08 May 2014

Clouds and the proposed EU Data Protection Regulation

'Cloud Accountability: The Likely Impact of the Proposed EU Data Protection Regulation' by W. Kuan Hon, Eleni Kosta, Christopher Millard and Dimitra Stefanatou considers the implications for cloud accountability of current proposals under the draft General Data Protection Regulation to modernise the EU Data Protection Directive. It makes recommendations aimed at improving the technology-neutrality of the proposals and their appropriateness for cloud computing, with a view to ensuring that the proposals will maintain or enhance protection of personal data for data subjects while not unduly deterring cloud computing. 
It is based on documents publicly available as at 14 February 2014, and analyses and compares the European Commission's January 2012 draft, the LIBE Committee's November 2013 draft (since approved unamended by the full European Parliament in March 2014), and the first full draft of the Council published in December 2013. 
A similar work by Kosta et al. was noted here.

In the current 60-page paper the authors offer several recommendations -
  • Cloud and other new technologies should not be treated as risky per se – risks depend on their intended use and the type and sensitivity of the data concerned. 
  • For technology neutrality, only persons with logical access to intelligible personal data should be regulated. Physical access is not necessary or sufficient to access intelligible personal data. 
  • The ‘personal data’ definition triggers obligations and liability in an ‘all or nothing’ fashion and could encompass most data. A concept of pseudonymous data is one way to calibrate obligations, but definitions and obligations for each data type need further consideration. 
  • The extra-territorial scope of EU data protection law is unclear. To avoid discouraging non-EU controllers and providers from using EU data centres and EU cloud providers or sub-providers, the status of data centres and hardware/software providers should be clarified explicitly, as should the key definitions of ‘establishment’, ‘context of activities’ and ‘offering’. 
  • Clarity is needed regarding which obligations should trigger ‘strict liability’ for any non-compliance regardless of fault, and which should be risk-based, e.g. requiring only the taking of measures appropriate to the individual situation or reasonable measures to industry standards. 
  • We support a more focused risk-based approach, as opposed to requiring privacy impact assessments etc in a broad range of situations that may not warrant it from a risks perspective. 
  • To incentivise adoption of accountability measures such as codes of conduct, certifications, and seals, consequences of adoption should be made clear. In particular, defences or reductions in liability should be available to those who have obtained and complied with such measures. 
  • Defences available to intermediaries under the E-Commerce Directive should be available to cloud providers if they do not know that data stored with them by their users are personal data, or do not or cannot access intelligible personal data. Also, provisions regarding ‘instructions’ to processors should instead target the underlying mischief, namely misuse or disclosure of intelligible personal data by processors.
  • Rather than impose joint liability on processors and co-controllers, a more fault-based allocation of liability is recommended. Careful consideration is needed of exactly which obligations should be imposed on processors. 
  • Consideration should be given to abolishing the data export restriction and international agreement sought on jurisdictional conflicts and rules restricting, or compelling, government access to personal data. If the restriction is retained, ‘transfer’ should be defined by reference to intention to give or allow logical access to intelligible personal data to a third party recipient who is subject to the jurisdiction of a third country. Prior authorisations by data protection authorities are not practicable and should be required only in selective appropriate cases. Any ‘legitimate interests’ derogation should be based not on size or frequency of transfers but on risk-appropriate safeguards and a balancing against data subjects’ rights and interests. 
  • We support updating security requirements in line with general concepts of confidentiality, integrity and availability. 
  • The requirements and scope of data protection by design and default need to cater for infrastructure providers who may not know the nature of data processed using their infrastructure, and controllers and processors who may have limited control over infrastructure. 
  • Clarification is needed regarding the types of data breaches to be notified, thresholds and the detailed contents of any public register, but we support the deletion of ‘hard’ time limits. 
  • The right to data portability is very limited in scope, and this could be reconsidered, as well as its relationship with the right to erasure.