The International Data Corporation recently reported that worldwide public cloud revenue reached £26.7 billion last year. Rapid developments in the sector present new challenges to EU data protection law, in particular, the way in which Cloud Service Providers (CSPs) transfer data across Europe and worldwide have prompted unease from European ministers.
Concerns regarding the cross-border flow of information are not a new phenomenon; many principles of modern data legislation, including use limitation, purpose specification and accountability of the controller can be traced back to the Organization for Economic Co-operation and Development’s 1980 guidelines. The growth of the information economy in the 1990s led to the 1995 Data Protection Directive, an attempt to harmonize pre-existing data protection laws. Almost twenty years later, data protection is of paramount interest to business and government, and the current legislation requires a serious overhaul. The EU’s tight regulations regarding the processing and transfer of personal data will become even stricter, and due to the uncertainty of where cloud vendors store data, customers may find themselves in breach.
CSPs could be subject to new checks and scrutiny, as the European Data Protection Supervisor prepares guidelines for the transferral of data from EU institutions to non EU countries and organizations worldwide. It has been suggested that the Cloud Industry Forum’s Code of Practice serve as a model to enable CSPs to comply with transparency, accountability and capability standards, as well as a leading resource for the implementation of relevant Information Security Controls.
The new Regulation is expected to concern the data aspects of cloud in isolation from cloud computing as a whole, which will likely remain under traditional contract law and current sector regulation, in order to ensure Europe remains an attractive and free market for global vendors and consumers. CSPs must ensure their services are transparent and compliant with relevant industry accreditations and that they are always aware of what data is held and where: those who do not comply risk slowing service, holding back growth in the market and hindering innovation.