21 November 2011
Current European data protection laws could leave Flickr, Google, Amazon and other online businesses exposed to legal action, warn law experts at Queen Mary, University of London.
These companies provide IT services over the internet, a practice known as cloud computing. In a series of four papers, subtitled the ‘Cloud of Unknowing’, the QM School of Law cites specific issues with the EU Directive on Data Protection that have implications for both cloud computing users and cloud computing providers.
“The Directive, which regulates the processing of personal data, is outdated for the internet age, let alone for advancements in cloud computing,” explains Professor Christopher Millard, Principal investigator on the Cloud Legal Project.
“The Directive is currently undergoing review, with reform measures expected to be announced in early 2012. Our papers make recommendations to ensure the revised Data Protection Directive caters better for technological advancements such as cloud computing.”
At present, cloud computing service providers can become subject to the Directive’s complex rules purely through their customers’ choices, of which they may not even be aware. Non-European cloud computing users may also be affected by the Directive, if they use European cloud resources or interact with European customers. The current laws may discourage non-European users from using EU-based cloud computing providers or making use of European data centres.
Professor Millard says: “Cloud computing can be very attractive as a means of achieving financial savings, productivity improvements and the flexibility that accompanies Internet hosting of data and applications. However, the Data Protection Directive has given rise to many legal uncertainties, so cloud computing users are unsure if they are complying or not.
“Concerns over privacy and security are often cited as reasons why potential users hesitate to move into cloud computing. Greater legal clarity is essential to unlocking the benefits of cloud computing for consumers, businesses and governments and to securing Europe’s future position in the global IT industry.”
This paper considers what information is treated as ‘personal data’ in the cloud. As the Directive stands, the scope of the definition of ‘personal data’ is unclear, and information may be ‘personal data’ or not depending on how thoroughly it is encrypted or anonymised before being uploaded to the cloud.
“When the Directive is updated, the ‘personal data’ definition should be based on the realistic risk of identification. Which data protection rules apply should be based on the situation, the risk of harm and its likely severity,” says Professor Christopher Millard, paper co-author.
“Cloud computing providers may not even know if information processed using their services is ‘personal data’. Therefore, it seems inappropriate for certain cloud providers, many of which are based outside Europe, to become arbitrarily subject to EU data protection regulation due to their customers’ choices. The status of procedures to encrypt or anonymise personal data should also be clarified in the updated Directive.”
The Directive fails to acknowledge that, in cloud computing, roles of customers and providers can vary or overlap. Cloud computing service providers may be unaware that the data they process or store on behalf of a customer is classified as ‘personal data’. However, under the present Directive, a lack of knowledge is not a legitimate excuse, and they could still be considered ‘processors’ under the Directive, with obligations as such.
Co-author of the paper, Ian Walden, Professor of Information and Communications Law, says: “The law should be updated to treat cloud computing service providers, in certain circumstances, as neutral intermediaries with immunities from data protection obligations.
“If they unwittingly store ‘personal data’ they should have defences based on lack of knowledge or control. There should be different levels of responsibility depending on the nature of the service being provided.”
The third paper considers when cloud computing service providers or users based outside Europe may become subject to the Directive. Current legal uncertainties may discourage the use of European data centres or European cloud computing service providers, potentially putting EU e-commerce at a competitive disadvantage.
“Data protection laws may differ between EU member states. There are also practical issues relating to whether the Directive can be enforced in non-EU countries. Clarification is therefore needed in the updated Directive on which country’s security requirements and other rules apply to a cloud computing user or provider,” explains paper co-author Dr Julia Hornle, Senior Lecturer in Internet Law. “We suggest that data protection obligations should apply to entities based on the rules of the country of origin, within the EU, and based on directing or targeting their services to EU consumers, for non-EU providers.”
This paper considers data export restrictions under the Directive, and the implications for the use of cloud computing. The Directive places restrictions on personal data being exported out of the EU, which seems outdated, particularly as remote access is now the norm on the Internet.
“We suggest that the Directive’s focus on data location and the restriction on exporting data outside the EU should be replaced by requirements on accountability, transparency and security. It is not where information is stored, but how securely it is stored, and who can access it, that matters most,” says Kuan Hon, paper co-author and researcher on the Cloud Legal Project.
Queen Mary, University of London