Unleashing the potential of cloud computing in Europe

2013/2063(INI)

Opinion of the European Data Protection Supervisor (EDPS)

The EDPS welcomes the Communication presented by the Commission on 27 September 2012.

The opinion focuses especially on the challenges that cloud computing poses for data protection and how the proposed data protection regulation would tackle them.

The EDPS opinion has three goals:

1) Highlight the relevance of privacy and data protection in the current discussions on cloud computing: the opinion underlines that the level of data protection in a cloud computing environment must not be inferior to that required in any other data processing context.

2) Analyse the difficulty of establishing unambiguously the responsibilities of the different actors and the notions of controller and processor: in this respect, the proposal for a regulation on data protection should:

  • expand the circumstances in which a cloud service provider may be qualified as the controller;
  • increase the responsibility and accountability of data controllers and processors, by introducing specific obligations such as data protection by design and by default, data security breach notifications, and data protection impact assessments;
  • require controllers and processors to implement mechanisms to demonstrate the effectiveness of the data protection measures implemented;
  • help cloud clients and cloud service providers adduce appropriate data protection safeguards for the transfers of personal data to data centres or servers located in third countries;
  • clarify the obligations of controllers and processors regarding the security of processing and information requirements in case of data breaches;
  • reinforce cooperation of supervisory authorities and their coordinated supervision over cross-border processing operations, which is particularly crucial in an environment such as cloud computing.

3) Identify areas that require further action at EU level from a data protection and privacy perspective. They include, amongst others:

  • providing further guidance;
  • standardisation efforts;
  • carrying out further risk assessments for specific sectors (such as the public sector);
  • developing standard contract terms and conditions;
  • engaging in international dialogue on issues related to cloud computing and ensuring effective means of international cooperation.