European Commission Vice-President for the Digital Agenda
"Cloud computing and data protection"
Les Assises du Numérique conference,
Université Paris-Dauphine, 25 November 2010
I am delighted to join you today. I would like to thank Serge Pilicer, Christophe Stener and the organising team for creating an event so clearly at the heart of the Digital Agenda for Europe, our strategy for making every European "digital".
We all know the penetration of ICT is not an end in itself. It is already now, and will be even more so tomorrow, one of the key building blocks to generate smart, sustainable and inclusive growth in our societies. What we now face together is the task of taking the right decisions and turning these values into action. I have had an excellent experience of working with Nathalie Kosciusko-Morizet, Frédéric Mitterrand and other members of the French Government, and I look forward to continuing that with M. Eric Besson.
Of course, the many subjects that Les Assises du Numérique will address today reflect the diversity of the digital revolution: from the ever faster networks we need to roll out – and I mean both landlines and wireless high-speed broadband – to the need for ever richer content, and to the challenges of making sure all sectors of society and all territories benefit from ICTs. In our key policy document, the Digital Agenda for Europe, the European Commission has presented the actions it will deliver, together with the Member States, in the years to come.
Today, I wish to discuss cloud computing in more detail. In particular, cloud computing's relationship with individuals' privacy and the right to personal data protection, and how we can best build the trust and security essential for digital success.
Cloud computing is more than simply a technical challenge. By putting our personal data on remote servers, we risk losing control over that data. Because the right to the protection of personal data is a fundamental right in the EU, this demands several actions. Fundamentally, the Commission believes that we need further research to enhance the security features of these technologies. And indeed we are funding such research at European level – which looks at "privacy-by-design" and "privacy-enhancing technologies".
Additionally, there are questions about the flow of data within the EU and at a global level. For example, the implementation of the EU's Data Protection Directive differs across Member States. We need to clarify when this reflects an unavoidable difference of culture and legal tradition, or when it is merely an avoidable obstacle to the rules of the Single Market. The Commission will continue working with Member States to address this challenge.
In my mind, the free movement of personal data within the EU is another way to help to complete the Digital Single Market in Europe. Therefore, the underlying approach ought to be 'cloud-friendly'. But a 'cloud' without clear and strong data protection is not the sort of cloud we need. Having clear and 'cloud-friendly' rules can only help ICT companies ‑ and you know that many of them in Europe are SMEs ‑ to know exactly what is allowed and what is not. This may mean simpler, harmonised measures, for instance for the registration forms for notification purposes. We also wish to encourage self-regulatory initiatives, such as codes of conduct or codes of practice like the "binding corporate rules" for international data transfers. That is how they can effectively both protect and serve their customers.
Many international companies claim that Europe's rules on data protection are just a protectionist measure in disguise. They suggest the rules do two things: 1) give an unfair advantage to European operators, and 2) hold back the development of cloud computing in Europe. Conversely, many European players are concerned that European rules hurt them at the global level. I think both assumptions are incorrect. Take the example of the car industry: we primarily build and buy cars to enhance mobility but it does not mean we do not also care about their safety features – good brakes and airbags, for example. We do care! Data protection features should serve the same role in cloud computing. Data protection is a "must have" feature for consumers, individuals and society in general. A cloud without robust data protection is not the sort of cloud we need. So these features should be well-integrated in the design of cloud computing products and services, from the very beginning of the business processes.
In this worldview, the winners will be those manufacturers and services providers – from whatever country of origin – that understand the competitive advantage that in-built privacy features provide.
My vision is that every European cloud customer should be able to know two things:
a) that their cloud supplier protects their personal data efficiently, that is in a transparent manner, and in line with EU personal data protection standards,
b) that all the governments of all the countries where the cloud touches the earth – that is, where the servers are located – must have legal frameworks in place that guarantee adequate data protection and privacy. There can be limited exceptions for reasons of public order and national security, but these must be governed by the rule of law.
It takes brave governments and brave thinking to deal with these issues. And the Commission is prepared to be brave too. That is why we have started to work on a cloud computing strategy. For this work, we will need your input in the first half of 2011.
Against this background is a wider set of issues around the ongoing revision of European data protection legislation.
A review of the general data protection framework has just been launched by my colleague Viviane Reding, responsible for Justice, Fundamental Rights and Citizenship. It aims to make these rules fit to meet the challenges of globalisation and emerging technologies, on-line social networking, e-commerce, behavioural advertising, and so on.
It's high time - data is not what it was in 1995, when general rules on data protection were adopted in the EU. Social networking sites had not yet re-invented our communication culture. Cloud computing did not exist. An internet of things based on billions of sensors and applications for smartphones did not exist. We only dreamed of transport passes like Navigo.
So now we need to change the general data protection framework to ensure our fundamental rights and freedoms are well addressed in the digital era. There are important questions to answer, such as:
How do we ensure transparency in the processing of personal data? People should be aware of what they are signing up to. They should have the possibility to review their choice in a user-friendly manner at any time.
Data minimisation: what can be done to ensure that just the right amount of personal data is collected, and nothing more?
The "right to be forgotten" – how can that work in practice? Here I want to pass my personal thanks to Nathalie Kosciusko-Morizet whose relentless work on this subject has been very valuable. Let me be clear: in my view, the issue is not merely about deleting all data. Just like in real life, when you present yourself on the net, you cannot assume no records exist of your past actions. What matters is that in those cases any data records are made irreversibly anonymous before further use is made of them.
Data portability. This is all about freedom of choice: the right for you to change your mind and preference about the services you need. Freedom of choice is only possible when a user can easily and freely transfer his or her data to him or herself and then possibly to another service provider.
Efficient use of the resources invested in data protection is important – both for the supervisory authorities and for the industry complying with it. Unnecessary administrative burdens should be removed where possible.
In conclusion, I wish to say to you that cloud computing may indeed become one of the backbones of our digital future. Securing workable data protection will help us to give shape to that digital future. Let us keep up the conversation about these and other digital issues. If we do that, we will deliver the better economy and better living that digital technologies make possible.