A new Opinion on Cloud Computing from the Article 29 Working Party highlights a number of difficulties in applying current data protection law to the cloud computing model and suggests that changes are needed both to cloud contracts and to European law. The main concerns are over lack of control by the client using the service and lack of information about what the service will involve. Interestingly, these concerns apply whether or not the cloud provider is established in the European Economic Area. Indeed the working party note that one possible solution, the use of standard contract clauses, currently works better for providers who are not in the EEA as that is the application for which the current model clauses were developed.
The Opinion sets out a detailed list of provisions that ought to be in cloud contracts and encourages all cloud providers to work towards these. The Opinion also calls for changes in the law, not all of which are in the proposed Data Protection Regulation, and for the consideration of a pan-EU Government cloud to ensure that sensitive information about EU citizens does not need to be exported from the continent.