The European Data Protection Authorities, assembled in the
Article 29 Working Party, adopted an opinion on cloud computing
in which they analyse relevant data protection issues for cloud
computing customers and cloud computing service providers operating
in the European Economic Area.
According to the Opinion, cloud computing can generate
significant benefits in both economic and societal terms. However,
the rise of cloud computing also represents a challenge to data
protection. The main risks identified in the Opinion include
lack of control over personal data, and
insufficient information regarding how, where and by whom data
is being processed.
Cloud computing customers may not be in exclusive control of
their data. This means that they may not be able to deploy the
measures necessary to ensure for example the availability and
confidentiality of data, for which they still remain legally
responsible under EU law and applicable national legislation.
In addition, insufficient information about a cloud service's
processing operations poses a risk to data controllers as well as
to data subjects, because they might not be aware of potential
threats and risks.
The Opinion concludes that organisations wishing to use cloud
computing services should always conduct a comprehensive and
thorough risk analysis. Clients should choose a cloud provider that
guarantees compliance with EU data protection legislation. The
Opinion states that any contract between the cloud computing
customer and the provider should include sufficient guarantees in
terms of technical and organisational measures.
The Opinion hardly offers any new information for professionals in
this field of law, but the recommendations of the Working Party are
likely to lead the way with regard to future changes in the
European data protection framework.
The Opinion highlights the fact that it is essential for every
organisation wishing to outsource the processing of personal data
to ensure, that:
The planned processing of personal data is legal; and
The contract between the cloud provider and the client includes
sufficient terms with respect to data protection and data
It should also be noted that in order to meet legal
requirements, certain notifications of such outsourcing to Data
Protection Authority may be needed.
For instance, pursuant to the Finnish Personal Data Act, a data
controller who has outsourced the processing of personal data (e.g.
contracted cloud computing services) is under an obligation to
notify the Data Protection Ombudsman of such data processing.
Furthermore, anyone who is engaged in computing on the behalf of
another and processes personal data in this activity, must notify
the same to the Data Protection Ombudsman.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A US district court in New York has recently ruled that ReDigi, the operator of an online marketplace for pre-owned music downloads, is liable for copyright infringement.
In a decision earlier this month, a US district court in New York has ruled that ReDigi, the operator of an online marketplace for pre-owned music downloads, is liable for copyright infringement.
The processing of personal data is regulated by the Federal Act on Data Protection, its ordinances and by other laws.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”