ANALYSIS: Cloud Computing Under The European Commission’s Proposed Regulation To Revise The EU Data Protection Framework
By Renzo Marchini, of Dechert LLP, London.
The European Commission’s recently proposed Regulation to replace the EU Data Protection Directive is designed to “enhance opportunities for companies that want to do business in the EU’s internal market, while ensuring a high level of data protection for individuals” (see analysis in this issue).
The Current Situation
The new Regulation forms part of the European Commission’s overall strategy for the so-called “digital economy”, which it unveiled in its 2010 paper, A Digital Agenda for Europe. The broad aim, as described by Commission Vice-President and Justice Commissioner Viviane Reding, is to make “the Digital Single Market more accessible for both businesses and consumers”, allowing the European Union to become more competitive, as well as setting the standard for data protection regulation worldwide.
To further this aim, the proposed Regulation has three objectives: to create legal certainty; to simplify the regulatory environment; and to provide clear rules for international data transfers.
Two recent examples in the context of cloud computing provide a timely illustration of the types of problems faced by users of cloud computing that the new Regulation could resolve.
Firstly, in February 2011, the Danish Data Protection Agency rejected Odense Municipality’s application to use the cloud service “Google Apps” to store data in relation to its public schools (see analysis at WDPR, April 2011, page 13). Odense Municipality stated that data would be transferred initially to Google Ireland Limited; Google subsequently informed the Agency that it holds all data in numerous data centres worldwide, including in the United States and Europe. Thus, data would be shared between Denmark and Ireland; then between Ireland and potentially every other country in which Google operates data centres (be it the United States, within the European Economic Area or others).
However, the Agency decided it must assume that data would be transferred not only to Ireland and the United States, but also to all the other countries in which Google maintains data centres, including those neither in the European Economic Area nor in the United States (the latter being covered by Safe Harbor). It therefore deemed that Odense Municipality would not comply with current legislation because it was not proposing to enter into a contract based on the European Commission’s standard contractual clauses with Google’s individual data centres.
A second recent example of current strictures comes from the attitude taken by the Dutch government. In September 2011 it took a hard line against U.S. cloud providers: government departments were severely restricted in using such providers to process government IT data. The Dutch government’s reasoning is that the U.S. Patriot Act requires U.S. companies to provide data to the U.S. authorities if requested under the Act.
Whilst the Commission undoubtedly wants to promote the establishment and operation of cloud servers within the European Economic Area, currently many substantial data centres are located elsewhere. This poses a challenge to the Commission: balancing the Digital Agenda and opening the digital economy to EU businesses with the need to have in place adequate safeguards for data transferred outside the European Union.
The legal issues for EU undertakings (whether public sector or private enterprises) wishing to entrust their data to cloud providers are well known and centre around two main issues: 1) whether it is appropriate for the cloud customer to entrust security of the personal data to a cloud provider; and 2) whether it can do so when the data might be stored outside the European Union.
The question explored here is whether the proposed new Regulation will make these compliance issues easier to navigate…