International data transfers: EU urged to scrap use of binding corporate rules and model contract clauses in cloud computing amidst concerns over US surveillance of data
The report, ordered by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), said that the EU had created “derogations” from traditional rules governing international transfers of #personal_data that, in a #cloud_computing context, could not adequately protect the #privacy of that information. It said BCRs and model contract clauses were examples of the ’derogations’ created and that both are were “equally unsuitable to prevent the use of #cloud #data for #surveillance purposes”.
“Both the [Article 29 Working Party] and the Commission place great faith in ’audit’ procedures to ensure Cloud services are compliant, but no commercial audit methodology can seek to uncover secret surveillance which is ’lawful’ under the national security rubric of a third country (especially if that audit is conducted by a company from that country). There is no way that an EU DPA can know whether this is happening or not, if the Cloud software fabric is designed and controlled from outside EU jurisdiction.”