EU Recommendation: Protect Your Personal Data in the Cloud!
Although storing data in the cloud is now routine, even for the average consumer, bear in mind what cloud computing actually means. It has nothing to do with the weather. Simply put, cloud computing refers to the process of transferring data from a computer to the “cloud” – typically the Internet or other network – where the data can be accessed from a desktop or laptop computer, smartphone, or any other device, whether you are at home, in your office, or on the road. Cloud computing is not just about public servers, though; companies can also establish their own private clouds.
Cloud computing has experienced a boom in recent years thanks mainly to the development of mobile computing devices. Many people today store documents, music, photos, etc. online, but cloud computing can offer much more. It can provide businesses access to software tools, mailboxes, databases, data storage facilities and more via an online interface. Thanks to cloud computing, you can even use someone else’s hardware. Cloud computing services are becoming increasingly popular and promise lower prices for IT services.
The Cloud Out of Control
When personal data is stored in the cloud, a number of security issues arise. Only the future will provide answers that will help balance the frequent clash between strict legal requirements and the rapidly changing world of IT.
The essential issue is the security of data stored in the cloud. Although data saved on a desktop computer is not entirely safe, as it can be stolen or destroyed, data in the cloud is safe in those respects as it is usually backed up. But it would be foolish to say that data transferred to the cloud is perfectly safe. In addition to the general risk of unauthorised access, cloud computing is prone to personal data protection risks. That is exactly what the Article 29 Working Party (the EC’s independent advisory body) addressed in its Cloud Computing Opinion.
Parties wanting to use cloud computing services should especially bear in mind the risks resulting from inadequate control over data transferred to the cloud. Data providers lose exclusive control over such data and cannot, on their own, take sufficient security measures in the cloud. At the same time, data providers should consider whether they have sufficient information on cloud service providers. The cloud can be operated by undisclosed entities and the data can be transferred abroad – unbeknownst to the data provider – where adequate security of personal information and data cannot be guaranteed.
Think Twice, Get It in Writing
The opinion offers several recommendations. First of all, businesses and others wishing to use cloud computing should conduct a comprehensive and thorough risk analysis, which should especially address sensitive data. In addition, users (data providers) must be aware that they are in fact personal data administrators. Hence, they should choose a cloud provider who fully complies with all statutory requirements.
Before transferring any data, cloud users should obtain, either themselves or through their cloud provider, information on any third parties cooperating with the cloud provider that could have access to the data. Cloud users should also ask their provider to guarantee at least the basic principles of personal data processing (cloud providers themselves should provide information on all aspects of data handling). Cloud users should also demand sufficient guarantees that the data will not be further processed and that when they delete the data it will in fact be removed from the cloud.
Preferably, anyone intending to transfer personal data to the cloud – whether an individual or a business – should enter into a written agreement that defines how the data will be secured. The agreement should also set forth the terms and conditions for transferring the data abroad and specify who will have access to it. This also applies to private clouds within a business if the cloud is provided by an outsourced provider. The company should make sure the cloud framework agreement includes a specific clause on personal data protection.
Last but not least, the unbalanced negotiating power between the weaker cloud user (especially an individual or small business) and the stronger cloud provider should not force the cloud user to accept terms and conditions that infringe its right to have its personal data protected.