International Cloud Computing and the Protection of Personal Data
May 3, 2013
The cloud computing model can be attractive for small and medium-size companies that don’t want to invest in and manage computer platforms or infrastructure. Cloud computing is also of interest because it can enable file synchronisation. But the cloud model entails some risks involving personal data protection.
This was highlighted in a 2012 opinion rendered by the group representing personal data protection authorities of the EU, and it’s an opinion shared by the data protection authority in France (the CNIL) and the Information Commissioner’s Office, or the ICO, in Great Britain.
These authorities underlined the two main risks related to cloud computing: loss of control of personal data, and lack of transparency by the service provider concerning the processing of personal data. Although the cloud services provider is the best informed about its level of security, the entity or person using the services is primarily liable for compliance with personal data processing regulations.
The likely imbalance of power between a small client and a large service provider does not free the client from its liability vis-à-vis personal data protection. Thus the client must obtain from the service provider, in a written contract, assurance of compliance with personal data protection regulations, especially with regard to data integrity, confidentiality, transparency towards data subjects, data isolation, intervention on behalf of data subjects and portability. The client must also ensure that it has a way of checking the service provider’s compliance.