Data Protection Reform, The Cloud, and Millard

February 1, 2012

In the wake of the EU Commission’s release of a draft Data Protection Regulation, Professor Christopher Millard, leader of the Cloud Legal Project at Queen Mary University of London, has released his comments on the data reform package. He said:

Commissioner Kroes stated that the proposals will ‘make it easier to operate a cloud across the EU, with a single point of contact’ and ‘make it easier to operate outside the EU, too, with simplified and more consistent rules.’

However, unless further changes are made to clarify and harmonise data protection rules across the EU, the draft Regulation may drive business away from Europe, and still fail to deliver effective protection for individuals.

It will be difficult for non-European cloud providers to determine which EU country will supervise them for data protection purposes across Europe. This may discourage the building or use of EU data centres or EU service providers for cloud computing.

Furthermore, the draft Regulation fails to close a loophole which may undermine protection for some EU residents when they use services provided by non-EU cloud providers.

The use of cloud computing may also be inhibited by additional restrictions on the transfer of personal data outside Europe, including cumbersome regulatory approval requirements.

Given the ease of global data transmission and remote access over the Internet, and the increasingly fragmented nature of data storage, what matters most for privacy and security is who can access the data in intelligible form. This is now more important for privacy than data location.

In our recommendations, we proposed a more radical solution, namely abolishing the restriction on data export, focusing instead on appropriate measures to ensure security, transparency and accountability, regardless of the geographical location of personal data.

The draft Regulation will impose substantial new compliance obligations on businesses, as well as greatly expanding the roles of the European Commission and national regulators, all of whom will need extra resources.

It is unclear how this will be financed, especially in the current economic climate. The proposed abolition of registration fees is a step towards reducing red tape, but proper provision for the adequate funding of supervisory authorities in performing their expanded duties will be essential if the draft Regulation is to protect individuals and facilitate the free flow of data.

Professor Millard is one of the speakers (with Mark Watts and Hazel Grant) at SCL’s upcoming data protection seminar, which will consider the implications of the reform package.

Don’t miss the comments already posted on the site with the original reform package news item. It includes contributions from Eduardo Ustaran, Jacob Kohnstamm, John Halton, Bridget Treacy, Richard Thomas, Maragaret Tofalides, Peter Hustinx, Shelley Thomas and a comment posted by Renzo Marchini.

For the Cloud Legal Project web site, where there is more on the topic, see