Cloud computing, whose whole point is to be independent of geography, does not fit comfortably into current data protection law. The Commission’s new proposal at least shows signs that clouds were a use case that was considered during drafting, so it is more obvious which provisions apply to them. These seem to offer a mixture of carrots and sticks to try to bring clouds within the European data protection regime.
UPDATE: A speech by Commissioner Kroes confirms that the Regulation is ‘cloud-aware’.
The most obvious benefit to cloud providers is that the Regulation would create a consistent law across all the Member States, so providers would only need to design their services and contracts to satisfy that single set of rules. At the moment a provider may have to satisfy 27 different data protection laws and formalities, without being completely clear which of these apply to which users. Under the current law a provider that wishes to store or process data outside the EC is supposed to incorporate a very specific set of provisions into its contract – it’s not clear that any actually do so – but under the proposal there would be much more flexibility, with the opportunity to combine contract terms and technical measures to deliver the required level of protection for the data. There is even a justification in Article 44(1)(c) that seems specifically designed to cover outsourcing arrangements: “the transfer is necessary for … a contract concluded in the interest of the data subject between the controller and another natural or legal person”. Finally, it would even seem possible for a cloud provider (which would presumably qualify as an “international company”) to have its systems formally recognised by a data protection authority as providing adequate protection; under the current rules only a country can be the subject of such a declaration, which leaves the position very unclear for those cloud providers that have data centres in many different countries.
Bringing cloud services within the EC legal framework also appears likely to increase the regulatory demands on them. Article 3(2) is explicit that even services based outside Europe will be required to comply with EC law if they “offer goods or services to [individuals] within the Union”, have contracts with them, or monitor their behaviour. Whereas at present an outsourcing contract is allowed to place all liability on the outsourcing organisation, under the proposal even a service operating under a data processor contract can become directly liable if it does not protect information as the law requires. And if a cloud provider does fail to comply with the law, the penalties under the Regulation are significantly higher than at present: according to Article 80, supervisory authorities will be able to impose fines of up to one million Euros or 4% of the organisation’s turnover for intentional or negligent breach of the Regulation.
The new Regulation therefore seems to offer cloud providers the opportunity to design and offer services that fully comply with European law. It remains to be seen whether this possibility will be sufficiently attractive for international providers to take it up.
UPDATE: Prof Chris Millard (Queen Mary, University of London) is less optimistic.
UPDATE: QMUL Cloud Legal Project submission includes an interesting comparison of clauses of the Directive and Regulation relevant to clouds.