On November 16, 2012, European Data Protection Supervisor Peter Hustinx published an Opinion on the European Commission’s Communication on cloud computing (part of the Commission’s broader cloud computing strategy). The Opinion focuses on the accountability principle and emphasizes the importance of clearly defining the responsibilities of all parties involved in cloud computing, and analyzes specific cloud computing issues in the context of both the current EU data protection framework, as well as the proposed General Data Protection Regulation.
The Opinion also endorses the European Commission’s proposal to develop specific model contract terms for cloud computing. In Hustinx’s view, these model contract terms should reflect a realistic apportionment of accountability given the respective bargaining powers of the users and providers of cloud services. In addition to the topics listed by the Commission, Hustinx’s Opinion suggests that model contract terms also should address:
- unfair disclaimers for loss or corruption of data or for failing to keep data confidential and secure (such disclaimers should be removed);
- issues of jurisdiction so that users may bring proceedings in their own member states;
- data retention post-termination of the service contract as well as subsequent obligations to erase data;
- providing a straightforward way for data subjects to enforce their rights, particularly with respect to effective access to, and portability of, personal data; and
- information on the jurisdictions in which cloud data will be processed and the legal implications of processing in those countries (such as potential access by local law enforcement).
With respect to standardization and certification schemes, the Opinion notes that any new standards should take into account service interoperability issues and data portability between cloud service providers.