Cloud computing has been described as: ‘…an elastic executing environment of resources involving multiple stakeholders and providing a metered service at multiple granularities for a specified level of quality (of service).’ What this means in practice is that data is transferred to a cloud provider who processes the data on behalf of the cloud customer. Cloud computing is not really a new technology but rather a different business model, which has led some to dismiss it as a marketing gimmick. Whatever the technological significance of the shift to cloud computing, this shift has manifold consequences for the data protection rights of subjects. Cloud computing means outsourcing data storage to the cloud; this may mean a data centre in a neighbouring street or on a neighbouring continent. This move gives rise to a number of concerns from a data protection perspective:
Firstly, the provider of cloud computing services will be the data processor; the owner of the data will remain the controller. The controller will remain liable for the actions of the processor. The controller remains obliged to ensure the security of the data, and the contract between the controller and processor must contain certain specific terms. Security measures for personal data must be appropriate and must take into account the risks posed by transmission across networks.
Secondly, if the cloud computing provider is based in a jurisdiction outside the EU then the issue of trans-border data flows will arise.
Other issues identified by the European Network and Information Security Agency (ENISA) include service portability, security issues, incomplete data deletion, data protection risks and law enforcement access.
The Article 29 Working Party has set out the data protection issues arising in the ‘cloud’ in its Opinion 5/2012.
The Data Protection Commissioner has also recently set out the legal issues in ‘Data Protection in the Cloud’ (July 2012).