European Parliament resolution of 10 December 2013 on unleashing the potential of cloud computing in Europe (2013/2063(INI))
The European Parliament,
– having regard to the Commission communication of 27 September 2012 entitled ‘Unleashing the potential of cloud computing in Europe’ (COM(2012)0529) and the accompanying working document,
– having regard to the Commission communication of 3 March 2010 entitled ‘Europe 2020: a strategy for smart, sustainable and inclusive growth’ (COM(2010)2020),
– having regard to the Commission communication of 19 May 2010 entitled ‘A digital agenda for Europe’ (COM(2010)0245),
– having regard to its resolution of 5 May 2010 on a new digital agenda for Europe: 2015.eu(1),
– having regard to Decision No 243/2012/EU of the European Parliament and of the Council of 14 March 2012 establishing a multiannual radio spectrum policy programme,
– having regard to the Commission’s proposal of 25 January 2012 for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011),
– having regard to the Commission’s proposal of 19 October 2011 for a Regulation of the European Parliament and of the Council establishing the Connecting Europe Facility (COM(2011)0665),
– having regard to Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity,
– having regard to the work by the European Telecommunications Standards Institute (ETSI) on a cloud standards mapping,
– having regard to Directive 2011/83/EU of Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of Parliament and of the Council, and repealing Council Directive 85/577/EEC and Directive 97/7/EC of Parliament and of the Council,
– having regard to Directive 1999/44/EC of Parliament and of the Council of 25 May 1999 on certain aspects of the sale of consumer goods and associated guarantees(2),
– having regard to Directive 95/46/EC of Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(3),
– having regard to Directive 2000/31/EC of Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market(4),
– having regard to Directive 2001/29/EC of Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society(5),
– having regard to Rule 48 of its Rules of Procedure,
– having regard to the report of the Committee on Industry, Research and Energy and the opinions of the Committee on Legal Affairs, the Committee on Civil Liberties, Justice and Home Affairs and the Committee on the Internal Market and Consumer Protection (A7-0353/2013),
A. whereas while remote computing services in various forms, now commonly known as ‘cloud computing’, are not new, the scale, performance and content of cloud computing constitute a significant advancement in information and communication technologies (ICT);
B. whereas cloud computing has nonetheless attracted attention in recent years owing to the development of new and innovative large-scale business models, a strong push by cloud vendors, technological innovations and increased computing capabilities, lower prices and high-speed communications, as well as to the potential economic and efficiency benefits, including in terms of energy consumption, that cloud services offer all kinds of users;
C. whereas the deployment and development of cloud services in sparsely populated and remote areas can contribute to reducing their isolation, while at the same time pose particularly serious challenges given the insufficient availability of necessary infrastructure;
D. whereas the vendor benefits of cloud services consist of e.g. service fees, monetisation of underutilised and excess computing resources, economies of scale, the possibility of a captive customer base (so called lock-in effect) and secondary uses of user information, such as for advertising, with due regard for the requirements of personal data privacy and protection; whereas a lock-in effect can have competitive disadvantages that nevertheless can be dealt with through reasonable standardisation measures and better transparency on intellectual property licensing agreements;
E. whereas the user benefits of cloud services consist of potentially lower costs, ubiquitous access, convenience, reliability, scalability and security;
F. whereas cloud computing also entails risks for users, in particular as regards sensitive data, and users need to be aware of those risks; whereas if cloud processing is done in a particular country, the authorities of that country can have access to the data; whereas this should be taken into account by the Commission when issuing proposals and recommendations regarding cloud computing;
G. whereas cloud services oblige users to hand over information to the cloud storage provider, a third party, raising issues relating to the continued control over and access to the information of individual users and its protection against the provider itself, other users of the same service and other parties; whereas encouragement of services which allow for the user and only the user to hold keys to the information stored, without the cloud storage providers themselves being able to access that information, could solve some of the issues pertaining to this problem;
H. whereas the increased use of cloud services provided by a limited number of large providers means that increasing amounts of information is aggregated in the hands of those providers, thus magnifying their efficiencies but also increasing the risks of catastrophic losses of information, of centralised points of failure that could undermine the stability of the internet and of access to the information by third parties;
I. whereas the responsibilities and liabilities of all the stakeholders involved in cloud computing services should be clarified, in particular as they apply to security and to respect of data protection requirements;
J. whereas the market for cloud services appears bifurcated along consumer and business lines;
K. whereas for business users, standardised cloud services can, if they meet the particular needs of the user, be an attractive means of converting capital cost to operating expense and of enabling fast availability and scaling of additional storage and processing capacity;
L. whereas for consumers, the fact that providers of operating systems for various types of consumer devices, in particular, are increasingly steering consumers – through the use of default settings, etc. – towards using proprietary cloud services, means that these providers are creating a captive consumer-base and aggregating the information of their users;
M. whereas the use of external cloud services in the public sector has to be weighted carefully against any increased risks with regard to information on citizens and against the ensured performance of public service functions;
N. whereas, from a security perspective, the introduction of cloud services means that the responsibility for maintaining the security of information belonging to each individual user is shifted from the individual to the provider, thereby raising the need to ensure that service providers have the legal ability to provide secure and robust solutions for communication;
O. whereas the development of cloud services will increase the amount of transmitted data and the demand for bandwidth, higher upload speeds and more available high-speed broadband;
P. whereas the achievement of Europe’s digital agenda targets, in particular broadband uptake and access for all, cross-border public services and research and innovation goals, is a necessary step if the EU is fully to reap the benefits that cloud computing has to offer;
Q. whereas there have recently been developments involving security breaches, in particular the PRISM spying scandal;
R. whereas there is a lack of server farms on European soil;
S. whereas the Digital Single Market is a key factor in attaining the targets of the Europe 2020 strategy, which would provide a significant boost in efforts to meet the objectives of the Single Market Act and respond to the economic and financial crisis affecting the EU;
T. whereas EU-wide broadband provision, universal and equal access to internet services for all citizens, and a guarantee of network neutrality are the essential prerequisites for the development of a European cloud computing system;
U. whereas the Connecting Europe Facility is intended, among other things, to increase broadband uptake in Europe;
V. whereas cloud computing should stimulate the integration of SMEs through the reduction of market entry barriers (e.g. by decreasing IT infrastructure costs);
W. whereas it is essential for a European cloud computing system that EU legal standards on data protection are guaranteed;
X. whereas the development of cloud computing should help promote creativity for the benefit of both rights-holders and users; whereas, furthermore, distortions in the Single Market should be avoided in the process and consumer and business confidence in cloud computing should be boosted;
General
1. Welcomes the Commission’s communication on unleashing the potential of cloud computing in Europe and approves the Commission’s ambition to develop a coherent approach to cloud services, but considers that, in order to achieve the ambitious goals set out by the strategy, a legislative instrument would have been more adequate for some aspects;
2. Underlines that policies enabling high-capacity and secure communications infrastructure are a crucial element for all services relying on communications, including cloud services, but highlights that, owing to the limited budget of the Connecting Europe Facility, support for broadband deployment needs to be supplemented with assistance provided under other Union programmes and initiatives, including the European Structural and Investment Funds;
3. Underlines that cloud services must offer security and reliability commensurate to the increased risks flowing from the concentration of data and information in the hands of a limited number of providers;
4. Underlines that Union law should be neutral and, absent compelling reasons of public interest, not be adapted to either facilitate or hinder any legal business model or service;
5. Stresses that a strategy on cloud computing should encompass collateral aspects such as the energy consumption of data centres and related environmental issues;
6. Emphasises the vast possibilities that having access to data from any device connected to the internet offers;
7. Stresses the obvious interest, from a dual perspective, for the EU in having more server farms on its soil: in terms of industrial policy, it would allow for enhanced synergies with the roll-out objectives for Next Generation Access Networks (NGA) set out in the digital agenda, and in terms of the Union’s data protection regime, it would foster trust by ensuring EU sovereignty over the servers;
8. Underlines the importance of digital literacy among all citizens, and urges the Member States to develop concepts of how to promote the safe use of internet services, including cloud computing;
The cloud as an instrument for growth and employment
9. Emphasises that, given the economic potential of the cloud for increasing Europe’s global competitiveness, it can become a powerful instrument for growth and employment;
10. Stresses, therefore, that the development of cloud services, in the absence or insufficient availability of broadband infrastructure, risks widening the digital divide between urban and rural areas, which will make territorial cohesion and regional economic growth still harder to achieve;
11. Highlights that the Union faces multiple, simultaneous pressures on GDP growth at a time when the scope to stimulate growth from public funds is limited by high debt and deficit levels, and calls on the European institutions and the Member States to mobilise every possible growth lever; notes that cloud computing can become a transformative development in all sectors of the economy, with special relevance in areas such as health care, energy, public services and education;
12. Stresses that unemployment, including youth and long-term unemployment, has reached unacceptably high levels in Europe and is likely to remain high in the near future, and that determined and urgent action is needed at all political levels; notes that e-skills and digital education actions in cloud computing development can, consequently, be of extraordinary importance in order to tackle the rising unemployment, especially among young people;
13. Underlines the need for greater e-skills among users and for training to show the benefits that cloud computing can offer; recalls the need to create more qualification schemes for specialists managing cloud computing services;
14. Highlights that SMEs are at the heart of the EU’s economy and that more actions are needed to promote the global competitiveness of EU SMEs and to set the best possible environment for the uptake of new promising technological developments, such as cloud computing, which can have a high impact on the competitiveness of EU businesses;
15. Insists on the positive impact of cloud computing services on SMEs, in particular those established in remote or outermost areas or facing economic difficulties, as such services contribute to the reduction of fixed costs for SMEs by allowing the rental of computing power and storage, and calls on the Commission to consider an appropriate framework allowing SMEs to increase their growth and productivity, as SMEs can benefit from reduced upfront costs and better access to analytics tools;
16. Encourages the Commission and the Member States to communicate the economic potential of cloud computing to SMEs in particular;
17. Points out that the EU must take advantage of the fact that this technology is at a relatively early stage and must work towards developing it in order to benefit from the economies of scale which it is expected to offer, thereby revitalising the Union’s economy, particularly in the ICT sector;
The EU market and the cloud
18. Stresses that the internal market should remain open to all providers complying with Union law, as the global free flow of services and information increases the competitiveness of and opportunities for Union industry and benefits Union citizens;
19. Regrets the indications of massive, pervasive and indiscriminate governmental access to information related to Union users stored in third-country clouds, and calls for cloud service providers to be transparent about how they manage the information that consumers make available to them through the use of cloud services;
20. Insists that, in order to counter the risk that information is accessed directly or indirectly by foreign governments, where such access is not allowed under Union law, the Commission shall:
(i) ensure that users are aware of this risk, including by supporting the European Network and Information Security Agency (ENISA) in activating the public interest information platform in the Universal Service Directive;
(ii) sponsor research in and commercial deployment or public procurement of relevant technologies, such as encryption and anonymisation, enabling users to secure their information in an easy way; and
(iii) involve ENISA in verifying the minimum security and privacy standards of cloud computing services offered to EU consumers and, in particular, to the public sector;
21. Welcomes the Commission’s intention to establish an EU-wide certification system that would provide an incentive for developers and providers of cloud computing services to invest in better privacy protection;
22. Calls on the Commission, in cooperation with Union industry and other stakeholders, to identify areas where a specific Union approach could prove particularly attractive globally;
23. Emphasises the importance of ensuring a competitive and transparent Union market in order to provide all Union users with secure, sustainable, affordable and reliable services; calls for a simple, transparent method to identify security flaws in such a way that service providers on the European market have a sufficient and appropriate incentive to remedy such flaws;
24. Underlines that all cloud providers operating in the Union must compete on an even playing field, with the same rules applicable to all;
Public procurement, and procurement of innovative solutions, and the cloud
25. Stresses that the take-up of cloud services by the public sector has the potential to reduce costs for public administrations and provide more efficient services to citizens, whilst the digital leverage effect to all sectors of the economy would be extremely beneficial; points out that the private sector can also take advantage of those cloud services for the procurement of innovative solutions;
26. Encourages public administrations to consider safe, reliable and secure cloud services in IT procurement, while underlining their particular responsibilities with respect to protection of information relating to citizens, accessibility and continuity of service;
27. Calls, in particular, on the Commission to consider making use of cloud services, where appropriate, in order to provide an example to others;
28. Calls on the Commission and the Member States to speed up the work of the European Cloud Partnership;
29. Calls on the Commission and the Member States to make cloud computing a priority area for research and development programmes, and to promote it in the public administration sector as an innovative e-government solution of public interest, as well as in the private sector as an innovative tool for business development;
30. Stresses that the use of cloud services by public authorities, including by law enforcement authorities and EU institutions, requires special consideration and coordination between the Member States; recalls that data integrity and security must be guaranteed and unauthorised access, including by foreign governments and their intelligence services without a legal basis under Union or Member State law, prevented; stresses that this also applies to the specific processing activities of certain essential non-governmental services, in particular the processing of specific categories of personal data, such as by banks, insurance companies, pension funds, schools and hospitals; stresses, furthermore, that all of the aforementioned is of particular importance if data is being transferred (outside the European Union between different jurisdictions); takes the view, therefore, that public authorities, as well as non-governmental services and the private sector, should, as far as possible, rely on EU cloud providers when processing sensitive data and information until satisfactory global rules on data protection have been introduced, ensuring the security of sensitive data and of data bases held by public entities;
Standards and the cloud
31. Calls on the Commission to take the lead in promoting standards and specifications supporting privacy-friendly, reliable, highly interoperable, secure and energy-efficient cloud services as an integral part of a future Union industrial policy; stresses that reliability, security and protection of data is needed for consumer confidence and competitiveness;
32. Stresses that standards are based on examples of best practices;
33. Insists that standards should enable easy and complete data and service portability, and a high degree of interoperability between cloud services, in order to increase rather than limit competitiveness;
34. Welcomes the mapping of standards that has been entrusted to ETSI, and highlights the importance of continuing to follow an open and transparent process;
Consumers and the cloud
35. Calls on the Commission to ensure that consumer devices do not make use of cloud services by default and are not restricted to specific cloud service provider;
36. Calls on the Commission to ensure that any commercial agreements between telecommunications operators and cloud providers are fully compliant with EU competition law and that they allow consumers full access to any cloud service, using an internet connection offered by any telecommunications operator;
37. Reminds the Commission of its as yet unexploited prerogative, under Directive 1999/5/EC (the RTTE Directive), to require that equipment incorporates safeguards protecting users’ information;
38. Calls on the Commission and the Member States to raise consumer awareness of all risks related to the use of cloud services;
39. Calls on the Commission to ensure that consumers, when prompted to accept or otherwise offered a cloud service, are first given the information necessary for an educated decision, particularly when it comes to the jurisdiction covering the data stored in these cloud services;
40. Stresses that the information thus provided should identify, among other things, who the ultimate provider of the service is and how the service is financed; stresses, furthermore, that if the service is financed by using users’ information to target advertising or enable others to do so, this should be disclosed to the user;
41. Stresses that the information should be in a standardised, portable, easily comprehensible and comparable format;
42. Calls on the Commission to explore appropriate measures to develop a minimum acceptable level of consumer rights in relation to cloud services, covering issues such as privacy, data storage in third countries, liability for data losses and other matters of significant interest to consumers;
43. Calls on the Commission and the Member States to adopt specific measures on the use and promotion of cloud computing in relation to open access and open educational resources;
Intellectual property, civil law etc. and the cloud
44. Urges the Commission to take action to further harmonise laws across the Member States in order to avoid jurisdictional confusion and fragmentation and to ensure transparency in the digital single market;
45. Calls on the Commission to review other EU legislation to address gaps related to cloud computing; calls, in particular, for clarification of the intellectual property rights regime and for a review of the Unfair Commercial Practices Directive, the Unfair Contract Terms Directive and the E-Commerce Directive, which are the most relevant pieces of EU legislation that apply to cloud computing;
46. Calls on the Commission to establish a clear legal framework in the field of copyright content in the cloud, especially with regard to licensing regulations;
47. Acknowledges that the advent of the storage of copyright works by cloud computing services should not compromise the right of European right holders to receive fair compensation for the use of their work, but questions whether these services can be considered to be on par with traditional and digital recording and storage media and equipment;
48. Calls on the Commission to investigate the different types of cloud computing services, how the cloud storage of copyrighted works affects the royalties systems and, more specifically, the ways in which private copying levies that are relevant for certain types of cloud computing services are imposed;
49. Calls on the Commission to promote the development, jointly with stakeholders, of decentralised services based on free and open-source software that would help harmonise practices across cloud providers and enable EU citizens to regain control over their personal data and communication, for example by means of point-to-point encryption;
50. Stresses that, owing to uncertainties regarding applicable law and jurisdiction, contracts are the main tools for establishing relations between cloud providers and their customers, and that there is therefore a clear need for common EU guidelines in that field;
51. Calls on the Commission to work together with the Member States to develop EU best practice models for contracts, or ‘model contracts’, that will ensure complete transparency by providing all terms and conditions in a very clear format;
52. Calls on the Commission to develop, together with stakeholders, voluntary certification schemes for provider security systems which would help to harmonise practices across cloud providers and which would make clients more aware of what they should expect from cloud service providers;
53. Stresses that, owing to jurisdiction problems, EU consumers are in practice unlikely to be able to seek redress from cloud services providers in other jurisdictions; calls, therefore, on the Commission to provide adequate means of redress in the consumer services area, since there is a strong imbalance of power between consumers and providers of cloud computing;
54. Calls on the Commission to ensure the speedy implementation of Alternative Dispute Resolution and Online Dispute Resolution and to make sure that consumers are equipped with adequate means of collective redress against security and privacy breaches as well as against illegal contract provisions for cloud services;
55. Regrets the current lack of effective remedies for users in case of breach of contract;
56. Calls for systematic consumer information regarding the processing activities of personal data to be included in contract proposals, as well as for users’ consent to be compulsory before the terms of a contract may be changed;
57. Calls on the Commission, within the framework of its expert group discussions, to require cloud providers to include in contracts certain key clauses guaranteeing the quality of the service, such as obligations to update software and hardware where necessary, to determine what happens if data is lost, and to determine the time it would take to resolve a problem, or how rapidly the cloud service could take down offending materials, should the cloud user make such a request;
58. Recalls that where a cloud provider uses the data for a purpose other than that agreed on in the service agreement, or communicates data or uses it in a way contrary to the terms of the contract, he should be considered data controller and should be held liable for the infringements and breaches incurred;
59. Stresses that cloud services agreements must set out, in a clear and transparent manner, the duties and rights of the parties concerning data processing activities by cloud providers; points out that the contractual arrangements shall not entail a waiver of the safeguards, rights and protections afforded by Union data protection law; urges the Commission to come forward with proposals to restore the balance between cloud service providers and their customers as regards the terms and conditions used by cloud services, including provisions to:
– ensure protection against arbitrary cancellation of services and deletion of data;
– guarantee a reasonable chance for customers to recover stored data in cases of cancellation of service and/or removal of data;
– provide clear guidelines for cloud providers to facilitate the easy migration of their customers to other services;
60. Highlights that the role of the cloud service provider under current Union legislation needs to be determined on a case-by-case basis, as providers can be both data processors and data controllers; calls for the terms and conditions for all users to be improved through the development of international best practice models for contracts and through the clarification of where the service provider stores data and under which area of law within the EU;
61. Highlights that particular attention must be given to situations in which the imbalance in the contractual situation between the customer and the cloud provider leads the customer to enter into contractual arrangements imposing standard services and a contract to be signed in which the provider defines the purposes, conditions and means of the processing(6); stresses that, in such circumstances, the cloud provider should be considered data controller and become jointly liable with the customer;
Data protection, fundamental rights, law enforcement and the cloud
62. Takes the view that access to a safe internet is a fundamental right of every citizen and that cloud computing will continue to play an important role in this aspect; reiterates, therefore, its call on the Commission and the Council unequivocally to recognise digital freedoms as fundamental rights and as indispensable prerequisites for enjoying universal human rights;
63. Reiterates that, as a general rule, the level of data protection in a cloud computing environment must not be inferior to that required in any other data-processing context;
64. Stresses that Union data protection law, since it is technologically neutral, already now fully applies to cloud computing services operating in the EU and must, therefore, be fully respected; stresses that the opinion of the Working Party of the Article 29 (WP29) on Cloud Computing(7) should be taken into account as it provides clear guidance for the application of Union data protection law principles and rules to cloud services, such as the concepts of controller/processor, purpose limitation and proportionality, integrity and data security, the use of subcontractors, allocation of responsibilities, data breaches and international transfers; underlines the need to close any gaps in the protection as regards cloud computing in the ongoing review of the Union data protection legal framework based on further guidance by the European Data Protection Supervisor and the WP29;
65. Recalls its serious concern about the recent unveiling of US National Security Agency surveillance programmes, and of similar programmes operated by intelligence agencies in various Member States, in the recognition that, should the information available up to now be confirmed, these programmes entail a serious violation of the fundamental right of EU citizens and residents to privacy and data protection, as well as of the right to private and family life, the confidentiality of communications, the presumption of innocence, freedom of expression, freedom of information, and the freedom to conduct business;
66. Reiterates its serious concerns about the compulsory direct disclosure of EU personal data and information, processed under cloud agreements, to third country authorities by cloud providers subject to third country laws or using storage servers located in third countries, and about direct remote access to personal data and information processed by third-country law enforcement authorities and intelligence services;
67. Regrets that such access is usually attained by means of direct enforcement by third countries authorities of their own legal rules, without recourse to international instruments established for legal cooperation such as mutual legal assistance (MLA) agreements or other forms of judicial cooperation;
68. Stresses that such practices raise questions of trust as regards non-EU cloud and online service providers, and as regards third countries that do not rely on international instruments for legal and judicial cooperation;
69. Expects the Commission and the Council to take such measures as are necessary to solve this situation and to ensure the respect of the fundamental rights of EU citizens;
70. Recalls that all companies providing services in the EU must, without exception, comply with EU law and are liable for any breaches;
71. Stresses that cloud services that fall under third country jurisdiction should provide users located in the EU with a clear and distinguishable warning of the possibility that their personal data may be subject to intelligence and law enforcement surveillance by third country authorities under secret orders or injunctions, followed, where applicable, by a request for the data subject’s explicit consent for the processing of personal data;
72. Urges the Commission, when negotiating international agreements that involve the processing of personal data, to take particular note of the risks and challenges that cloud computing poses to fundamental rights, in particular – but not exclusively – the right to private life and to the protection of personal data, as laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union; urges, furthermore, the Commission to take note of the negotiating partner’s domestic rules governing the access of law enforcement and intelligence agencies to personal data processed through cloud computing services, in particular by demanding that such access for law enforcement and intelligence authorities only be granted with full respect for the due process of law and on an unambiguous legal basis, as well as the requirement that the exact conditions of access, the purpose of gaining such access, the security measures put in place when handing over data and the rights of the individual, as well as the rules for supervision and for an effective redress mechanism, be specified;
73. Stresses its serious concerns about the work carried out within the Council of Europe’s Cybercrime Convention Committee with a view to developing an additional protocol on the interpretation of Article 32 of the Convention on Cybercrime of 23 November 2001 on ‘trans-border access to stored computer data with consent or where publicly available’(8) in order to ‘facilitate its effective use and implementation in the light of legal, policy and technological developments’; calls on the Commission and the Member States, in view of the forthcoming consideration by the Committee of Ministers of the Council of Europe, to ensure the compatibility of the provision of Article 32 of the Convention on Cybercrime, and its interpretation in the Member States, with fundamental rights, including data protection and, in particular, the provisions on trans-border flows of personal data, as enshrined in the EU Charter of Fundamental Rights, the EU data protection acquis, the European Convention of Human Rights and the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing (‘Convention 108’), which are legally binding upon the Member States; calls on the Commission and the Member States to reject firmly any measure that would put the application of these rights at risk; is alarmed by the fact that should such an additional protocol be endorsed, its implementation could result in unfettered remote access by law enforcement authorities on servers and computer systems located in other jurisdictions, without recourse to MLA agreements and other instruments of judicial cooperation put in place to guarantee the fundamental rights of the individual, including data protection and due process;
74. Underlines that particular attention must be paid to SMEs which increasingly rely on cloud computing technology when processing personal data, and which may not always have the resources or the expertise to address security challenges adequately;
75. Stresses that the qualification of data controller or processor needs to be reflected in an appropriate manner by the actual level of control it has over the means of processing, in order that the responsibilities for the protection of personal data with the use of cloud computing are clearly allocated;
76. Stresses that all the principles laid down in EU data protection law, such as fairness and lawfulness, purpose limitation, proportionality, accuracy and limited data retention periods, must be taken fully into account by cloud computing service providers when processing personal data;
77. Underlines the importance of having effective, proportionate and dissuasive administrative sanctions that may be imposed on cloud computing services that do not comply with EU data protection standards;
78. Stresses that, in order to define the most appropriate safeguards to implement, the data protection impact of each cloud computing service must be assessed on an ad hoc basis;
79. Stresses that a European cloud service provider should always act in conformity with EU data protection law, even if this conflicts with instructions by a client or controller established in a third country, or when the data subjects concerned are (solely) residents of third countries;
80. Stresses the need to address the challenges raised by cloud computing at an international level, in particular as regards government intelligence surveillance and necessary safeguards;
81. Stresses that EU citizens subject to intelligence surveillance by third country authorities should benefit from at least the same safeguards and remedies as are available to citizens of the third country concerned;
82. Regrets the approach in the Commission’s communication whereby it fails to mention the risks and challenges attached to cloud computing, and urges the Commission to continue its work on cloud computing by developing a more holistic communication on cloud computing that takes into account the interests of all stakeholders, and that contains, alongside a standard reference to the protection of fundamental rights and compliance with data protection requirements, at least the following:
– guidelines to ensure full compliance with the EU’s fundamental rights and data protection obligations;
– limitative conditions under which cloud data may or may not be accessed for law enforcement purposes, in compliance with the EU Charter of Fundamental Rights and with EU law;
– safeguards against illegal access by foreign and domestic entities, for instance by amending procurement requirements and applying Council Regulation (EC) No 2271/96(9) to counteract foreign laws that may result in massive illegal transfers of the cloud data of EU citizens and residents;
– proposals on how to define the ‘transfer’ of personal data and on how to update standard contractual clauses that are tailored to the cloud environment, as ‘cloud computing’ often involves massive flows of data from cloud clients to cloud providers’ servers and data centres, involving many different parties and crossing borders between EU and non-EU countries;
83. Calls on the Commission to explore the adequacy of a review of the EU-US Safe Harbour Agreement, in order to adapt it to technological developments, especially with regard to aspects linked to cloud computing;
o o o
84. Instructs its President to forward this resolution to the Council and the Commission.
(9) Council Regulation (EC) No 2271/96 of 22 November 1996 protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom (OJ L 309, 29.11.1996, p. 1).