Clouds and the draft Data Protection Regulation

At the moment both cloud computing providers and their business customers in Europe have to deal with at least twenty-eight different interpretations of Data Protection law. And there are nearly as many different national rules and formalities when using non-European cloud providers (the UK approach is described in the Information Commissioner’s Guide to Cloud Computing). The current process to develop a European Data Protection Regulation should reduce this divergence as there will be a single law applicable across all member states and national regulators will be able to grant approvals that take effect across the EU. Getting to that stage is taking a long time, as it requires the European Commission, Parliament and Council of Ministers to agree on a complex legal text. Recent publications suggest that the Commission and Parliament have different ideas on how that law should deal with cloud computing.

When the Commission published their first draft last year they declared it “cloud-aware”, containing and developing most of the existing legal provisions that are used to support cloud computing. Indeed Binding Corporate Rules for Data Processors, which had been developed under the authority of the Article 29 Working Party, appeared for the first time in (draft) law.

By contrast, the European Parliament’s recent response seems to foresee a different approach, suggested last year by the EU Data Protection Supervisor, which would rely much more on providers or contracts being approved in advance by national authorities. The process for obtaining continent-wide approval should be simpler, as it will no longer involve consulting every national regulator. But it will require providers to be willing to seek authorisation and regulators to find the resources to grant it (a concern that has been expressed by the UK’s Information Commissioner). European businesses that are unable to obtain approval in the two years between the passing of the law and its coming into force (currently foreseen around 2017) may be trapped without a lawful source of the infrastructure they need to provide high-quality cloud-based services to their customers.

Fortunately NRENs such as Janet have already established relationships with major cloud providers, who have been willing to adapt their services and agreements to meet our customers’ requirements under current data protection law. The Commission have recently rejected any “fortress Europe” approach to cloud computing. So if a future Data Protection Regulation were to require a different approach to compliance we expect that our existing relationships and agreements would let us help both providers and customers find the best way to achieve it.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
