Friday 16 November 2012

Businesses need more guidance on how to verify cloud providers' data protection compliance, says EU watchdog


Organisations need to be provided with further guidance over how to ensure that the cloud computing providers they wish to contract with deal with personal data in a manner that complies with EU data protection laws, a privacy watchdog has said.

Full text here.

Certainly, personal data protection covers storing and processing within the cloud, therefore compliance with EU data protection laws is required.

3 comments:

  1. I think there's an issue of where responsibility should sit here. I can fully understand why the data controller should be responsible for its actions, and its use of third parties. Conversely, we have to recognise that perhaps things are not as simple as they were, and that the world of data handling is no longer one in which the controller has complete control over the actions of those who are nominally processors. I may be a data controller, but my choice in using, say, Amazon's cloud service limits me to exactly what Amazon offers — I am certainly not going to be in a position to dictate Amazon's backup practices and the like. In many ways, I am paying Amazon so I do not have to worry about things like that even though, as a controller, perhaps, legally, I should.

    Giving controllers guidance is all well and good, but far better, in my mind, would be to conduct an appraisal of common cloud providers and issue a "compliant" or "non-compliant" ruling (a bit like whether a third country is approved for data export). In the light of the shifting power relationship between a controller and a substantial processor such as Amazon, this may ensure a better protection for personal data than giving controllers even more things to consider?

  2. The need for the controller to ensure the security of the processing (and sub-processing) is not new to the proposed regulation (as hinted by the article) but was already an obligation under the 95/46 Directive.

    However, I agree with Neil (and Peter Hustinx). The real issue is that with the cloud (and in general with new internet technologies) ensuring that sub-processing is done within the rules has a new taste. Checking how processing is done may be physically difficult (or impossible) and contracting power is reduced by the cloud model (cloud customers are usually small companies with little leverage to change standard clauses).

    A regulation on the processors (as anticipated by the regulation) may be a valid tool to enforce the rules "bottom-up" and reverse the burden to abide by the laws directly onto the ones processing. The "practical way" to do this may well be the "compliant logo" to put on the rules-savvy providers.
    Also, compulsory insurances for the controllers may be a way to go ..

    Salva

  3. > compulsory insurances for the controllers may be a way to go ..

    Bear in mind that the scope of data processing is very wide, and, in a time of austerity, requiring those processing personal data to pay more than a nominal notification fee would seem challenging, to my mind. I think it's fair to say that the interpretation of the "domestic purposes" exception in Lindqvist is unlikely to be construed so narrowly in the future, with the increasing use of online tools and sites such as Facebook for domestic purposes, but, even so, I'd be fearful that this approach would cost a lot of people quite a lot of money.
