EC Data Protection Regulation: Is It Cloud Friendly?

Data Protection

Commissioner Kroes stated that the proposals will ‘make it easier to operate a cloud across the EU, with a single point of contact’ and ‘make it easier to operate outside the EU, too, with simplified and more consistent rules’.

However, unless further changes are made to clarify and harmonise data protection rules across the EU, the draft Regulation may drive business away from Europe, and still fail to deliver effective protection for individuals.

It will be difficult for non-European cloud providers to determine which EU country will supervise them for data protection purposes across Europe. This may discourage the building or use of EU data centres or EU service providers for cloud computing.

Furthermore, the draft Regulation fails to close a loophole which may undermine protection for some EU residents when they use services provided by non-EU cloud providers.

The use of cloud computing may also be inhibited by additional restrictions on the transfer of personal data outside Europe, including cumbersome regulatory approval requirements.

Given the ease of global data transmission and remote access over the Internet, and the increasingly fragmented nature of data storage, what matters most for privacy and security is who can access the data in intelligible form. This is now more important for privacy than data location.

In my recommendations, I proposed a more radical solution, namely abolishing the restriction on data export, focusing instead on appropriate measures to ensure security, transparency and accountability, regardless of the geographical location of personal data.

The draft Regulation will impose substantial new compliance obligations on businesses, as well as greatly expanding the roles of the European Commission and national regulators, all of whom will need extra resources.

It is unclear how this will be financed, especially in the current economic climate. The proposed abolition of registration fees is a step towards reducing red tape, but proper provision for the adequate funding of supervisory authorities in performing their expanded duties will be essential if the draft Regulation is to protect individuals and facilitate the free flow of data.

Christopher Millard is a member of the Centre for Commercial Law Studies (CCLS). He has been teaching in the Centre on a visiting basis since 1986 and joined the faculty as a Professor in 2008. He has over 25 years’ experience in the technology and communications law fields and has led many multi-jurisdictional information governance and data protection compliance projects. His first book, Legal Protection of Computer Programs and Data (1985), was one of the first comparative studies in the technology law field. He is a General Editor of the International Journal of Law and Information Technology and of International Data Privacy Law (both published by Oxford University Press). He was a founding editor of Data Protection Laws of the World. In addition to his role at CCLS, Christopher is a Senior Research Fellow of the Oxford Internet Institute at the University of Oxford, is a Solicitor of the Supreme Court of England and Wales and is a consultant to the law firm Bristows. Before he joined Bristows in 2008, Christopher was a partner at Linklaters for six years and head of that firm’s global privacy practice. Prior to that he was at Clifford Chance for 18 years, including 10 years as a partner. He was a member of the OECD’s Steering Group on Contractual Solutions for Transborder Data Flows (2000-01) and since 2002 has been a member of the International Chamber of Commerce’s Task Force on Privacy and Protection of Personal Data. He has served as Chairman of the Society for Computer & Law (1994-96), as President of the International Federation of Computer Law Associations (1994-96) and as Co-Chair of the Technology & E-Commerce Committee of the International Bar Association (2002-04). In 2008 and 2009, the International Who’s Who of Business Lawyers designated him Internet & eCommerce Lawyer of the Year.

  • This incident highlights the fact that data protection needs to
    encompass physical and electronic storage and handling, and that DPA
    breaches are often the result of human errors.