Neelie Kroes: EU Data protection reform and Cloud Computing


“Fuelling the European Economy” event, Microsoft Executive Briefing Centre

Ladies and Gentlemen,

Cloud computing will change the way businesses do IT, and it will change our economies. Because it will tremendously increase flexibility and efficiency.

And I think we could all do with a productivity boost right now.

But potential users still hesitate. They worry about the service they will be getting, about risks of lock-in and whether they can trust the provider with their data.

All businesses, and the smaller ones in particular, want to know the answers to these questions. To obtain the benefits of the Cloud without protracted and expensive legal negotiations. To get clarity on issues like standards, privacy, data portability, legal liability and applicable jurisdiction. To help them we are working on a European Cloud Strategy for mid-2012. The strategy will set out how different actions can serve this goal, how to make Europe not just Cloud-friendly – but Cloud-active.

One of these actions, announced in Davos last week, is the creation of a European Cloud Partnership between public authorities and industry. With a simple idea: to agree common requirements for public Cloud procurement and thus harness the buying power of the public sector. So the Cloud can support public administrations and public administrations can support the Cloud.

In my speech there I set out the need to make the Cloud a great place to find innovative, legal content – a place where using creative material means recognition and reward for creators. Remaining obstacles will be assessed in the Cloud Computing Strategy.

Today I want to focus on another, very topical part of the story: the EU data protection reform and what it means for Cloud Computing.

The Commission proposal, presented last week, is designed to improve privacy online while allowing for the development and use of the new services we need. Rules fit for the Cloud era.

There are two sides to this coin. We must have rules people can trust: because if people can’t trust new technology, they will turn it off. And we won’t achieve wide uptake of the Cloud.

But on the other hand, it’s no use having rules that only make sense on paper, but are unworkable when it comes to new technology and can’t be applied in practice. Especially when you consider applications that were not even imagined 15 years ago. Our current data protection rules date from the early 90s, when the net was a niche activity. When the founder of Facebook, Mark Zuckerberg, had just started school.

Today we have hundreds of millions of Internet users in Europe alone. We have seen new developments like social networks, and new promises like the Cloud. And systems, companies and data readily cross borders.

The challenge is to take our fundamental rights to privacy and the protection of personal data and make them work in the digital era. So that we remove obstacles – and indeed give a boost – to a competitive and effective Cloud market.

Our proposal starts from everybody owning their own personal data. It can only be used with good reasons. You can correct it, get a copy in a commonly-used, interoperable format to go on using it elsewhere, or to have it deleted.

So putting your personal data in the Cloud needn’t mean you lose control of it, or that you’re locked in to one provider. That’s good for privacy, good for user control, and good for a competitive Cloud market. Because I don’t want a situation where choosing one Cloud service means that you’re stuck with that decision. And this is of course true even for non-personal data, by the way.

Second, we have proposed rules more relevant to a networked, connected world. Clouds cross borders, and so does the data they hold. So we will make it easier to operate Clouds both within and outside our Single Market.

We have proposed a Regulation to replace a Directive: that means a single set of rules for Europe, not 27 different ones. Alongside that, under the new rules you will get a one-stop-shop of enforcement. So that, even if an operator is active in several EU countries, it will only have to deal with one data protection authority – the one where its main base is.

Cloud users should not have to guess where their provider is: if a company offers goods or services to people in the EU, or is monitoring them, then it shouldn’t matter where that company’s based – in Madrid, Mumbai or Mountain View. Our rules should apply to the data.

Globally operating businesses will benefit from changes to the use of binding corporate rules. They only have to get authorisation from a single authority; and there is more recognition of the variety of structures used in Cloud Computing. That will make the use of BCRs less burdensome and more effective.

This legal framework is a sound basis for the Cloud. But I am confident that many Cloud providers will choose to go further, and take additional steps. Because strong protection and respect for privacy make good business sense. From our public consultation, we know people are concerned about which Cloud providers they can trust. And let’s not forget that even in established areas like online shopping today less than one in five people feel in complete control of their personal data. Here to read more.

Share this article!

About Author

Leave A Reply