Cloud providers eyeing up EU institutions for business could be hit with more rigorous data protection controls.
The European Data Protection Supervisor (EDPS) has issued advice on transferring data via the cloud from EU institutions to non-EU countries and international organisations via the cloud and mobile devices.
Its position paper said that personal data shared with cloud services could be subject to extra checks.
Technology's quickening pace "creates new challenges, which have to be addressed to ensure that the fundamental rights of individuals are fully respected," the report said.
Data processed by cloud services may be scrutinised by the EDPS to check whether the transfer abides with EU rules, if "the processing operations are likely to present specific risks to the rights and freedoms of data subjects."
The fact that data can end up in a data centre far across the world means that it may not comply with EDPS rules, and chiefly Article 9, which seeks to maintain the "principle of adequate protection" in cases of international data transfer.
Checks would only be carried out "in certain specific situations to be defined in subsequent guidance, due to the complexity and sensitivity of the data," said the EDPS.
It's about guaranteeing the fundamental right to data protection "even when personal data [is] transferred to a party outside the scope of the Regulation and the Directive", it added, concluding that "before a transfer to a third country or international organisation takes place, the controller should ensure that data subjects are adequately protected."