The “imbalance of power between cloud consumers and cloud service...

to a September European Commission strategy that aims to make Europe the leader in cloud computing (CD Sept 28 p14). The chief issue is accountability, Hustinx said. Cloud services raise a “major risk of seeing responsibility evaporating” in data-processing operations handled by cloud service providers if EU privacy laws aren’t made clear enough and if providers’ role and responsibility aren’t defined, he said. “The use of cloud computing services cannot justify a lowering of data protection standards as compared to those applicable to conventional data processing operations,” he wrote. Without those definitions, the complexity and involvement of multiple service providers could lead to a serious lack of protection in practice, the opinion said. The power imbalance could be solved by standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurements and international data transfers, he said. The EC has proposed changes to data protection rules that would provide many clarifications and tools that could help ensure a satisfactory level of privacy in cloud services, Hustinx said. But he recommended additional changes to take into account the specifics of the cloud. These include: (1) Specifying that processing of Europeans’ personal data by non-EU-based cloud companies that offer services in Europe is subject to the EU legislation. (2) Adding a provision to make clear under what conditions access to data stored in the cloud by non-European Economic Area countries’ law enforcement agencies should be allowed. (3) Developing standards and certification regimes that fully incorporate data protection criteria. Hustinx stressed the need to address cloud computing challenges at the international level, saying many could be tackled in international or bilateral agreements such as mutual assistance or trade agreements.