By using cloud computing, companies cut costs by outsourcing data storage tasks, which means they no longer have to maintain expensive servers. However, this technological advance represents “one of the biggest challenges to data protection and data security of EU citizens” according to EU Justice Commissioner Viviane Reding. As a result, reform of the current European legislation on data protection is necessary.
Speaking at the GSM Association’s Round-table High Level Conference on “Mobilising the Cloud” on 7 December 2011, during a speech entitled “Privacy in the Cloud: Data Protection and Security in Cloud Computing”, Commissioner Reding referred to the potential of cloud computing for economic growth and said that cloud computing has created new business opportunities and “liberated us from our desktop computers”. The benefits of storing digital files on remote servers and retrieving them via the internet are “enormous”, she said, “we save space, time, and money”.
However, Commissioner Reding also referred to the proposed new EU data protection framework and stressed that under the data protection reforms, businesses will have to pay “utmost attention to security of information and privacy by design”.
According to Commissioner Reding, Europe must ensure that its citizens do not lose control of their data in the cloud, and that their data is protected. In particular, internet companies must ensure transparency, providing people with appropriate information about the processing of their data: which data is collected, for what purposes, and by whom, not least so that individuals know which authority to address if their rights are violated.
Commissioner Reding also said that she wants to “reinforce the incentives to ensure security in the cloud”. Businesses must take the security of personal data more seriously, she said. She recognised that it is possible to argue that personal information is not secure on the hard drive of a home PC and therefore security is not just a problem in cloud computing, but, she warned, “we should not underestimate the risks in the cloud where the data of millions of people is stored”. She expressed concern over the fact that large internet companies holding vast quantities of personal data are coming increasingly under attack from hackers. As a result, Commissioner Reding emphasised “security of information and privacy by design”, features which she said “must be well-integrated in the design of cloud computing products and services”.
She spoke also of “data breaches on major online game services that have affected millions of users”. In relation to such breaches, Commissioner Reding reiterated her intention to introduce a general obligation for data controllers to notify users of breaches immediately, an intention that has been carried through to the Commission’s proposed Regulation for a new data protection framework that carries a mandatory breach notification regime for all sectors.
Commissioner Reding’s speech then turned to “data portability” as an essential element of the legislative reform. Users, she said, must have the freedom to take all their data with them when they choose to leave a cloud service, and to leave no digital traces behind. Therefore, if users wish to transfer from a cloud service, their photos, agendas, e-mails, and profiles should be given back to them in a widely-used format that makes it simple to transfer elsewhere. In addition, there should be “no downside risk if someone wants to cancel an account, erase a profile or move all of their data to a competitor. Companies should not erect hurdles when people want to change.”
Commissioner Reding also recognised that cloud services and mobile devices “are made to be combined”. Cloud computing and mobile devices both allow users to use information and communications technology resources, platforms, and services from anywhere in the world. The proposed reforms are therefore also designed to ensure the free flow of data across borders, by introducing “one single set of instruments and rules for transfers of personal data to third countries, with no national extra conditions any more”. Commissioner Reding also believes that the proposed reform of the system of Binding Corporate Rules, “where they cover also data processors [means that] all kinds of business models, including cloud computing, can be covered”.
Commissioner Reding’s speech echoes many of the sentiments expressed by the Commission in its report published on 5 December 2011, on responses received to its public consultation on cloud computing. The Commission referred to the widespread need for clarification on rights, responsibilities, data protection, and liability and said that industry would benefit from guidelines on good practice, model terms and conditions, and reasonable expectations for service level agreements would be appreciated. The public sector, it said, could set the requirements for standards in security, interoperability and data portability.
Nonetheless, the Commission also stressed that as cloud computing is global, the resolution of the single digital market is only a partial solution and therefore international agreements are needed. Commissioner Reding said that the Commission “will not stop to work on cloud computing after our data protection reform proposals”. Commissioner Reding confirmed that “thorough consultations with stakeholders have just been completed and first concrete announcements will follow in due course”. Neelie Kroes, EU Commissioner for the Digital Agenda, has also confirmed that she will propose a European Cloud Computing Strategy in 2012.
All eyes are on the new framework proposals. Concerns have been raised over the potential compliance impact on businesses, in particular in relation to fair processing and information requirements, privacy by design, data breach notification, and serious enhancement of data protection authorities’ enforcement powers. For cloud computing, however, the focus will be on the extent to which the new framework is aimed at facilitating the flow of data out of the European Union (and back again) by extending data transfer tools like the business continuity and resiliency services to cover data processors.