In defence of the cloud
"This article was first published in Data Protection Law & Policy in September 2011."
What should we make of recent reports that the Dutch government is banning non-EU-based cloud services, and of the launch by leading providers of EU-only clouds? Is this fierce European protectionism or sensible data protection? If anything, these developments show a trend towards restricting cloud computing services geographically, so that the fuzzy Internet cloud becomes a series of neatly divided gas bubbles. Yet instead of a technological uproar against such an aberration, there seems to be a quiet acceptance based on legal constraints and half-baked security arguments. Is data protection once again being cited as the justification for stifling technological progress? That would not be surprising, but it is somewhat unfair and clearly unnecessary.
A Dutch government minister has been quoted as saying that US cloud service providers will be excluded from public sector contracts because of fears that the USA Patriot Act may be used to obtain data unlawfully. So, to avoid a potential conflict between the data demands of one country and the data protection obligations of another, a drastic decision appears to have been made. What this decision seems to overlook is that European data protection law already contains the mechanisms needed to allow justifiable disclosures of data across jurisdictions and to mitigate the risk of misuse by the recipient. Complying with a legal obligation to hand over data in a non-EU jurisdiction does not automatically amount to a breach of data protection law.
A commonly cited barrier to engaging cloud service providers is precisely those providers' unwillingness to negotiate. A mighty cloud vendor may be a little more willing to sit at the negotiation table with a government department or a large corporation, but most other would-be customers will have no option but to accept a set of standard terms and conditions. Will such terms provide sufficient safeguards to allow a European customer to comply with its own legal requirements? Frankly, a well-drafted set of terms is quite likely to set out the boundaries of the service and the level of security being adopted, and that, by and large, is what European data controllers need in order to meet their obligations.
Beyond the contractual terms, the actual level of security in place is a critical aspect of data protection, and, as it happens, it is invariably the most critical aspect for the service provider as well. This point was put very simply by Vivek Kundra, President Obama's former CIO and currently a Harvard academic, in an article published in the New York Times. Kundra writes that cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber-security personnel of a higher quality than many government agencies. To put it differently: just as airlines treat safety as the foundation of their business, every cloud vendor knows that solid data security is its top business priority, because a serious breach threatens the business itself.
A tricky issue for European cloud users is, of course, the legal restriction on overseas transfers of personal data. The cumbersome administrative requirements that must be satisfied in order to legitimise those transfers are not particularly helpful, and matters are made worse by the straitjacket nature of the European Commission's model clauses for data transfers. So a cloud computing vendor will not agree to the standard contractual clauses? Who can blame them! This is an issue that badly needs addressing. High hopes rest on the forthcoming EU data protection legal framework, but as that could easily take half a decade to materialise, we might as well try to find a solution today. Undoubtedly, smart cloud providers are very likely to take the lead and push for a Safe Processor Rules-type solution aimed not only at overcoming the transfer restrictions but at creating a balanced model of rights and obligations.
As Vivek Kundra puts it, the current economic crisis will only accelerate the move toward cloud services. European data protection law should be a catalyst for the development of the cloud, not a barrier to it. Conflicts of law call for a common-sense approach in which legally required disclosures of cloud data remain proportionate and subject to privacy safeguards. Beyond that, data protection and cloud computing can reinforce each other. If European data privacy is about balancing the free flow of information with individuals' control over their personal information, cloud services can definitely support that balance and facilitate legal compliance whilst maximising the benefits of the information economy.