The following article excerpt on “Tempest in Cloud Computing Market: Will EU Article 29 Working Party’s Opinion Force a Rethink of the Safe Harbor Principles?” was written by the external legal counsel of the CSA, Ms. Francoise Gilbert of the IT Law Group. We repost it here with her permission. Please download the PDF version to read it in full.
In its Opinion 05/2012 on Cloud Computing (Opinion), published July 2 as document WP 196, the Article 29 Working Party analyzes the applicable data protection laws and obligations for companies providing or using cloud computing services in the European Economic Area (EEA). The Opinion identifies data protection risks that are likely to result from the use of cloud computing services, such as lack of control over personal data and lack of information about how, where, and by whom the data are being processed or sub-processed in the cloud. It also stresses the importance of informing data subjects about who processes their data, for what purposes, and in which locations, and how they can exercise the rights afforded to them in this respect when their data are hosted or processed in the cloud. The Opinion examines the issues associated with the sharing of resources with other parties, the lack of transparency of outsourcing chains with multiple cloud processors and subcontractors, and the transfer of personal data to cloud providers established outside the EEA. In this regard, the most significant aspect of the Opinion is its negative evaluation of the ability of the Safe Harbor self-certification to meet the requirements of the national laws implementing the 1995 European Union Data Protection Directive. The Article 29 Working Party thinks that the loss of governance, insufficient audit trails, and insecure or incomplete data deletion are not sufficiently addressed in the existing Safe Harbor principles to provide adequate assurance that the necessary security measures are met.