Cloud Computing and Privacy Shield Regulations

As the implementation of the European Union Privacy Shield comes closer, other elements of the shield come into play and place restrictions on businesses that transfer data between the United States and Europe. Adding to this is the General Data Protection Regulation. This can be a major issue in cases where data transfers may occur, but more specifically, it impacts the cloud computing sphere and services like Dropbox and Google Docs. So, how do these services work? What would the General Data Protection Regulation do? How can they be used with the Privacy Shield in effect?

How do these services work?

These systems work by allocating computing resources to another location. Usually, this is done through the internet, by transferring data to other electronic devices or servers. Effectively, it allows individuals or businesses to take advantage of the greater resources of other entities, like Dropbox or Google, by granting use of their services for a fee. On the flip side, these services could be compromised by hackers, causing the loss of personal or confidential information. We have discussed some of the risks associated with cloud computing before and would ultimately encourage our readers to carefully evaluate the risks of submitting any information to the Cloud.

What would the General Data Protection Regulation do?

While the Privacy Shield imposes restrictions on businesses that transfer data between the European Union and United States, the General Data Protection Regulation dictates standards in online security, as well as requirements in the European Union as part of its own digital market initiative. Cloud computing is specifically called out in the data protection regulation's impact assessment, which acknowledges that the data is difficult to place geographically and that the content may be frequently replicated on all continents to improve accessibility. From this perspective, the use of cloud computing may be covered in multiple instances, under both the GDPR and the EU-U.S. Privacy Shield. This is ultimately done in response to surveys that the European Union is relying on, which cite that 75% of individuals do not feel in control of their online data. In fact, the GDPR includes various rights for European Union citizens, including a right to be forgotten, data portability, higher protection, and a right to know when data is hacked.

How can cloud computing be used with the new regulations?

With both the EU-U.S. Privacy Shield and GDPR, organizations wishing to do business that would require the transfer of data across international lines may face some difficulty. With regard to cloud computing, services that rely on data centers outside of the EU would possibly be in trouble, as compliance would be needed for both the Privacy Shield and GDPR. As such, it is possible that service providers based outside of the EU will face a difficult choice: to change with regulation or to move out.

We may not be able to determine what is best for your business, but as we stated before, it is suggested that an organization weigh all its options before determining whether a shift towards cloud computing is practical.  At our law firm, we assist clients with legal issues related to business, technology, and e-commerce transactions.  You may contact us to set up an initial consultation.