Happy Data Protection Day.
What better time for the European Parliament to publish a report that calls for more "legal certainty in jurisdiction-spanning transfers of data involving a multiplicity of data controllers and processors” and for the Safe Harbor Agreement to be extended to Cloud Service providers based in the USA.
In a passage that will get all the headlines, the Report also calls for more transparency in relation to how law enforcement agencies in third countries (but in particular the USA) will use their surveillance powers to access personal data, held in the Cloud, about data subjects who are not their citizens.
The Report states that “The challenges of privacy and data protection in a cloud context are clearly underestimated, if not ignored. In most European for a dealing with cybercrime, Data Protection laws appear to be very marginal in the agenda and inadequately addressed to meet the challenges raised by cloud computing”. That is why “Data Protection offences should be recognized as a type of "Cybercrime".
The Report claims that as the Data Protection Directive 95/46/EC and the Proposal for a General Data Protection Regulation "do not apply to law enforcement activities” (unlike the UK data protection law which does apply to policing and law enforcement) there is a need for “a harmonization of fundamental legal concepts such as 'jurisdiction', 'data processor' and 'data controller' at EU level”.
The Report claims “Such harmonization would decrease conflicts of laws and would contribute towards more legal certainty for the data subject/consumer as regards the applicable law”.
The Report also claims that “the EU-US Safe Harbour Principles which allow transfers of data to US organizations does not apply to telecommunication common carriers which also provide cloud computing services”.
Consequently, the “study recommends that Safe Harbour Certification are checked and reinforced. The 'Safe Harbor' principle should also apply to telecommunication common carriers which also provide cloud computing services”.
With respect to Homeland Security, the Report states that “Particular attention should be given to US law that authorizes the surveillance of Cloud data of non-US residents”. Consequently the European Parliament “should consider amending the DP Regulation to require prominent warnings to individual data subjects (of vulnerability to political surveillance) before EU Cloud data is exported to US jurisdiction”.
In general “No data subject should be left unaware if sensitive data about them is exposed to a 3rd country's surveillance apparatus. The existing derogations must be dis-applied for Cloud because of the systemic risk of loss of data sovereignty. The EU should open new negotiations with the US for recognition of a human right to privacy which grants Europeans equal protections in US courts”.
Finally a different topic: if you are looking for a data protection day present for yourself why not consider a copy Rosemary Jay’s Fourth Edition of her Data Protection Law and Practice which is officially launched today. At 1330 pages, it is the obvious book to have if ever you are asked that “Desert Island” question.
References:
EU’s Cloud Report http://www.europarl.europa.eu/committees/en/libe/studiesdownload.html?languageDocument=EN&file=79050
Details of Rosemary Jay’s book (the Fourth Edition of Data Protection law and Practice) can be downloaded here: Link at bottom of; http://amberhawk.typepad.com/amberhawk/2013/01/european-parliament-mauls-the-data-protection-regulation-enhanced-protection-for-data-subjects-and-fettering-of-commission.html
Comments
You can follow this conversation by subscribing to the comment feed for this post.