The European Commission recently announced a €10 million campaign aimed at establishing standards and voluntary certification programs to make cloud computing services better aligned with European data protection laws. The EC intends to leverage the purchasing power of national and local governments throughout Europe to persuade cloud providers to adapt their services to meet European levels of data security and portability, and to improve transparency for end users about how and where their data are processed. Although the EC stresses that compliance will be voluntary, it’s clear that there will be significant commercial pressure on cloud providers to meet the EC standards, which are to be defined by the end of 2013.
In a nutshell, the EC wants to ensure that individuals, governmental entities, companies and other organizations that want to use cloud services will not need to be concerned that cloud service providers will fail to meet the relatively stringent European data protection requirements. The EC sees this concern as an obstacle to wider adoption of cost-saving cloud services in Europe. The EC solution will include both technical (standard setting) and legal elements. The EC has already signaled that it intends to develop model contract terms covering data preservation after a cloud service contract ends, data disclosure and integrity, data location, data transfer, ownership of data and liability.
EU Press Release: Digital Agenda: New strategy to drive European business and government productivity via cloud computing
EU Memo: Unleashing the Potential of Cloud Computing in Europe – What is it and what does it mean for me?
ICO Guidance on Personal Data and Cloud Computing
The recent announcements from the EC concerning cloud computing are complemented by useful guidance published by the United Kingdom’s Information Commissioner’s Office on personal data and cloud computing. None of the recommendations in the UK’s new guidance are startling – the basic proposition is that data controllers remain responsible for the processing of personal data whether done via the cloud or more traditional means. However, there are examples that could be useful in determining how the UK’s data protection laws can be satisfied in the context of cloud services. The ICO has also provided a helpful checklist of things to consider when using cloud services – this list could be particularly useful when reviewing a new contract for cloud services, or doing a contract audit to check whether current arrangements are adequate. And to its credit, the ICO managed to fit the checklist on a single, user-friendly page.