Opinion EU Data protection supervisor
121. As described in the Communication, cloud computing offers many new opportunities to businesses, consumers, and the public sector for the management of data through the use of remote external IT resources. At the same time, it presents many challenges in particular as to the appropriate level of data protection offered to data processed therein.
122. The use of cloud computing services raises a major risk of seeing responsibility evaporating in relation to processing operations carried out by cloud service providers, if the criteria for applicability of EU data protection law are not sufficiently clear and if the role and the responsibility of cloud service providers are defined or understood too narrowly, or are not implemented effectively. The EDPS emphasizes that the use of cloud computing services cannot justify a lowering of data protection standards as compared to those applicable to conventional data processing operations.
123. In this respect, the proposed Data Protection Regulation, as it has been put forward, would provide many clarifications and tools that would help ensure that a satisfactory level of data protection is complied with by cloud service providers offering their services to clients based in Europe, in particular:
- Article 3 would clarify the territorial scope of the EU data protection rules and broaden its scope so that cloud computing services would be covered;
- Article 4(5) would introduce a new element of controllership, that is "conditions". This would be in line with the developing trend according to which, in view of the technical IT complexity underlying the provision of cloud computing services, it is necessary to expand the circumstances in which a cloud service provider may be qualified as the controller. This would better reflect the real level of influence on the processing operations;
- the proposed Regulation would increase the responsibility and accountability of data controllers and processors, by introducing specific obligations such as data protection by design and by default (Article 23), data security breach notifications (Articles 31 and 32), and data protection impact assessments (Article 33). Furthermore, it would require controllers and processors to implement mechanisms to demonstrate the effectiveness of the data protection measures implemented (Article 22);
- Articles 42 and 43 of the proposed Regulation would allow a more flexible use of international data transfer mechanisms, to help cloud clients and cloud service providers adduce appropriate data protection safeguards for the
transfers of personal data to data centres or servers located in third countries;
- Articles 30, 31 and 32 of the proposed Regulation would clarify the obligations of controllers and processors regarding the security of processing and information requirements in case of data breaches, laying the basis for a comprehensive and cooperative approach to the management of security between the different actors in a cloud environment;
- Articles 55 to 63 of the proposed Regulation would reinforce cooperation of supervisory authorities and their coordinated supervision over cross-border processing operations, which is particular crucial in an environment such as cloud computing.124. The EDPS nonetheless suggests that, after having taken into account the specificities of cloud computing services, further clarifications be made in the proposed Regulation on the following aspects:
- as concerns the territorial scope of the proposed Regulation, to amend Article 3(2)(a) to read "the offering of goods or services involving processing of personal data of such data subjects in the Union", or alternatively to add a new recital specifying that the processing of personal data of data subjects in the Union by non-EU based controllers offering services to EU based legal persons also falls within the territorial scope of the proposed Regulation;
- to add a clear definition of the notion of 'transfer', as stated in his Opinion on the Data Protection Reform package;
- to add a specific provision to clarify the conditions under which access to data stored in cloud computing services by non-EEA countries law enforcement bodies could be allowed. Such provision may also include the obligation for
the recipient of the request to inform and consult the competent supervisory authority in the EU in specific cases.125. The EDPS also underlines that further guidance will be necessary from the Commission and/or from supervisory authorities (in particular through the future European Data Protection Board) on the following aspects:
- to clarify which mechanisms should be put in place to ensure verification of the effectiveness of the data protection measures in practice;
- to assist processors with the use of BCRs and how they can comply with applicable requirements;
- to provide best practices on issues such as controller/processor's responsibility, the appropriate retention of data in the cloud environment, data portability, and the exercise of data subjects' rights.126. Furthermore, the EDPS acknowledges that codes of conduct drawn up by the industry and approved by the relevant supervisory authorities could be a useful tool to enhance compliance as well as trust among the various players.
127. The EDPS supports the development by the Commission, in consultation with supervisory authorities, of standard contractual terms for the provision of cloud computing services that respect data protection requirements, in particular:
- to develop model contractual terms and conditions to be included in the commercial terms of cloud computing service offerings;
- to develop common procurement terms and requirements for the public sector, taking into account the sensitivity of the data processed;
- to further tailor international data transfer mechanisms to the cloud computing environment, in particular by updating the current standard contractual clauses and by putting forward standard contractual clauses for the transfer of data from processors based in the EU to processors located outside the EU.128. The EDPS underlines that appropriate consideration must be given to data protection requirements in the development of standards and certification schemes, in particular:
- to apply the principles of privacy by design and privacy by default in the development of the standards;
- to integrate data protection requirements such as purpose limitation and storage limitation in the standards' design;
- the obligations of providers to provide their clients with the information necessary to perform a valid risk assessment and the security measures they implemented, as well as alerts about security incidents.129. Finally, the EDPS stresses the need to address the challenges raised by cloud computing at an international level. He encourages the Commission to engage in an international dialogue on the issues raised by cloud computing, including jurisdiction and access by law enforcement, and suggests that many of these issues could be addressed in different international or bilateral agreements, such as Mutual Assistance Agreements and also trade agreements. Global standards should be developed at international level to set forth minimum conditions and principles regarding the access to data by law enforcement bodies. He also supports the development by the supervisory authorities of effective international cooperation mechanisms, in particular as relates to cloud computing issues.
