Considering the Cloud in Sunny Madrid
Last week, I attended the 31st International Conference of Data Protection and Privacy Commissioners in Madrid. Government data privacy officials representing 46 countries were there, as well as hundreds of lawyers, corporate privacy officers and advocates from around the globe.
There were plenary sessions and panels on every possible privacy issue but at the center of much of the discussion were the complex and seemingly unanswerable questions about global data flows in an era of cloud computing: What is the right way to protect privacy in an Internet cloud where data flows don’t respect borders? When consumers from around the world place their data in a social networking site based in the United States, which data protection laws should apply? Who should be accountable for data privacy and security when data is collected by one entity and then stored with cloud providers offering storage, processing and software as a service? When those cloud providers move data from server to server, often in multiple jurisdictions, which data protection rules apply and which country may assert jurisdiction over the data when other substantive legal questions arise?
Even in the European Union, where the data controller remains accountable for privacy and security pursuant to the European Data Protection Directive, there is a growing consensus that the Directive’s underlying assumption that data has a fixed location is making the Directive increasingly difficult to apply. There also seems to be growing agreement that international standards or a binding instrument are needed to help reconcile conflicting data protection regimes.
With this background, the main order of business at the closed session of the data protection commissioners was to consider and adopt the resolution “International Standards on the Protection of Personal Data and Privacy,” which some would like to see become the basis for a binding international agreement on data privacy; just this morning an English translation of the final resolution went online. Peter Hustinx, the European Data Protection Supervisor, made clear in remarks at an earlier panel that the document was not intended to address the question of which law applies to data as it moves from one country to another, but rather would define a set of principles and rights that would guarantee the effective and internationally uniform protection of privacy and facilitate the international flows of personal data needed in a globalized world. But there appears to be considerable disagreement as to what such standards will mean in practice. According to the Spanish data commissioner who led the effort, the standards are “soft law” intended to guide the development of privacy protections in countries without such protection and to build consensus toward a future binding agreement.
However, many others have expressed doubt that such an agreement is either possible or appropriate. And some have criticized the standards as too closely aligned with the European Directive rather than taking the best from other data protection frameworks. In any event, it’s an important start to a needed conversation.