The European Data Protection Supervisor (EDPS) will soon decide what extra checks are necessary for cloud services under contract to EU institutions. The EDPS released a position paper this week to provide guidance on applying EU data privacy regulation to cloud computing and mobile applications.
Data protected under Regulation (EC) No 45/2001 can be transferred outside of the EU, for instance to a cloud service provider’s data center “when an adequate level of protection is guaranteed.” How the EDPS will determine that adequate level of protection for the transfer, storage, and processing of the data is the focus of the position paper.
The position paper, titled “The transfer of personal data to third countries and international organisations by EU institutions and bodies” (PDF), cites the uneven degree of data protection among companies and nations.
“In many cases, the level of data protection offered by third parties and international organizations is much lower than that of the European Union, or does not exist at all,” the paper says. “For this reason, before a transfer to a third country or international organization takes place, the controller should ensure that data subjects are adequately protected.”
The EDPS suggests that adequate protection is defined by six principles. Data should be processed only for a specific purpose, kept accurate and up to date, and handled transparently and securely. The “data subject” should be able to access “all data relating to him/her” and have inaccuracies corrected, and service providers should only transfer data to other parties that also meet the regulatory requirements.
The EDPS will perform checks and consultations to ensure cloud service providers comply with these principles.
While the data security elements of “adequate protection” are likely to be easily met by service providers, the clauses relating to subject access and transparency may create extra work for cloud companies operating in the EU.