Vice-President of the European Commission, EU Justice Commissioner
Privacy in the Cloud: Data Protection and Security in Cloud Computing
Round-table High Level conference on Mobilising the Cloud organised by GSMA Europe
Brussels, 7 December 2011
Ladies and Gentlemen,
I am delighted to be with you today to discuss the reform of the European Union data protection laws. The title of your conference: 'Mobilising the cloud' couldn't be more timely! The potential of cloud computing for economic growth is enormous. Now is the time to leverage this potential and make the most of our single market of 500 million people.
Fifteen years ago, we had vast collections of cassettes and video tapes which took up lots of room on our shelves. As new technology developed, these became smaller CDs and DVDs. Then we put them onto our computers’ hard drives. You know what happened next: our digital lives have now shifted from the desktop to the cloud. We store and retrieve our precious photos, contact lists, emails and household accounting on remote servers.
No one questions where those servers are. They could be in Dublin or Dubai – it does not really matter. We take it for granted that we can instantly access the data we need at any time – wherever we are. If my computer breaks, I don't have to panic because I can still access my files from another device anywhere. Cloud computing has created new business opportunities and liberated us from our desktop computers.
The benefits of storing digital files on remote servers and retrieving them via the internet are enormous: we save space, time and money. It is an opportunity for citizens, businesses and the economy as a whole.
Companies cut costs by outsourcing data storage tasks. For European businesses, cost savings are the cloud's biggest attraction. Small and medium-sized companies no longer have to worry about maintaining expensive servers at their offices. They have access to the same data storage services as large companies and can compete on a level playing field.
We don't know what will be next. It is impossible to predict how digital tastes will change. Who can say what the next popular smart phone or social network site will be? One thing is certain: these technological advances in 2011 represent one of the biggest challenges to data protection and data security of our citizens. This is why we have to equip ourselves now and for the future. And this is why we have to adapt our current, European legislation on data protection, which is more than fifteen years old, so that it meets these new challenges and any new situations.
What is the best way to achieve this? How can the European Union make sure that its citizens don't lose control of their data in the cloud? How can we ensure a high level of protection without falling into the trap that would restrict users to only a European cloud? How can we unleash the potential of the cloud for the digital economy without putting citizens' data at risk?
Today Europe is accelerating and taking important decisions for its future that in normal times would take years. The future of our digital economy needs to be addressed swiftly and effectively as well. This is why next month I will propose new European law. I want to make sure that Internet users are very well protected and at the same time that cloud services move up a gear. I want to make sure that the future European regulation on personal data, also in the cloud, is not foggy. It should and will be based on a solid law!
Now, how can I do it? At the time when I was European Commissioner for Information Society and Media, I laid the foundations for what is now Europe's Digital Agenda – the EU's action plan for enabling our digital future, which is today managed by my colleague Neelie Kroes. I made roaming prices affordable for citizens and businesses. This move was absolutely necessary to unleash the power of mobile data. I also updated the privacy rules for the public electronic communications sector, the so-called ePrivacy Directive. My aim was to ensure people's trust as well as a level playing field and legal certainty for businesses. And this is exactly my aim now that I am the European Justice Commissioner.
Reliable and consistent rules are essential if we want the digital economy and our digital single market to grow. These rules should make people feel comfortable about using new technologies and services. We need a framework for privacy that protects individuals and boosts the digital economy.
So what are the main aims of my data protection reform?
Firstly, I want to put citizens in control of their data. I want to improve the effectiveness of the fundamental right to data protection. Citizens must always be in a position to take informed decisions about how their personal data is used. Internet companies must ensure transparency. They must provide people with appropriate information about the processing of their data. And, may I add, this has to be in simple and understandable language! Our citizens must be clearly told which data is collected and for what purposes. They need to know how it might be used by third parties. And they must know which authority to address if their rights are violated.
The authorities responsible for data protection must have sufficient powers to enforce the law and they must have sufficient resources to exercise those powers. I want to strengthen coordination between national data protection watchdogs so that the rules are enforced consistently.
Secondly, I want to reinforce the incentives to ensure security in the cloud. Businesses must take the security of personal data more seriously. One could argue that personal information is also not secure on a home PC’s hard drive and therefore security is not a problem only in the cloud. But let’s be careful: we should not underestimate the risks in the cloud where the data of millions of people is stored. On the contrary, we see that large internet companies that hold vast quantities of personal data increasingly come under constant attack from hackers. We have also seen data breaches on major online game services that have affected millions of users.
This is why, under my proposal, businesses will have to pay utmost attention to security of information and privacy by design. These features should be well-integrated in the design of cloud computing products and services. The real winners will be those companies and service providers – no matter where they are from – that understand the competitive advantage of having built-in privacy features.
But when a data breach happens, a company will have to inform the national supervisory authority immediately and the individual whose data has been compromised or stolen. We have seen lengthy delays in telling customers that their data has been compromised. There can be no excuses for not letting people know what has happened to their personal information. These data security breaches risk undermining people's trust in the digital economy. My proposal introduces a general obligation for data controllers to notify such breaches immediately. The new legislation will bring all industries on par with the telecoms sector where security and breach notification have been compulsory since the 2009 reform.
My third point is that users should have the freedom to take all their data with them when they choose to leave a cloud service, and to leave no digital traces behind. Individuals should not be discouraged from switching from one cloud service to another. After all, the photos, videos and contacts that people build up on their profiles belong to them, not the company. It means that their photos, agendas, e-mails and profiles should be given back to them in a widely used format that makes it simple to transfer elsewhere.
There should be no downside risk if someone wants to cancel an account, erase a profile or move all of their data to a competitor. Companies should not erect hurdles when people want to change. Such 'locking-in' not only stifles effective competition but, more importantly, deprives users of their effective right to freely choose and freely change the best privacy environments for their personal data. This right to 'data portability' will be an essential element of the legislative reform.
My fourth point is that I want to create a level playing field for companies in the EU and a more business-friendly regulatory environment. Inefficient data protection rules hold businesses back. I want to simplify the situation and eliminate unnecessary costs and administrative burdens. If we want to encourage businesses to take advantage of new technologies and operate across borders, we need to make it simpler. As a result, companies will be able to sell goods and services to 500 million people in the European Union under the same data protection rules. Now, those are real economies of scale and a fantastic business opportunity!
My fifth point is about international transfers. In a world where the flow of data is imperative for our global businesses and physical boundaries are meaningless, we need to rethink the way we regulate and control the transfer of data outside the EU.
With my reform, we will overcome the fragmentation in the EU and create a real single online market for online services. The free flow of data will be guaranteed. We will make sure that we have one single set of instruments and rules for transfers of personal data to third countries, with no national extra conditions any more. Unnecessary administrative cycles and obstacles will be eliminated. And I want to encourage and facilitate the use of flexible tools such as Binding Corporate Rules. Where they cover also data processors, all kinds of business models, including cloud computing, can be covered.
Point number six is innovation and trust. While ensuring the rights of citizens, the reform needs to encourage innovation and economic progress. If we don't want to hinder technological developments, we have to encourage trust in emerging technologies through a sound data protection framework. The full potential of the cloud can only be realised if it is seen as a trusted way of storing data.
Businesses understand that a high level of protection of privacy and personal data is essential for establishing a relationship of trust with their customers. The trust companies earn by complying with strict privacy rules gives them a competitive edge. But I also know that Europeans want their competitors to abide by the same rules. That’s why one of the key objectives of my reform is to create a level playing field for all businesses.
Ladies and gentlemen,
There is no doubt that the future will bring us more and more innovations for storing, processing and accessing our personal data. There is also no doubt that cloud services and mobile devices are made to be combined. Cloud computing allows us to use ICT resources, platforms and services from anywhere in the world. Cloud computing is efficient. It shifts resources to where they are needed, regardless of location. With our mobile devices, we can use a wide range of services from anywhere in the world.
The legal challenges the cloud computing industry is facing are not specific to the online world. Many of the issues are similar to any outsourcing service, in particular to cross-border outsourcing. This also means that we can effectively tackle the cloud computing challenges by laying a sound legal foundation for cloud services first and foremost in the area of privacy and data protection. And this is exactly what I want to do by removing fragmentation, reducing red tape and rationalising the instruments for international transfers of personal data. The reform will also put EU and non-EU service providers on an equal footing. The reform will allow Europe to reap the benefits of cloud services.
I have outlined the main elements of the legislative package that I will propose next month. Today we are talking about how we can instantly send photos, videos and messages to friends around the world and then store all that data in the cloud. But what will tomorrow bring? No one can predict how technology will continue to change our lives. That’s why the reform must stand the test of time. Europe's new data protection rules should continue to guarantee a high level of protection of our citizens and provide legal certainty to businesses, no matter what marvels and life-changing innovations arrive in the coming years. The upcoming reform needs to be legally sound, citizen friendly and future proof.
Rest also assured that the Commission will not stop working on cloud computing after our data protection reform proposals. Vice-President Neelie Kroes has confirmed that she will propose a European Cloud Computing Strategy in 2012. Thorough consultations with stakeholders have just been completed. First concrete announcements will follow soon. European Parliament and Council support for the Commission's reform of the EU data protection legislation will of course be essential for the Strategy to succeed. I would welcome this approach, and I am working together with Neelie Kroes on this. Because we both believe that Europe should be in the fast lane when it comes to cloud computing.