The Article 29 Working Party established under the EU data privacy legislation published an opinion on 1 July 2012 addressing the data privacy compliance concerns associated with the use of cloud computing solutions.
The Working Party identified the concerns as falling into two categories:
The opinion is a reminder of the key contractual safeguards that must be put in place between the controller and the cloud service provider. The cloud service provider must agree to follow the instructions of the controller and must implement technical and organisational measures that are adequate to protect the personal data being put into the cloud-based solution. Among the particular provisions specified by the Working Party are:
These two requirements are sometimes problematic for the customer, and the fact that they are specifically referred to in the opinion will strengthen the negotiating position of controllers wishing to put in place arrangements for the processing of personal data by cloud service providers.
Working Party recommendations include:
The specific contractual protections include:
The opinion also raises the possibility that independent verification or certification of compliance with the requirements specified in the opinion could be provided by an independent third party, such as ISO, the IAASB or the Auditing Standards Board of the American Institute of Certified Public Accountants.
Data controllers who deploy or plan to deploy cloud computing solutions should review the Working Party recommendations and treat them as a checklist of the issues to cover in any cloud services contractual arrangement.