

Passing Clouds: The EC’s data protection reform plans and their relevance for cloud computing

March 2013

The EC has set out plans for a strategy to “unleash the potential of cloud computing in Europe”. It aims for faster adoption of cloud services in all economic sectors. At the same time, the planned reform and harmonisation of EU Data Protection law is well underway in the form of the draft EC data protection regulation (Regulation). The Regulation, which is part of a larger draft package currently under debate, does not deal specifically with cloud computing. Rather, it is intended to be technology-neutral. In addition, it does not touch on provisions which deal with electronic communications, in particular liability rules for intermediary service providers. Nevertheless, the Regulation will have consequences for cloud computing due to the nature of data processing taking place via these services.

In general, the Regulation will be beneficial for both cloud computing service providers and users because it will harmonise standards and requirements with regard to territorial scope, transfers of data and compliance control throughout Europe. For providers, this should, in theory, lead to fewer country-specific amendments of their business models; for users, there should be more unilateral measures for safeguarding data within the cloud. In the worldwide cloud computing market, however, this harmonisation will have only a partial effect unless the EC’s reform plans are seen as a trigger for amending the legal and regulatory framework in the USA.

The following provisions of the Regulation are likely to be relevant to cloud computing services:

Territorial scope, Art. 3(2)

For service providers located outside the EU or the EEA, there will be a significant change as the new EU data protection rules will apply to “services offered to individuals in the Union”. The question, however, is whether these rules will also apply to cases where an EU-based company is transferring its data to a cloud service located outside the EU.

Right to data portability, Art. 18

Service providers which offer cloud solutions directly to individuals will also be subject to a new right which allows an individual to request that a copy of all their stored data be transferred to another provider. The effect of this change on storage-only cloud services should be small. For cloud solutions which offer software applications, however, even if this comprises just email services, the new right to data portability might lead to a dramatic increase in costs.

Transparency requirement, Art. 11

A new requirement with regard to the provision of “transparent and easily accessible policies” will apply to service providers. While this information obligation should not be interpreted broadly, offering or making available certifications or privacy seals might be a helpful tool for service providers to achieve compliance in this regard.

Notification requirements, Art. 31 et seqq.

Service providers offering cloud solutions to individuals in the EU will be subject to a new obligation to notify the relevant supervisory authority within 24 hours in the event of a data breach. From a practical perspective, due to the complex nature of cloud service infrastructure, this short time frame could raise issues for service providers, although in some cases a reasoned justification might suffice if a notification is not possible within the 24-hour period.

Data Protection Officer, Art. 35(1)(b) and (c)

The obligation to appoint a data protection officer, i.e. a person in charge of overseeing all data processing activities, might apply to service providers with more than 250 employees for cloud computing solutions deemed to be “processing operations which… require regular and systematic monitoring” of individuals.

Processing on behalf of a controller, Art. 26 et seqq. / Art. 77


Where cloud computing - as currently recognised by EU regulators - is considered to be a “processing operation carried out on behalf” of another company, service providers will face a number of changes. For those who already comply with current German data protection law provisions, however, these new requirements will sound familiar. Obligations to sign a binding written contract outlining, inter alia, audit rights and subcontractors used; to document processes; and to co-operate with the supervisory authority, already exist under German law. Finally, service providers will not only be liable to the company on whose behalf they are acting but will also be potentially liable for damages to individuals.

Transfers outside the EU/EEA, Art. 42

With regard to data transfers outside the EU or EEA, service providers may adduce appropriate safeguards by using binding corporate rules or standard contractual clauses which must be approved either by the European Commission or by a supervisory authority. This is generally in line with current requirements set out by the EU’s Data Protection Supervisory Body, based on the Article 29 Working Party’s “Opinion on Cloud Computing”. Under the Regulation, however, the use of standard contractual clauses will be mandatory for and applicable to all processing and subprocessing activities, not only for non-European ones.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Thanos Rammos


Thanos summarises the impact of the EC data protection proposals on cloud computing.