EDPS Opinions are usually required when a legislative proposal may have an impact on personal privacy. In this instance the EC Communication is more a policy rather than a legislative proposal. Although the EDPS was informally consulted by the EC prior to the Communication – and he notes that some of his comments were taken into account – he was not asked to provide a formal opinion.
Today, “In view of the importance of cloud computing... the EDPS has decided to issue this Opinion on his own initiative,” adding, “this Opinion is not limited to the subjects addressed in the Communication.” In a large part the Opinion addresses cloud implications as relevant to the proposed Data Protection Regulation.
The Opinion has three purposes. Firstly he wants to highlight the relevance of privacy and data protection to cloud computing. “The level of data protection in a cloud computing environment must not be inferior to that required in any other data processing context,” he stresses.
The second purpose is to analyze the main challenges to privacy highlighted by the cloud – such as, he suggests, the difficulties in establishing “unambiguously the responsibilities of the different actors and the notions of controller and processor.”
The third purpose is to identify areas that require further action at EU level in light “of the cloud strategy put forward by the Commission in the Communication.”
Access to EU data by non-EU law enforcement agencies, and by definition outside of EU due process, is an example of the privacy complications. Here the EDPS refers to the cloud and the proposed new EC Data Protection Regulation rather than the cloud Communication. He calls “for the inclusion of a specific provision in the proposed Regulation to clarify the conditions under which access from non-EEA countries could be allowed. Such provision may also include the obligation for the recipient of the request to inform and consult the competent supervisory authority in the EU in specific cases.” Such provisions, he suggests, should be integrated into “the various international agreements (including trade agreements)” with non-EU countries.
In its conclusion the Opinion makes a number of suggestions, including, for example, that it be made clear that the processing of EU personal data by non-EU based controllers “also falls within the territorial scope of the proposed Regulation.” His biggest concern is that the complexity of cloud computing may lead to a dilution of privacy controls, and the Opinion contains numerous requests for greater clarification of the issues. “We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfill their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards,” said Peter Hustinx, the European Data Protection Supervisor this morning.