Regulating European Clouds: The New European Data Protection Framework

Introduction

Cloud Computing allows the outsourcing of computational power, data storage and other capabilities to a remote third-party (Buyya et al., 2009). In the supply of any goods and services, the law gives certain rights that protect the consumer and provider, which also applies for Cloud Computing: it is subject to legal requirements and constraints to ensure Cloud services are accurately described and provided to customers with guarantees on quality and fitness-for-purpose.

As a result of the pace of technical and economic progress in this field, it was important to determine the compliance of common Cloud Computing usage patterns with legal constraints and requirements. In a former work (Kertesz et al., 2014) the authors provided a method for and the results of an evaluation of commonly-observed Cloud federation use cases against the law applying to Cloud Computing. To point out where legal problems may arise, they summarized the national laws of major countries related to data protection, then they revealed relevant use cases for Cloud Federations (Marosi et al., 2011) and assessed them against evaluation criteria derived from legislation for the data processing of end-user details and materials, including the roles and responsibilities necessary for legal compliance. To clarify and exemplify legal compliance in the identified usage patterns, they considered the Data Protection Directive (Directive 95/46/EC, 1995, DPD) of the European Union, which is a commonly accepted and influential directive in the field of data processing legislation. In this former evaluation of data management in Cloud Federations against legal requirements the authors have chosen to perform the investigation exclusively using requirements from data protection law. Data protection covers the dynamic provisioning and processing of data in Cloud environments – intrinsic to the operation of all Clouds – and the field covers the majority of currently available Cloud Computing characteristics and functions, including cases where (Section 4 of OPTIMIS, 2010):

• •

  The infrastructure used to store and process a costumer's data is shared with other customers (i.e., multi-tenancy);

• •

  The Cloud provider's servers are located in several jurisdictions;

• •

  Data is transferred from one location (also called as establishment) to another depending on where resources are available;

• •

  The Cloud service provider decides the location of the data, service and security standards instead of the customer;

• •

  IT resources are not dedicated to a customer but instead are dynamically provisioned.

Data protection legislation is fundamental to Cloud Computing as the consumer looses a degree of control over personal artifacts when they are submitted to the provider for storage and possible processing. To protect the consumer against the provider misusing their data, data processing legislation has been developed to ensure that the fundamental right to privacy is maintained. The distributed nature of Cloud Computing, i.e. Cloud services are available from anywhere in the world, makes is difficult to analyze every country's data protection laws for common Cloud usage evaluation criteria. Therefore it is important to know how the corresponding legislation affects the behavior of Cloud providers.

In this chapter the author investigates the revised European legislation resulting in the General Data Protection Regulation (General Data Protection Regulation, 2012, GDPR), which will be used to set up the new European Data Protection Framework. Then the author gathers and summarizes the most relevant changes this regulation brings to the field of Clouds, and draws relations to the previous legislation called the Data Protection Directive currently in force.