EU prepares updates to data protection laws that could impact cloud service providers

Cloud services were tipped to be included in new data protection rules that are expected to be finalised by the European Union (EU) today.

EU ministers are expected to reach an agreement updating existing data protection rules that in some cases are up to 20 years old. If ministers reach agreement, the updates would be sent to the European Parliament for finalisation, Reuters reported.

The current rules class cloud service providers that remotely store and process server data as "processors" because they do not collect data themselves. This in turn removes their liability for illegal use of data unless they are in breach of contract with their clients, the so-called "data controllers."

The new provisions include greater liability for cloud providers rather than just the companies that are their clients. If a bank's security is compromised, for example, in the future not only will the bank be liable, but so potentially will its cloud provider.

According to the European Data Protection Supervisor (EDPS), cloud computing in general is a concern for those charged with protection of personal data privacy. "The roles of each party are not as straightforward in cloud computing, where the cloud service provider often makes important decisions about the means and conditions of processing personal information, such as where the information is stored, the use of sub-contractors and security."

The EDPS also sees the organisation of the cloud as a fundamental departure from a model where an end customer maintains control over their personal data. Under current rules, regulators believe that there is a high risk that nobody takes responsibility for full compliance with privacy and data protections per EU law.

Companies such as Germany's SAP, IBM, Cisco Systems and Amazon all oppose the new provisions, claiming they will kill the cloud computing industry in Europe. Such companies also warn that the new rules could hamper the creation of a unified market for digital services, which is also a core plank of the European Commission's agenda to boost economic growth in the EU.

Companies are worried that the new provision will blur lines of responsibility and increase liability for everyone who touches the industry.

The problem is that data is often collected, stored and processed by as many as three different companies. European regulators in turn have previously expressed concern that larger cloud companies would impose unfair terms on smaller businesses, which would then bear the brunt of responsibility in case of liability.
