller to choose a cloud provider that will implement adequate technical and organisational security measures to protect personal data put in the cloud

Finally, the Opinion closes with recommendations aimed at data controllers seeking to put personal data in the cloud, such as conducting a comprehensive and thorough risk analysis which is underpinned by the cloud provider supplying all necessary information for a data controller to assess the pros and cons of using the cloud.

We will be issuing a detailed Client Alert on this important subject.