New EU laws to protect data in the cloud

Grazed from Public Service Europe.  Author: Daniel Mason.

New European Union laws to be proposed next month will oblige companies to act more quickly to tell customers if their data is compromised, reinforce individuals' rights to remove photos and videos from an internet profile without leaving a digital trace, and reduce the regulatory burden of data protection rules so that businesses can maximise the benefits of cloud computing – European Commission vice-president Viviane Reding said today.

Speaking at a GSMA Europe conference on cloud computing in Brussels, Reding said she would propose next month to protect internet users and unlock the technology's potential. "Reliable and consistent rules are essential if we want the digital economy and our digital single market to grow." These rules make people feel comfortable about using new technologies and services. We need a framework for privacy that protects individuals and boosts the digital economy." The EU is also negotiating a data protection agreement with the United States...

Among the proposals will be a commitment to ensure users would be able to remove their photos, videos or contacts from a cloud service without leaving any digital trace because "their profiles belong to them, not to the company". The content should be returned to the customer in a widely used format so that they can be transferred to another provider, Reding said. "Individuals should not be discouraged from switching from one cloud service to another," she insisted, adding that there should be "no downside risk" for someone if they decided to cancel an account or erase data. "Locking-in not only stifles effective competition but, more importantly, deprives users of their effective right to freely choose and freely change the best privacy environments for their personal data. This right to data portability will be an essential element."

She said businesses would be forced to take security more seriously, including acting more quickly to tell users if their data has been compromised. "We see that large internet companies that hold vast quantities of data increasingly come under constant attack from hackers. We have also seen data breaches on major online game services that have affected millions of users," she said. The data of 77 million users of Sony's PlayStation Network was compromised earlier this year, and the company was criticised for its delay before announcing the security breach to its customers. Sony said it took a week to investigate the scale of the data theft.

But Reding warned: "There can be no excuses for not letting people know what has happened to their personal information. These data security breaches risk undermining people's trust in the digital economy. My proposal introduces a general obligation for data controllers to notify such breaches immediately." Similar legislation has been effective in the telecoms industry since 2009. The commissioner said users should have full control of their data, with companies providing clear information about how it is used and whether it has been passed to third parties. Coordination between national watchdogs should be strengthened, she said. In a speech yesterday to the second annual European data protection and privacy conference, Reding said it was 16 years ago that the commission's directive on data protection had been created and the "the world has become much smaller".

Today, Reding said she would simplify inefficient data protection rules to reduce the regulatory burden and create a level playing field for EU companies. "As a result, companies will be able to sell goods and services to 500 million people in the EU under the same data protection rules." She backed the creation of a "real single online market for online services" in the EU, guaranteeing the free flow of data beyond Europe's borders, warning that the EU should not fall into the trap of restricting users to a European cloud. But she said the cloud would only be valuable if it was trusted – and business would gain a competitive edge if they complied with privacy rules.

Reding said that the benefits of cloud computing for economic growth could be enormous. "We save space, time and money. It is an opportunity for citizens, businesses and the economy as a whole. Companies cut costs by outsourcing data storage tasks. For European businesses, cost savings are the cloud's biggest attraction. Small and medium-sized companies no longer have to worry about maintaining expensive servers at their offices. They have access to the same data storage service as large companies and can compete on a level playing field." She added that cloud computing "shifts resources to where they are needed".

She said her proposals would have to stand the test of time because it was impossible to predict changes in technology. "Europe's new data protection rules should continue to guarantee a high level of protection of our citizens and provide legal certainty to businesses, no matter what marvels and life-changing innovations arrive in the coming years. The upcoming reform needs to be legally sound, citizen friendly and future proof." She said that Digital Agenda commissioner Neelie Kroes would unveil a European Cloud Computing Strategy in 2012. Last month, the British Information Commissioner's Office said it was vital that the new EU rules were easy to apply.