A new Opinion of the EU Data Protection Supervisor discusses some of the problems in applying the current Data Protection Directive to public cloud services, and how these might be handled better under the proposed Data Protection Regulation. Particular challenges include:
- Although the Directive claims to regulate “transfers” of personal data out of the EEA, it is not clear what constitutes a transfer. Although discussion sometimes concentrates on the location of disk drives, “from a service perspective, it is more relevant to consider from where the data can be accessed. However, the hosting location of data remains relevant with respect to the applicability of national law. This is even more obvious where (national) authorities would need physical access to data”;
- The Directive asks whether the country to which information is transferred has adequate protection, but for a cloud service with data centres around the globe, which country should be checked?
- The Directive expects the cloud client, as data controller, to select appropriate security measures even though when using a cloud “it is not realistic to expect from a large provider with many customers to tailor its technical infrastructure or organisation to meet the specific compliance requirements of each customer on the basis of individually negotiated contracts.”
The Opinion suggests that the draft Regulation might help with all of these:
- There is more scope to use contracts, rather than geography, to ensure adequate protection. These might use model clauses approved at EU or national level, or be individually negotiated. National regulators or the Commission might help by developing model contracts specifically designed for cloud services;
- Cloud providers with an establishment in an EU country could use Binding Corporate Rules to cover processing by their whole global organisation and might even extend these to external sub-contractors;
- The new requirements to notify regulators of security breaches and, if necessary, to implement minimum security measures will help cloud clients know what security measures they need to take and what they can rely on from their provider.
Finally, the Opinion looks at the issue of access to personal data by law enforcement and other state authorities. Within Europe such access is governed by the Rule of Law and subject to scrutiny by regulators. The EU DPS suggests that these same requirements should be included in future bilateral and international negotiations of Mutual Legal Assistance and trade agreements.