At the recent SCL seminar on the pan-European data protection of cloud services there was a somewhat frustrated comment at the end of the event from a data protection specialist that it is “really no different from anything else”. I’ve been mulling over that comment as in a sense he was right. Cloud services are regulated in just the same way as other services. At the event we had a range of excellent presentations from data protection experts about how the data protection rules are applied to cloud services in a variety of European countries, together with an overview from the Rapporteur for the Article 29 Working Party. What we did not do – other than through Dervish Tayyip setting the scene at the start of the seminar – was to provide an opportunity for cloud service providers to explain why the current regulatory environment for cloud services is inappropriate.
This was perhaps a mistake but the issues are well known. The challenges posed by cloud services to data protection are nothing new for IT service provision arrangements but they exacerbate the issues considerably. The first issue is the inherently non-geographic nature of cloud services. Cloud services are available anywhere anytime, whereas (despite the European-level grounding) data protection law remains resolutely nationalistic in Europe. At the SCL event we heard about considerable differences in the way that EU data protection rules are applied across Europe: including much tougher controls on sub-contracting in Germany and more extensive registration requirements in a number of countries. Perhaps the new Regulation will introduce increased commonality across Europe but there did not seem to be too much hope about this at the SCL event.
The second issue is probably the more important. It is the problem that the data protection rules are constructed on the basis that processing takes place on the basis of instructions from the user. This seems to be a fundamental aspect of how the data protection rules are constructed but in the case of cloud services it is simply an inaccurate fiction. Cloud service providers offer services to their users and users decide whether or not to take that service. The cloud service providers decide what service will be offered, they decide how the data will be processed, they decide on the security levels that will be applied. The user can review what is offered but does not have any real opportunity to influence the decision. It is a “buy or not buy” decision. The idea that the cloud services provider acts on the instructions of the cloud services customer is false and this inaccuracy leads to all sorts of problems.
One of these problems seems to me to be the lack of constraints in the rules on the giving of consent for the use of data provided into cloud services by consumer users. If it were true that cloud service providers were acting on the instructions of their users then then the lack of constraints on the extent to which “consent” can be given for the use of data provided by users might be acceptable. The recent Instagram situation shows that this is far from the case. Cloud service providers impose “consent” requirements in their terms of use and it is only in high profile situations that inappropriate “consent” requirements can be overturned.
My prediction for 2013 is that the extent to which user’s data – whether provided by directly by users (as in Instagram) or collected by the service about users – can legitimately be used by cloud providers and other bodies will become more and more of a hot topic. It is not just a legal issue – it is a civil liberties/human rights issue with overtones of “Big Brother” and a surveillance culture. My personal view is that there are pros and cons of increased surveillance. (I’m writing this blog from my South London home which has a much reduced crime rate since the introduction of CCTV cameras – we probably wouldn’t be living here without the CCTV cameras). But there does seem to be a very real issue over the extent to which our data can be processed which ought to be addressed in the debate over the Data Protection Regulation.
This issue will be a continuing theme in 2013. It’s not new but with the ever increasing collection of user data, the increased usage of cloud services and the new Data Protection Regulation this will be one of the key “hot topics” of 2013.
Have a great Christmas and New Year break!