
Privacy watchdog envisages additional checks on EU institutions' transfers of personal data to the cloud

Out-Law News | 17 Jul 2014 | 10:09 am | 1 min. read

EU institutions that wish to transfer personal data to a cloud computing provider based outside of the trading bloc may have to obtain sign-off from a privacy watchdog to proceed with the transfer in future.

The European Data Protection Supervisor (EDPS), which is responsible for monitoring EU bodies' compliance with data protection laws, said it could conduct a "prior check" of prospective data transfer arrangements between EU institutions and cloud providers (33-page / 396KB PDF) in future.

The watchdog said that in cases where personal data processing operations "are likely to present specific risks to the rights and freedoms of data subjects", EU institutions may, under the existing rules governing those bodies, have to notify it of those activities in advance. It said those rules could apply in a cloud context, in situations to be defined in new guidance.

"A prior check notification may also have to be submitted … if the processing operations are likely to present specific risks to the rights and freedoms of data subjects," the EDPS said. "This might apply, for instance, to information processed by cloud computing services, in certain specific situations to be defined in subsequent guidance, due to the complexity and sensitivity of the data."

"In this environment, clients' data are often transferred to cloud providers' servers and data centres located in various parts of the world. As there is no stable location for the data, the EDPS might have to verify that any adequate safeguards effectively comply with [data protection rules for EU bodies], and cover all the potential recipients that might be involved in the cloud environment. However, this also depends on the conditions to be agreed with cloud computing service providers more generally. At this stage, there are therefore no additional requirements for prior checking," it said.

Under general EU data protection laws for businesses, the transfer of personal data from the EU to so-called 'third' countries is governed by strict rules designed to ensure the adequate protection of EU citizens' privacy in accordance with EU standards even when that data is held outside of the trading bloc.

A number of countries have been designated as providing adequate protection for personal data transferred from the EU; in other cases, organisations are obliged to make sure themselves that there is adequate protection for that data. A number of legal mechanisms, including model contract clauses, have been created to assist organisations in meeting their adequacy obligations.

Similar restrictions are placed on EU institutions' transfers of personal data to third countries by a separate set of rules that applies only to those bodies.