Data Protection in the Cloud
Cloud computing has become a reality in almost all areas of today’s life and business. What appears to be a trend is not a new development: the hosting of services on third-party infrastructure has existed for several years. But due to rapid technological developments, the problems with it have only now become visible to a broad public.
As cloud computing is used more and more, the biggest question for regulators and lawyers is determining the applicable law. For data processing and storage in the cloud, this question arises first of all with provisions and standards on data security and data protection. From a business perspective, security standards are already considered very important, as they concern not only clients’ trust in the integrity of their systems and services, but also the possibility of criminals or competitors damaging their interests or property.
Something that still does not figure enough in the minds of cloud providers and users is the question of data protection and privacy. As a fundamental right of the “data subject”, it is not a genuine interest of cloud providers and users in the first place. But it is turning out to be a growing issue for clients. When it comes to consumers’ trust in the digital market and the services provided, the figures are devastating.
According to a survey by the British researcher Ovum in eleven different countries, only 14 per cent of the consumers asked said that they trust that their data protection rights are respected by the services on the market today. In addition, there is growing awareness of the problem of services which are based on or use cloud services outside one’s own jurisdiction. To give consumers back their trust in the digital market, the European Union now proposes a regulation on data protection which sets out a single standard for the European market.
The EU’s data protection regulation should replace the existing 27 different laws on data protection in the EU, which are based on a directive from 1995. With this step the European institutions intend to give citizens, businesses and authorities legal certainty about the rules that apply in the single European market. Based on the existing rules, this regulation will dramatically simplify compliance with data protection rules in cloud-based services. As Europeans have set out a high level of protection for their citizens based on the Charter of Fundamental Rights and the Lisbon Treaty, the new regulation will set a global standard for a safe environment when it comes to data protection and privacy.
Every cloud provider could be certified in line with the European provisions and thereby be on the safe side when offering products and services on the European market. At the same time, this would give a competitive advantage to those who already take care of high data security and data protection standards in the design of their products and services.
The future of the digital market will be determined by consumer trust in secure systems that meet the standards consumers expect and comply with the rules they decide on in their democratic institutions. The lack of enforcement and the diversity of regulations will not be accepted by citizens, either in the medium term or in the long term.
As some dominant market players try to convince policy makers and consumers that there is no need for a legislative standard on data protection and other standards for the digital economy, we already see new competitors deciding aspects of consumer expectation with regard to a secure legal and technical environment. With regard to the developments at the ITU and the different regulatory approaches across the globe when it comes to online services, a clash of different legal cultures, especially between democracies based on the rule of law respecting basic rights of citizens and repressive or deregulated states, is more than foreseeable in the coming years.
It will be a huge question how those states which see a value in protecting their citizens’ interests will prevail in this struggle, as they do not represent a majority in international institutions in the global market. For as long as they do not take positive action to protect their legal systems and standards by setting simple and enforceable rules, the reality of cloud computing will lead to mistrust and a huge competitive disadvantage, especially for those companies setting high standards for security and data protection. The EU’s data protection regulation is a first step towards a single digital market in the European Union and thereby leads the global debate on introducing common rules for high standards.
Having said this, it is obvious that high standards on data protection are no contradiction to, but instead a condition for, growth and innovation in the digital market. Many new cloud services already implement the privacy by design and privacy by default principles and apply for data protection and data security seals. Economic growth and fruitful competition will depend on clear rules set by the legislators for their own markets. Only then can a debate about best regulation take place.