The new European Cloud Partnership and UK ICO Guidance on Personal Data and Cloud Computing


[authors: Cynthia Larose and Susan Foster]

EC Cloud Partnership

The European Commission recently announced a €10 million campaign aimed at establishing standards and voluntary certification programs to make cloud computing services better aligned with European data protection laws.  The EC intends to leverage the purchasing power of national and local governments throughout Europe to persuade cloud providers to adapt their services to meet European levels of data security and portability, as well as improving transparency to end users concerning how and where their data are processed.  Although the EC stresses that compliance will be voluntary, it’s clear that there will be significant commercial pressure on cloud providers to meet the EC standards, which are to be defined by the end of 2013.

In a nutshell, the EC wants to ensure that individuals, governmental entities, companies and other organizations that want to use cloud services will not need to be concerned that cloud service providers will fail to meet the relatively stringent European data protection requirements.  The EC sees this concern as an obstacle to wider adoption of cost-saving cloud services in Europe.  The EC solution will include both technical (standard setting) and legal elements.  The EC has already signaled that it intends to develop model contract terms covering data preservation after a cloud service contract ends, data disclosure and integrity, data location, data transfer, ownership of data and liability.

EU Press Release:  Digital Agenda: New strategy to drive European business and government productivity via cloud computing

EU Memo: Unleashing the Potential of Cloud Computing in Europe – What is it and what does it mean for me? 

ICO Guidance on Personal Data and Cloud Computing

The recent announcements from the EC concerning cloud computing are complemented by useful guidance published by the United Kingdom’s Information Commissioner’s Office on personal data and cloud computing.  None of the recommendations in the UK’s new guidance are startling – the basic proposition is that data controllers remain responsible for the processing of personal data whether done via the cloud or more traditional means.  However, there are examples that could be useful in determining how the UK’s data protection laws can be satisfied in the context of cloud services.  The ICO has also provided a helpful checklist of things to consider when using cloud services – this list could be particularly useful when reviewing a new contract for cloud services, or doing a contract audit to check whether current arrangements are adequate.  And to its credit, the ICO managed to fit the checklist on a single, user-friendly page.

ICO Guidance on the Use of Cloud Computing (see page 23 for the useful checklist)


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin - Privacy & Security Matters | Attorney Advertising

Written by:


Mintz Levin - Privacy & Security Matters on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.