International Privacy Law

In contrast to the United States, the European Union has a comprehensive privacy framework, the EU Data Protection Directive. Recently, the European Union has focused particular attention on cloud computing because of vendors and prospective users of cloud technology trying to ensure compliance with the EU Data Protection Directive requirements. In addition, the European Network and Information Security Agency (ENISA) recommended in a recent cloud computing risk assessment that European officials should determine how the data protection laws apply to cloud computing services.


European Union Regulatory Issues

International Transfer of Personal Information

With respect to international data transfers, the EU Data Protection Directive prohibits the transfer of personal information of EU residents out of the EU without companies have the “adequate” level of protection. The US is among those countries because it has no national data-privacy laws that meet EU standards. The EU prohibits data transfers from the EU, unless a viable legal mechanism for transfer is implemented. For example, if US companies need to obtain and use EU-origin personal data, companies must comply with this Directive through agreements or the US-EU Safe Harbor Framework.

Classification as Data Controllers and Service Providers

Whether an entity is classified as a data controller or processor affects the liability of the entity for compliance with EU data protection requirements. In particular, it is pertinent that the entity/cloud vendor enter into a data processing agreement with third parties to ensure legal requirements are met.

For more information on how the EU sees cloud computing, see the the European Commission's Information Society & Directorate-General's report titled The European Union: The Future of Cloud Computing: Opportunities for European Cloud Computing Beyond 2010.

EU Flag

Rest of the World

Flag of Canada The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. Recently, the Office of Privacy Commissioner of Canada launched a consultation on the privacy implications of cloud computing.

For Global Data Protection Laws around the world, please visit the Privacy International Organization’s International Survey of Privacy Laws & Developments.

References

  • Tanya Forsheit, Legal Implications of Cloud Computing (Privacy and the Cloud), Information Law Group (Sept. 30, 2009) available at http://www.infolawgroup.com/2009/09/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-two-privacy-and-the-cloud/ (last visited Mar. 26, 2010).
  • Lisa Sotto, Cloud Computing, BNA Privacy & Security L. Report, 9PVLR 269, Feb. 15, 2010 available at http://lawprofessors.typepad.com/law_librarian_blog/2010/02/privacy-and-data-security-risks-in-cloud-computing.html (last visited March 26, 2010).
  • Tim Greene, Schneier: Fight for Privacy or Kiss it Good-Bye, Network World, Mar. 9, 2010, available at http://www.networkworld.com/news/2010/030910-schneier-privacy.html