IT giants still wary of EU on data protection


This article is part of our special report Data protection.

New EU data protection rules could threaten growth in the high-tech cloud computing sector in Europe, says a report published yesterday (22 February) by a leading industry group.

However, it also finds that existing legislation across Europe is better-suited to support the expansion of cloud than many emerging economies including China and India.

The report ranks 24 countries by their "cloud-friendliness" depending on factors including data protection, cybersecurity and intellectual property rights. It was prepared by the Business Software Alliance, or BSA, a lobbying group whose members include Microsoft, Apple, Dell, Intel and Adobe.

The document criticises European Commissioner for Justice Viviane Reding's regulation proposal on data protection, presented last month, saying it "has the potential to undermine its benefits with new, overly prescriptive rules [that] threaten to undermine the economic advances that a truly global cloud can provide."

The criticism comes despite moves to water down the proposal to accommodate economic and security concerns raised by Commissioner for Trade Karel De Gucht, Commissioner for Digital Agenda Neelie Kroes, and the US government.

EU proposal 'too prescriptive'

Reding's legislation would require companies of more than 250 employees that hold personal information to assign a data protection officer, to warn the authorities of a data breach within 24 hours, and to establish documentation and security procedures for data processing.

BSA's director of government affairs in Europe, Thomas Boué, called the provisions "too prescriptive". "It's going to be a box-ticking exercise but will it protect the data? That remains to be seen," he said.

Boué said the numerous 'delegated acts' in the regulation – specific rules that have to be defined by the Commission at a later date – are creating "legal uncertainty" for IT firms considering cloud computing.

These delegated acts include the definition of "public interest" in data transfer authorisation; the conditions for children to grant their consent to sharing personal data; documentation and security requirements for data processing; and the "right to be forgotten".

Matthew Newman, spokesperson for Reding's office, downplayed the fears, saying the Parliament and national governments are involved in the process. "We always consult broadly before making proposals," he said.

Security concerns

More generally European countries rank high in the report for "cloud-readiness". In contrast, fast-growing emerging countries including China, India, Indonesia and Singapore "do not yet have any substantial data protection laws," the BSA report says.

The report claims this will limit the benefits these countries draw from cloud computing saying, "users will fully accept and adopt cloud computing only if they are confident that private information stored in the cloud, wherever in the world, will not be used or disclosed by the cloud provider in unexpected ways."

In recent years the information and communications technology sector has been expanding massively in emerging economies. The number of Chinese internet users reportedly reached over 500 million at the end of 2011 and it has been estimated that the country's ICT sector will nearly double in turnover between 2010 and 2015, reaching around €300 billion.

Cloud computing describes a range of infrastructure, software, data or applications residing in the 'cloud' – off your own premises and accessed via the Internet.

A study carried out by the University of Milan, published in late 2010, estimated that cloud computing has the potential to create 1.5 million new jobs in Europe over five years. The sector's turnover worldwide in 2010 was estimated at around €26.7 billion.

While businesses and governments are enthusiastic, EU regulators have been more wary, as further use of cloud systems would mean a large swathe of public and commercial data would migrate to servers possibly located outside national borders or on other continents.

Existing European Union rules on data protection were adopted in 1995, when the internet was in its infancy.  On 25 January the European Commission proposed a new regulation to govern data protection, which must be still be examined and approved by the Council of Ministers and European Parliament.

Subscribe to our newsletters