Cloud computing has become something of a buzzword in the digital arena lately, but there has been some confusion among those seeking to comply with their data protection obligations.
Our data protection legislation (which was born as a result of heavy European influence) stops data being sent outside of Europe unless the recipient country has ‘adequate’ protection in place. Whilst I will not offer a cure to insomnia by going through the details as to how adequacy can be found, one of the more common ways is if the European Commission has made a finding of adequacy in relation to a particular country’s data protection rules.
In relation to the USA, there has been no such finding – partly due to the fact that US legislation provides protection on a more sector-specific and self-regulatory basis. However, in 2000 the EC and US agreed a set of data protection principles known as the ‘Safe Harbor’ agreements, which US organisations comply with in order to properly receive data transferred from within Europe.
With the increasing use of cloud computing, however (and therefore the widespread outsourcing and storage of data), concerns had been raised about the extent to which those involved in data transfers for cloud computing purposes could seek shelter under the Safe Harbor provisions. The US Department of Commerce’s International Trade Administration has issued useful guidance on this point confirming, amongst other things, that cloud computing is not seen as a unique model for the purpose of Safe Harbor and that the general principles continue to apply.
The guidance is useful and certainly keeps the regulatory framework relatively simple. However, whilst the use of cloud computing continues to become more intricate and widespread, with data contained in ‘the cloud’ originating from a growing number of territories, it will be interesting to see whether a more global approach is adopted.