On July 1, an influential European body released an opinion that offers guidance to companies trying to comply with European Union (EU) personal data-protection requirements in the context of cloud computing—the “global technological paradigm,” as the opinion calls it, that companies are turning to in an attempt to manage their data efficiently and affordably. In its opinion, the Article 29 Working Party (WP 29) identifies some of the key privacy and security risks related to storing and processing personal data in the cloud. Notably, it also recognizes the economic benefits of the cloud and notes that cloud computing can offer security benefits: it allows small- to medium-size companies to acquire sophisticated data-security technologies that otherwise would be budgetary impossibilities.
The WP 29, mandated under Article 29 of the EU’s Data Protection Directive, consists of privacy experts and information commissioners from each EU member state who meet to discuss and publish opinions that aid in harmonizing the different states’ approaches to applying the directive. Although the opinion is not EU law, it carries quite a bit of authority.
A key conclusion of the WP 29 opinion is that entities considering storing or processing their data with a cloud provider should conduct a thorough risk analysis (see “Risk Assessment”). The WP 29 opinion identifies two broad categories of data-protection risk related to cloud computing: lack of control over personal data and lack of transparency about a cloud’s processing operations. It goes on to outline guidelines for clients and providers of cloud-computing services.
In one section of the opinion, the Working Party notes that data transfers to U.S. organizations adhering to Safe Harbor principles are lawful; however, it says, “sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.”