Tech-savvy users and business people have been juggling the term ‘cloud computing’ for quite some time. In layman’s terms, cloud computing involves the provision of information-technology-as-a-service, with the ability to access, change and interact with data on any platform with an internet connection, including on smartphones.

Cloud computing is internet-based computing, where all the IT resources like software, data and other devices are provided on-demand.

It is a new way of delivering computing resources, where the services may range from data storage and processing, to software packages such as email handling. These services are available instantly and, loosely said, commitment-free. This new economic model for computing has found solid ground and is seeing massive global investment, given that the new paradigm shift for business is now going mainstream.

International cloud fans claim a number of key benefits from the implementation of a cloud computing strategy.

It’s cheap, as the IT provider hosts the services and the sharing of complex infrastructure delivers positive results in terms of cost-efficiency; it’s up to date, as most providers constantly update their software to painstakingly meet the demands and expectations of users; it’s scalable, depending on the business’s performance; it’s quick, since basic cloud services work out of the box and, for more complex software and database solutions, cloud computing makes it possible to skip hardware procurement, making it a perfect option for start-up businesses; and it’s mobile, since cloud services are designed to be used remotely and access to the systems can thus be granted on the go.

Having said this, security concerns remain a dominant issue which cloud service providers should push further up their business agenda. What legal and technical comfort do cloud users enjoy when it comes to data protection matters, given that the notion of cloud computing revolves around the concentration of corporate risk in one single place? In the light of such risks, data protection authorities are likely to impose more systematic restrictions and requirements on both cloud computing and other outsourcing arrangements involving personal data.

When a data controller engages the services of a cloud provider, such provider, similar to any other provider from whom a service is acquired, is deemed to be a processor in terms of the provisions of the data protection legislation. A processor is a third party who processes personal data on behalf of the controller.

The law requires that the relationship between the two parties should be governed by means of a legally binding contract laying down the conditions which the processor should abide by, inter alia, that the provider should only act upon the instructions of the controller and should implement all the necessary technical and organisational safeguards to protect data against any accidental or unlawful forms of processing.

Given that the processor’s processing operations might be based outside the country of the controller, consideration must also be given to the privacy obligations concerning the transfer of personal data to the other country. In cases where the data is transferred to an EU member state, a member country of the EEA, a third country recognised by the European Commission as enjoying an adequate level of protection or an organisation complying with the US Department of Commerce’s Safe Harbour privacy principles, the data controller may transfer the personal data without being required to follow the prescribed restrictions or other formalities stipulated by the EU directive.

On the flipside, the transfer of personal data to a third country that does not ensure an adequate level of protection requires an authorisation by the data protection authority. In order to approve the transfer, national commissioners need to ascertain that the controller has provided adequate safeguards, particularly by means of appropriate contractual provisions in accordance with the requirements emanating from the directive.

In analysing such contractual provisions, reference has to be made to the European Commission’s decisions on standard contractual clauses which regulate the transfer of personal data to a third country. The use of standard contractual clauses is recommended in order to ensure that the rights of individuals are safeguarded even in countries which do not ensure an adequate level of protection.

This notwithstanding, a transfer of personal data to such a third country may still be effected by a data controller if the individual has given unambiguous consent allowing the proposed transfer to be made.

The advent of cloud computing is another milestone in the information technology area and is rapidly gaining fertile ground. The importance of data privacy, as one major part of corporate compliance in various countries, particularly in European member states, has increased substantially during the last few years. Therefore, it can be safely assumed that this trend will continue. As a consequence, data controllers need to stay current with these developments, and review their data privacy compliance programmes.

A recent communication issued by the European Commission provides a comprehensive approach on personal data protection in the EU. The objective of the communication is to set out a strategy targeted at reviewing the fifteen-year-old privacy directive, in view of the rapid technological developments and globalisation which have profoundly changed the world around us and brought new challenges for the protection of personal data, one of which is cloud computing.

Mr Deguara is the head of the technical unit in the Office of the Data Protection Commissioner.
