2014 is likely to prove to be a big year in data protection for many industries – none more so than the cloud computing industry, with the possible adoption of the EU’s proposed Data Protection Regulation, the implementation of European cyber security strategies and moves by Germany and France to set up a European Communications Network.
In a recent weekly podcast, German Chancellor Angela Merkel suggested a European Communications Network should be set up to avoid potential access to data by the U.S. Government. In the podcast Merkel commented: “We’ll talk about European providers that offer security to our citizens, so one shouldn’t have to send emails and other information across the Atlantic”.
It is not clear whether these comments will ever develop into anything more concrete but what is clear is that concerns around data protection and cyber security are driving a number of regulatory developments that will have a significant and profound impact on the cloud computing industry in 2014.
The proposed EU Data Protection Regulation
The proposed EU Data Protection Regulation was originally published by the European Commission in January 2012 and is designed to introduce a radically new data protection regime. The proposed EU Data Protection Regulation will apply to European businesses and also businesses outside the EU that have personal data on EU citizens and so will directly apply to cloud providers in the EU and those outside the EU.
Non-compliance with the proposed Regulation can expose organisations to potentially significant fines of up to 5% of their annual worldwide turnover or €100 million. The proposed Regulation is particularly aimed at tech and social media companies, giving individuals a “Right to be Forgotten” that allows them to request that their personal data be deleted.
The proposed EU Data Protection Regulation also contains various obligations on companies that will be relevant for cloud providers including appointment of data protection officers, keeping detailed records of what personal data are collected and performing privacy impact assessments. There are also obligations to implement appropriate technical and organisational security measures and a requirement to report security breaches “without undue delay”. The proposed EU Data Protection Regulation is expected to be adopted in 2015.
The proposed Regulation also maintains the current European data protection restrictions on transferring personal data to countries outside the EU that are not deemed to provide an adequate level of protection, such as the U.S.
The proposed NIS Directive
Recently the UK Government ranked cyber security as a Tier 1 threat to national security, equal with terrorism. Against a background of increasing concern over cyber security and a rise in data breaches, the European Commission last year published a proposal for a Network and Information Security Directive (“NIS Directive”) which will have a significant impact on cloud providers.
Indeed, one of the key points of the NIS Directive is to extend to a certain number of market operators, including cloud providers and key internet companies, the obligation to assess the risks they face, adopt appropriate measures to ensure network information security and to report to the competent authorities any incidents seriously compromising their networks and information systems. The European Parliament is currently considering the draft NIS Directive.
Data protection and cyber security are now firmly boardroom issues for cloud providers and those businesses that use cloud computing. Regulators are also now looking closely at cloud computing and data protection, with several European DPAs having issued important guidance over the last few months.
It will be key for the cloud computing industry in 2014 to monitor these developments closely, engage with regulators and assess the impact of these developments on their businesses.