Cloud Players in Firing Line as European Privacy Watchdog Lays Down the Law


Privacy watchdog the European Data Protection Supervisor (EDPS) has released new guidelines for EU bodies looking to transfer data out of the region, which could compel cloud providers to offer extra safeguards.

The ‘position paper’ released this week claims EU institutions increasingly need to transfer personal data to non-EU countries and organizations, but that the “principle of adequate protection” must be respected when doing so.
This means that citizens’ right to data protection is guaranteed no matter where that information ends up.
However, advances in cloud and mobile technology have created “new challenges” in ensuring that this is the case, the paper noted.
The European data protection watchdog said it may also need to use “supervision and enforcement tools” to ensure cloud providers are compliant.
These include prior checks if a particular “processing operation” is likely to “present specific risks to the rights and freedoms of data subjects”.
Consultations, complaints handling and inspections are also on the cards, it said.
More importantly for cloud providers, the EDPS has the power to impose a “temporary or definitive ban” on data processing or to refer a case to the Court of Justice.
Bob West, chief trust officer at cloud security provider CipherCloud, welcomed the report as an attempt to improve data protection standards.
“The EDPS’s signal to strengthen existing privacy mandates is a win for enterprises invested in cloud and also for consumers. In the past year, large-scale data breaches and confirmed cases of government surveillance underscored the frailty of online privacy,” he told Infosecurity by email.
“Trust took a big hit when it became clear that customers can’t just rely on providers and their traditional security tools. Companies also need tools that allow them to protect the data itself for the worst case scenario where computer networks are compromised.”
However, he urged the watchdog to produce more prescriptive guidelines.
“Based on previous customer conversations, there is a fair amount of confusion when new regulations are published because the language tends to be too general,” said West.
“Companies actually need more specific recommendations because cloud itself is new territory and a wide open space. What technologies qualify as ‘adequate’ protection?”   