One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Clouds and the draft Data Protection Regulation

Monday, November 25, 2013 - 09:11

At the moment both cloud computing providers and their business customers in Europe have to deal with at least twenty-eight different interpretations of Data Protection law. And there are nearly as many different national rules and formalities when using non-European cloud providers (the UK approach is described in the Information Commissioner’s Guide to Cloud Computing). The current process to develop a European Data Protection Regulation should reduce this divergence as there will be a single law applicable across all member states and national regulators will be able to grant approvals that take effect across the EU. Getting to that stage is taking a long time, as it requires the European Commission, Parliament and Council of Ministers to agree on a complex legal text. Recent publications suggest that the Commission and Parliament have different ideas on how that law should deal with cloud computing.

When the Commission published their first draft last year they declared it “cloud-aware”, containing and developing most of the existing legal provisions that are used to support cloud computing. Indeed Binding Corporate Rules for Data Processors, which had been developed under the authority of the Article 29 Working Party, appeared for the first time in (draft) law.

By contrast the European Parliament’s recent response seems to foresee a different approach, suggested last year by the EU Data Protection Supervisor, which would rely much more on providers or contracts being approved in advance by national authorities. The process for obtaining continent-wide approval should be simpler, as it will no longer involve consulting every national regulator. But it will require providers to be willing to seek authorisation and regulators to find resources to grant it (a concern that has been expressed by the UK’s Information Commissioner). European businesses who are unable to obtain approval in the two years between the passing of the law and its coming into force (currently foreseen around 2017) may be trapped without a lawful source of the infrastructure they need to provide high-quality cloud-based services to their customers.

Fortunately NRENs such as Janet have already established relationships with major cloud providers, who have been willing to adapt their services and agreements to meet our customers' requirements under current data protection law. The Commission have recently rejected any "fortress Europe" approach to cloud computing. So if a future Data Protection Regulation were to require a different approach to compliance we expect that our existing relationships and agreements would let us help both providers and customers find the best way to achieve it.