Global Standards: Recent Developments between the Poles of Privacy and Cloud Computing

• Author: Philipp E. Fischer
• Position: Munich, LL.M. (IP, London/Dreseden), Data Protection Officer & -Auditor (TÜV)
• Pages: 33-58

Global Standards: Recent Developments between the Poles of Privacy and Cloud Computing

2012

33

1

Abstract: The development of the Internet has

made it possible to transfer data ‘around the globe

at the click of a mouse’.1 Especially fresh business

models such as cloud computing, the newest driver

to illustrate the speed and breadth of the online en-

vironment, allow this data to be processed across na-

tional borders on a routine basis. A number of factors

cause the Internet to blur the lines between public

and private space: Firstly, globalization and the out-

sourcing of economic actors entrain an ever-grow-

ing exchange of personal data. Secondly, the security

pressure in the name of the legitimate fight against

terrorism opens the access to a significant amount of

data for an increasing number of public authorities.

And finally, the tools of the digital society accompany

everyone at each stage of life by leaving permanent

individual and borderless traces in both space and

time. Therefore, calls from both the public and private

sectors for an international legal framework for pri-

vacy and data protection have become louder. Com-

panies such as Google and Facebook have also come

under continuous pressure from governments and

citizens to reform the use of data. Thus, Google was

not alone in calling for the creation of ‘global priva-

cystandards’.2 Efforts are underway to review estab-

lished privacy foundation documents. There are sim-

ilar efforts to look at standards in global approaches

to privacy and data protection. The last remarkable

steps were the Montreux Declaration, in which the

privacycommissioners appealed to the United Na-

tions ‘to prepare a binding legal instrument which

clearly sets out in detail the rights to data protection

and privacy as enforceable human rights’. This ap-

peal was constantly repeated, lastly in 2010 at the

33rdInternational Conference of Data Protection and

Privacy Commissioners. In a globalized world, free

data flow has become an everyday need. Thus, the

aim of global harmonization should be that it doesn’t

make any difference for data users or data subjects

whether data processing takes place in one or in sev-

eral countries. Concern has been expressed that data

users might seek to avoid privacy controls by moving

their operations to countries which have lower stan-

dards in their privacy laws or no such laws at all. To

control that risk, some countries have implemented

special controls into their domestic law. Again, such

Global Standards: Recent

Developments between the Poles of

Privacy and Cloud Computing

by Philipp E. Fischer, Munich, LL.M. (IP, London/Dreseden), Data Protection Officer & -Auditor (TÜV)

© 2012 Philipp E. Fischer

Everybody may disseminate this ar ticle by electronic m eans and make it available for downlo ad under the terms and

conditions of the Digita l Peer Publishing Licence (DPPL). A copy of the license text may be obtained a t http://nbn-resolving.

de/urn:nbn:de:0009-dppl-v3-en8 .

Recommended citation: Philipp E. Fis cher, Global Sta ndards: Recent Developments between the Pol es of Privacy and Cloud

Computing, 3 (2012) JIPITEC 1, para 33.

Keywords: International data transfer, international legal framework, global privacy standards, cloud comput-

ing, data protection, privacy rights infringement, data controller, data processor, European Data Pro-

tection Directive, EU-DPD, safe harbor, Standard Contractual Clauses, adequacy, adequate level of

data protection, APEC, OECD, UN, accountability, Binding Corporate Rules

2012

Philipp E. Fischer

34

1

A. Introduction

1

During the 2012 CeBIT IT fair this March in Han-

nover, René Obermann, CEO of Deutsche Telekom,

highlighted that ‘the present PC architecture is out-

dated; the post-PC era has begun. […] We want to

play an important role in the ecosystem cloud’.

3

This

is not surprising, given that Germany’s BITKOM4 as-

-

nual turnover in cloud computing businesses in Ger-

many will end up at around 5.3 billion euros in 2012,

a steep increase of 50% compared with the previous

year. The prediction for 2016 is even about 17 billion

euros per year, a third of it through business-to-pri-

vate consumer relations. Market analyst ‘Gartner’ re-

cently determined the global returns of cloud com-

puting in 2012 at 77 billion euros.5

2 Big market players are now pushing forward their

own business models for cloud computing and ins-

talling new data centres worldwide. This dramati-

cally increases the quantity – but not necessarily the

quality – of cloud computing services offered to con-

sumers. This development leads to a large amount

ofdata transfer‘ around the globe at the click of a

mouse’,6 data which is to be processed across natio-

nal borders on a routine basis.

3

The shady side of these new opportunities for the

global web community has been addressed not only

by Germany’s chancellor Angela Merkel – ‘The more

natural technologies become, the more important is

the necessity of trust’7 –but also by Viviane Reding,

Commissioner of the European Union (EU):





Cloud computing is becoming one of the backbones of our di-



-

les is not the sort of cloud we need.8

4 Reding went on to say that ‘privacy nowadays has

become a moving target: new risks need better le-

gal remedies’.9

5 Few companies take data protection issues in cloud

computing seriously. The Deutsche Telekom seems

to understand that in order to serve the B2B mar-

ket with cloud computing services, it needs some

hard work on data protection measures and politics

of trust. According to Mr. Obermann, 60 out of 90

data centres outside of Germany already do comply

with all technical standards under German law. The

negative example to prove the opposite is – again –

Google: even after having suffered strong criticism

because of its newest privacy policy, Eric Schmidt, a

member of Google’s board of directors, didn’t say a

word at the CeBIT fair about data protection in cloud

computing surroundings; he preferred to praise the

neutrality of the Net.

6

To tackle concerns of privacy and data protection in

the cloud, calls from both the public and private sec-

tors for an international legal framework for privacy

and data protection have become louder. Companies

such as Google and Facebook have come under con-

tinuous pressure from governments and citizens to

reform the use of data.

7 Efforts are underway to review the established pri-

vacy and data protection legal framework:

8 -

ration,10 in which the privacy commissioners ap-

pealed to the United Nations ‘to prepare a binding

legal instrument which clearly sets out in detail the

rights to data protection and privacy as enforceable

human rights’. This appeal was repeated in 2008 at

the 30th International Conference of Data Protec-

tion and Privacy Commissioners held in Strasbourg,

11

at the 31st conference held in 2009 in Madrid,12 and

at the 32nd conference held in 2010 in Jerusalem.13

At the 33rd conference in 2011 in Mexico City,14 the

working group for the ‘Promotion of the Internati-

onal Standards’ resumed their efforts:

-

  -

   

 -

mental conference for developing a binding international

   

government’s representatives at the next Conference mee-





9

French President Nicolas Sarkozy decided to put the

Internet at the top of the agenda of the French pre-

sidency of the G8/G20 in 2011. At the G8 summit in

Deauville last May, all member states expressed the

strong political commitment of the G8 members con-

cerning the protection of personal data and indivi-

dual privacy:

The effective protection of personal data and individual pri-

vacy on the Internet is essential to earn users’ trust. It is a

 

aware of their responsibility when placing personal data on





effectiveness of this protection. We encourage the develop-

ment of common approaches taking into account national-

-





10

The EU Commission addressed these issues in its

factsheets on proposed data protection reform:

The rapid pace of technological change and globalisation have

profoundly transformed the scale and way personal data is

 



 -

-

-

tinents and around the globe in milliseconds and the arrival