The European Commission's draft Data Protection Regulation is intended to be ‘cloud friendly’. Will it work?
Professor Christopher Millard, leader of the Cloud Legal Project at Queen Mary, University of London, gives his views.
1 February 2012
"Commissioner Kroes stated that the proposals will 'make it easier to operate a cloud across the EU, with a single point of contact' and 'make it easier to operate outside the EU, too, with simplified and more consistent rules'.
"However, unless further changes are made to clarify and harmonise data protection rules across the EU, the draft Regulation may drive business away from Europe, and still fail to deliver effective protection for individuals.
"Uncertainty will persist as to whether particular non-European cloud providers and cloud users are regulated in the EU and, if so, which law(s) will apply to them. This may discourage the development of EU data centres and the use of EU cloud services generally."
"Furthermore, the draft Regulation fails to close a loophole which may undermine protection for some EU residents when they use services provided by non-EU cloud providers.
"The use of cloud computing may also be inhibited by additional restrictions on the transfer of personal data outside Europe, including cumbersome regulatory approval requirements.
“Given the ease of global data transmission and remote access over the Internet, and the increasingly fragmented nature of data storage, what matters most for privacy and security is who can access the data in intelligible form. This is now more important for privacy than data location.
“In our recommendations, we proposed a more radical solution, namely abolishing the restriction on data export, focusing instead on appropriate measures to ensure security, transparency and accountability, regardless of the geographical location of personal data.
"The draft Regulation will impose substantial new compliance obligations on businesses, as well as greatly expanding the roles of the European Commission and national regulators, all of whom will need extra resources.
“It is unclear how this will be financed, especially in the current economic climate. The proposed abolition of registration fees is a step towards reducing red tape, but proper provision for the adequate funding of supervisory authorities in performing their expanded duties will be essential if the draft Regulation is to protect individuals and facilitate the free flow of data."
For further comments see the "Cloud of Unknowing" series of papers on data protection law issues in cloud computing, summarised at the end of /qmpublic/media/news/items/hss/59481.html and available in free full text form via the Cloud Legal Project web site at http://www.cloudlegal.ccls.qmul.ac.uk (or http://cloudlegalproject.org/Research).
For media information, contact:Paul Jordan