Chapter 9: The proposed new EU Regulation and other measures – Data Protection and the Cloud: Are the risks too great?


The EU Directive (95/46/EC), on which the Data Protection Act 1998 is based, was first mooted in 1993 and agreed in 1995. The intervening 20 years have seen dramatic technical changes which could not have been foreseen at the time. Cloud computing is one of these.

Many would say that the Directive has actually coped quite well with these changes, as it was couched largely in terms of general principles and could therefore be seen as technologically neutral. Cloud computing and other developments have, however, started to raise issues to which the existing data protection regime does not really have answers. A review would also allow some modification to be made in the light of experience.

The process began with the publication of a proposed Regulation by the European Commission in late 2011. After a great deal of discussion and negotiation, the European Parliament approved a revised version in October 2013. The next stage is agreement by the Council of Ministers, where national preferences and viewpoints are likely to come into play. The European elections in 2014 brought about significant changes, both in the Parliament and subsequently in the Commission, so that, at the time of writing, it is hard to predict the final form in which the Regulation will emerge.

Once the Regulation is approved, there is a lead-in period, but after that it takes effect immediately. A Regulation is in effect an EU-wide law; it doesn’t depend on individual countries bringing in their own legislation. Even in the event of the UK leaving the EU, it is unlikely that free trade arrangements would be able to continue without the UK adopting legislation compatible with the Regulation.

Many of the issues addressed in the draft Regulation are not specific to cloud applications. However, it is worth being aware of some possible changes that the new Regulation might bring about. These include:

Security: There are more specific obligations on the security measures to be taken.

Data Controllers and Data Processors: There is more clarity on how the responsibility is shared out when two or more organisations work together, either as joint Data Controllers or as Data Controller and Data Processor.

Data Protection management: The rules on how organisations must manage Data Protection are much more specific, including provision for every Data Controller (possibly excluding small ones) to have a suitably qualified Data Protection Officer.

Breach notification: All (or at least many more than at present) data breaches would have to be notified to the Information Commissioner.

Penalties: Far higher maximum penalties for breaches are a possibility, based on the size of the organisation. The proposal is for penalties to be up to 2% of global turnover.

Basis of processing: There are minor changes, such as requiring ‘data minimisation’.

Erasure: Data Subjects would have the right, in some circumstances, to require data to be erased. This has been erroneously described as a ‘right to be forgotten’.

The EU Commission has also said that it may establish standards for terms and conditions for cloud computing services. Progress towards this appears to have been made with the establishment of the Cloud Select Industry Group, under whose auspices an industry group (largely appearing to comprise US companies) produced draft standard guidelines[10] in June 2014. The guidelines set out a process for ensuring that cloud computing terms and conditions are clear and comparable between providers. They do not, however, appear to redress the balance between the provider and the customer in terms of the negotiability of cloud terms and conditions, or to provide mandatory minimum standards.

The next step is for these guidelines to be tested with cloud users.


[10] At the time of writing these can be found at: