Lee & White

  • Poof! Your Privacy Evaporated in a Cloud of Smoke!

    Wednesday, December 21, 2011

    Cloud computing is a hot topic these days. But what is it all about?

    Basically, it describes technologies to deliver software as a service. The cloud provider provides processing power, software, data access, and storage in order to deliver services to the consumer of the cloud services.

    How does it look from your end of the screen? Compare it to your water supplier; at the end of the day, the average user would probably require that when he turns on the tap, water comes out. The more concerned user would be a bit more interested in the quality and origin of the water coming out.

    A better parallel with regard to your data, however, would be the attended cloakroom. You would arrive at the theatre and hand your coat to the cloakroom attendant in exchange for a numbered ticket. After the show, you would hand the ticket to the attendant in order to have your coat returned.

    So as a user (the data subject), you would hand your personal data to a company (the data controller) you trust, and this company would store your data or process it in ‘the cloud’ through its cloud provider (a data processor).

    If the attended cloakroom is unattended (after closing hours) or in case of an emergency, you could browse through the coat hangers in the cloakroom and find your coat. What if it wasn’t there? What if the cloakroom had ‘outsourced’ storing the coats? You would appreciate a sign saying ‘We outsource our coat storage to external sites in x, y and z’. You could still go to x, y and z and retrieve your coat.

    With data, however, nobody guarantees that the data is stored completely in one location; it might be distributed over multiple data stores. Nor is it guaranteed that the data is stored only once, only that it is stored at least once. And there is no guarantee that, if data is deleted or moved, it is physically removed or erased in the original location.

    So what can we learn from this short story?
    It is vital that everybody involved knows where the data resides, handles it with care and only for as long as needed and wanted, keeps it safe from abuse, and deletes it when no longer needed.

    Data Controller
    • Draw up and adhere to rules regarding handling personal data. (data handling procedures)
    • Draw up and implement procedures to allow data subjects to execute their legal rights under the Data Protection Law.
    • Ensure your subcontractors abide by the same rules you impose on yourself.
    • Inform your data subjects of these rules, be transparent. (privacy statement)
    • Audit yourself regularly to check adherence to your rules and the Data Protection Law.
    • Audit your subcontractors to check the above.
    • Be vigilant!
    Data Subject
    • Read the information provided by the data controller before handing over your personal data.
    • Execute your legal rights under the Data Protection Law.
    • Stay in control of your personal data, know who is using it and what for.
    • Be vigilant!

    And finally, if in doubt, do not hand over your personal data and look for another provider.

    Posted by: Lee & White

    Tags: Best Practices, Personal Data, Organisations, Internet, IT, Data Handling Manual

  • The Rise of a New EU Data Protection Regime

    Tuesday, December 13, 2011

    The time has come. High time, in fact, given the numerous intentional and ignorant breaches that have occurred in the last decade.

    Many organisations in Belgium, especially in the private sector, have frequently set aside matters of data protection on the ground that no one ever gets caught in Belgium, and even if one was found out, the low risk of a fine meant that spending resources (both money and manpower) was a waste of time. Profits are essential, and budgets are limited.

    Coupled with the fact that the Privacy Commission's powers are quite restricted (having a mainly advisory role...), and seeing the lack of bite in previous breaches, complying with the duties set out by the Data Protection Law is just an unnecessary expense which no data controller in the business world wants to indulge in.

    On December 7, 2011 in Brussels, Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, revealed plans to strengthen data protection through the choice of a type of legal instrument, new data protection rights and a new tool to ensure compliance with the new single data protection law in Europe.

    As part of the effort to ensure greater data protection compliance, the powers of Data Protection Authorities in member states are to be strengthened so that they are able to effectively sanction breaches of the law.

    In order to assist the authorities to enforce the new laws, a new Data Protection Board will be created from the current Article 29 Working Party. "When the reform will enter into force, a new European Data Protection Board will be created from the current Article 29 Working Party. Given its enhanced future responsibilities the Board should have an efficient and dedicated secretariat. How to do it? I think that this secretariat should be hosted by the European Data Protection Supervisor's office which would be a cost-effective solution drawing upon the ready-made experience of that office." said Reding.

    She also went on to give the assurance that it was not the intention of the European Commission to take over the enforcement of the data protection rules. "Last but not least, let me stress that the European Commission has neither the intention nor the means at its disposal to take over your role as interpreters and enforcers of data protection rules on the ground, or as decision-makers on individual cases. On the contrary, with the reform, you will have a fully independent secretariat at your disposal and better tools to develop a common legal doctrine."

    The proposals for the new regime will also include the following:
    • Individuals will get more rights that will be enforceable in the online environment and simultaneously, data controllers will be subject to stricter obligations.
    • The principles of data minimisation and privacy by design will be strengthened.
    • The right to be forgotten and the right to data portability are to be included.
    • Adequate protection of children against abusive profiling or tracking on the internet.
    • The administrative burden of compulsory notifications on personal data processing is to be reduced and prior checks are to be limited only to cases where they bring real added value. However, privacy impact assessments for risky processing will be introduced so that data protection is not undermined.
    • Data breach notifications are to be extended to all sectors, and the role of data protection officers in the public sector, in large companies and in companies with risky processing will be strengthened.
    If all goes well, and the proposals outlined become part of the new legal framework, the EU will have a very promising data protection regime, and data controllers will have little choice but to put protection of personal data first on their business agenda and make room in their limited budget to comply.

    Posted by: Lee & White

    Tags: Personal Data, Government, Organisations

Copyright © 2003-2025 Lee & White®. All rights reserved.