Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remain an Issue, To Be Explored at IAPP Navigate on September 14
The European Commission’s Vice-President for a Digital Agenda, Neelie Kroes earlier this week indicated that the EC is aiming for a 2012 Cloud strategy that reflects the EU focus on human rights. She has recruited former federal Chief Information Officer Vivek Kundra to be an adviser in the creation of the strategy.
As reported in the Washington Internet Daily, Kroes and Kundra were speaking at Salesforce.com’s Dreamforce conference in San Francisco where Kroes said that because "this is by definition a global issue," Europe should work with the U.S. and Asia in setting policy. But she also said that privacy and other human rights considerations are central to the way Europe approaches issues like this, "even if it's taking more time" to complete policymaking, "the human rights system ... is the basis of our democracy," Kroes is reported to have said.
In this connection, recall that Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner has proclaimed that as essential "pillar" of EU citizens' privacy rights is "protection regardless of location" which has obvious implications for the Cloud.
"[P]rotection regardless of data location"  means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries' service providers controlling our citizens' data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.
(The EU also generally takes the position that its privacy laws cover nationals from countries outside the EU whose data is processed in the EU, but France's data protection authority, the CNIL recently exempted certain outsourcing services performed in France, a move followed by India with respect to its new privacy law, to the relief of companies performing outsourcing services in India.)
Presumably, Mr. Kundra's involvement in Vice-President Kroe's efforts to develop a Cloud strategy will help temper the rigid application of EU privacy laws to data stored in the Cloud.
The issue of whose law will apply in the Cloud and the potential conflicts will be illustrated in an upcoming session at the IAPP Navigate program in Dallas on September 14, which was created and will be co-chaired by Hogan Lovells privacy practice director Chris Wolf and Michelle Dennedy, Chief Privacy Officer of McAfee, Inc. and Founder of The iDennedy Project.
From the IAPP, in its announcement of the Navigate conference:
Cloud computing involves data and data applications stored and processed remotely, often in places far away, sometimes in multiple places, and in places with differing legal regimes. Who has authority to prescribe and enforce rules about personal data in the cloud? When does law enforcement have the right to demand access to data in the cloud?
Decide these critical questions of jurisdiction and control in a “moot court,” where you will put cloud computing on trial and deliberate on the outcome. Provocateurs will portray opposing lead counsel in a hypothetical case involving a nation within the EU requesting a preliminary ruling from the European Court of Justice (ECJ) on whether a cloud computing company with a physical presence within its borders is subject to its enforcement of national data protection laws enacted under the EU Directive. Navigate participants will be split into two groups—counsel for the Petitioner and counsel for the Respondent. Five participants will be selected as "justices" who will be free to question "counsel" about their positions. The judges will have an opportunity to deliberate and will return to deliver a verdict when the group reconvenes.
For those who are interested, a copy of the Moot Court Hypothetical is available at www.privacyassociation.org (PDF).