Keeping darkness out of the cloudBy Viviane Reding, European Justice Commissioner
Cloud computing conjures up images of floating zeroes and ones - dataliberated from the desktop and drifting effortlessly from one server to thenext. Consumers and companies benefit from storing information onremote servers, no matter where they are, and then pulling it back whenthey need it.
Our societies have been transformed as users embracesocial networks, blogs, newsfeeds and shared bookmarks that are keptin the cloud. Companies cut costs by outsourcing data storage tasks.But is there a dark lining to the cloud? While this lofty world holds mucheconomic promise and consumer benefits, it also raises new challengesfor policymakers.
Consumers who store data in the cloud risk losingcontrol over their photos, contacts and emails. Data is whirling aroundthe world: a UK resident who creates an online personal agenda coulduse software hosted in Germany that is then processed in India, storedin Poland and accessed in Spain.
The European Commission takes data protection and privacy veryseriously. Data protection is a fundamental right in the European Union.We have rules on how data should be protected so users know whatthey are signing up to when they use social networking sites. Thecloud's security is essential for consumer confidence.
The EU's data protection rules are more than 15 years old. They havestood the test of time, but now they need to be modernised to reflect thenew technological landscape. The Commission is reviewing ideas fromconsumers and businesses on how to move forward. As the EUCommissioner in charge of data protection, I will propose changes to the1995 Data Protection Directive later this year.One idea is "privacy by design" - building privacy-enhancingtechnologies into products and services.
Data protection is a "musthave" feature for individuals and society in general. A cloud withoutrobust data protection is not the sort of cloud we need. These featuresshould be well-integrated in the design of cloud computing products andservices, from the very start of the business processes. This is not aboutgiving an unfair advantage to European companies or holding backcloud computing in Europe.
The real winners will be thosemanufacturers and service providers - no matter where they are from -that understand the competitive advantage of having built-in privacyfeatures.The underlying approach should be a "cloud-friendly" environment. But acloud without clear and strong data protection is not the sort of cloud weneed.
Having cloud-friendly rules can only help technology companies -many of which in Europe are small businesses - to know exactly what isallowed and what is not. This may mean simpler, harmonised measures,such as the registration forms for notification purposes. We also want toencourage self-regulatory initiatives. Codes of conduct or codes ofpractice like the "binding corporate rules" for international data transfersare good solutions.
Regulatory certainty is essential: companies must know what the rulesare about the flow of data within the EU and at a global level. Forexample, the implementation of the EU's Data Protection Directivediffers across Member States. We need to clarify when this reflects anunavoidable difference of culture and legal tradition, or when it is merelyan avoidable obstacle to the rules of the Single Market. I plan to workwith EU Member States and Data Protection Authorities to address thischallenge.
As the centre of gravity in our digital world shifts from the desktop to thecloud, we also have to keep a careful watch over individuals' privacy andthe right to personal data protection. In the cloud, personal data isprocessed and stored far from where a user lives.
This raises importantquestions for policymakers. Who is in charge of protecting ourinformation kept in remote server farms in the four corners of the globeand transferred from one to another in milliseconds? The cloud isborderless so the question of how to effectively protect our personaldata online is also global.
I call on companies to ensure that data isprotected and secure.Transparency must be ensured. Today's tech-savvy individuals need tobe able to trust the internet to reap its full benefits. They need to beguaranteed control of their personal data, of the possibility to switchcloud providers easily, and their right to delete their personal data atwish: the internet needs to learn how to forget.
"The right to be forgotten" is not merely about deleting all data. Just likein real life, when you use web-based services, you cannot assume thatno records exist of your past actions.
What matters is that any datarecords are made irreversibly anonymous before they are used again.We cannot afford foot-dragging in this area.
As EU Commissioner forFundamental Rights, I look forward to speaking with European and UScompanies in Davos later this week about our rethink of the general dataprotection rules in Europe. When considering policy for the cloud, ourfeet are firmly on the ground: the goal is to ensure that well-tested rulesevolve naturally to serve the globalised 21st century.