Cloud providers seeking business from EU institutions could become subject to more scrutiny from the European Data Protection Supervisor (EDPS).
The supervisor is preparing guidance on the use of cloud computing and mobile devices for data transfers by EU institutions to non-EU countries and international organisations.
Part of that guidance could require extra checks for personal data shared with cloud computing services, the supervisor said in a position paper published yesterday.
"The rapid development of technology, including cloud computing and mobile applications, creates new challenges, which have to be addressed to ensure that the fundamental rights of individuals are fully respected," the supervisor said.
When information is to be processed by cloud computing services, the EDPS may conduct prior checks to see if the data transfer complies with EU regulations.
"In this environment, clients' data are often transferred to cloud providers' servers and data centres located in various parts of the world. As there is no stable location for the data, the EDPS might have to verify that any adequate safeguards effectively comply" with EU regulation, it said.
This might be the case if the processing operations are likely to present specific risks to the rights and freedoms of the person whose personal data are collected, held or processed, it said. However, this might only apply in specific situations to be defined in subsequent guidance, due to the complexity and sensitivity of the data.