
Security of personal data in the cloud more important than where it is stored, EU official says

Out-Law News | 18 Jun 2012 | 2:09 pm

The security of personal data on cloud computing servers is more important than where the information itself is physically stored, an official at the European Commission has said.

Megan Richards, acting deputy director-general of the Information Society and Media Directorate-General at the European Commission, said that personal data should not have to be located within the EU in order for EU rules governing its processing and storage to apply.

"The cloud does not stop at national boundaries," Richards said at a cloud computing conference in London last week, according to a report by Techworld.

"You shouldn't care where the data is as long as it is secure and meets regulatory requirements, so now the question is how to ensure that – how to make sure that when we use cloud resources, personal data does meet those requirements," Richards said.

Cloud computing refers to the delivery of processing and storage over the internet rather than on local computing resources. It allows users to access or store information without owning or operating the underlying software and hardware; many online companies, such as Google, run large server estates that hold the data and deliver it to users on demand.

In January the European Commission published draft legislation aimed at reforming the EU data protection framework. Its proposed General Data Protection Regulation would introduce a single data protection law across all 27 EU member states which companies based outside the EU borders would be subject to if they process personal data of EU citizens.

Richards said that the European Parliament is currently assessing the plans and that "it usually takes a year" for legislation to be passed by the Parliament, according to a report by The Register news website.

However, the current data protection framework in Europe is creating problems for researchers who store information in the cloud, an IT expert at the European Organisation for Nuclear Research (CERN) has said.

CERN's openlab project sees private sector firms invest in research by scientists working on the Large Hadron Collider. The physics experiments produce a mass of data that CERN shares with its private sector investors.

Bob Jones, head of openlab at CERN, said that capacity was a problem. He said that the body is to conduct a pilot scheme in which cloud computing would be used to move data produced by the experiments between CERN's own systems and 'data centres' in the cloud operated by its commercial partners.

However, current EU data protection laws are a hindrance to CERN's collaboration plans, Jones said.

"We are working with high-tech companies, industrial companies and European agencies, and the key point is the regulatory framework is creating a barrier," Jones said at the Cloud Computing World Forum, according to a report by Techworld.

The European Commission has labelled the current data protection regime in Europe as fragmented and outdated. EU member states have introduced their own national laws implementing the 1995 Data Protection Directive, and have created their own standards in applying those rules. The Commission previously said that the fragmented approach has caused "legal uncertainty" for businesses.

In addition, complicated rules govern international transfers of personal data. The Commission has said that businesses view the rules as a "substantial impediment to their operations."

Current EU data protection laws prevent companies sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.

However, under the proposed data protection reforms it would become easier for companies to establish a single set of binding corporate rules (BCRs) that could be used to legitimise international transfers of personal data.

BCRs are legally-binding commitments that a company draws up to govern the transfer and processing of personal data outside the European Economic Area to a country that the European Commission has not pre-approved as adequate.

Currently, BCRs are assessed on an individual basis by regulators in each member state, prompting most companies to use the simpler European Commission model contractual clauses instead in order to legalise overseas transfers of data. Under the draft Regulation, however, BCRs approved by one regulator would apply in all other EU countries.