How secure is your information uploaded in the cloud? How many people upload data into the cloud and how many of them have ever stopped to consider the safety of the information uploaded or the compliance requirements with the laws regarding data protection.

Even though the use of Cloud services is becoming more widely spread, the Cloud raises several security issues.  These issues relate particularly to such matters as processing and storing the users personal data and the personal data of others. In the current laws of many European countries these security issues are not taken into account.  Romania is no exception.  In Romania, the penalties for infringements of the data protection law are low.  The law, when drafted, did not take into account the cloud and sought only to mirror the European Union legislation with some minor amendments.  Thus it is true to say that the Romanian laws concerning the cloud regarding this issue in its present state is deficient.

At a national level, Law no. 677/2001 on the protection of individuals with regard to the processing of personal data in Romania, is applicable although it does not expressly refer to cloud services.  In accordance with art. 2 para. (1), the law applies to the processing of personal data carried out wholly or partly by automatic means.  The law embodies the fundamental principles of EU legislation on data protection.  As mentioned earlier for infringements regarding the transfer, processing and storing of personal data the provisions of Law 677/2001 stipulate fines which varies between 500 (five hundred) lei to 50,000 (fifty thousand) lei, depending on the provision that has been infringed its seriousness.

From our analysis of other European Union laws  it is clear that some of the cloud services that are currently being used in the European Union do not meet the minimum requirements of the current European data protection legislation, namely Directive 95/46/EC.  Depending upon the location of the storage servers there may be a transfer of personal data outside Europe by cloud services which may be at odds with the Directive.  How many users of the cloud have asked their providers if they have a “safe harbor certificate”?

The problems regarding personal data are not limited to the processing and transferring of personal data but also to the storing of this information. The current Directive requires that enterprises do not store in or transfer data through countries outside the European Economic Area that do not have equivalently strong data protection standards set out in the directive. Taking into consideration that most of the cloud serves are US based, these servers have to have a Safe Harbour Certification, which provides exemption to these regulations. But in terms of data security Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment. Additional safeguards for data security may thus be deployed; such as by incorporating the expertise and resources of third parties that are capable of assessing the adequacy of cloud providers.

Currently there is a European Union initiative regarding the adoption of new regulations in the form of a Directive which aims to modernize the existing legal background as set out by the directive in such a way as to suit the needs of the new internet and cloud era.  Will this new directive be ahead of the developments in the industry or be behind as before.  All the indications are that the European Directive could be passed in 2014 for implementation in 2015.

One step outlines in the new draft directive will require data controllers and data processors (such as cloud providers) to share the liability for breaches of data and violations of the law.

At the moment it is considered that the risks regarding the use of cloud services and transfer of personal data need to be carefully assessed, both by public bodies and private enterprises.  The new regulations aim to establish the obligation of controllers and processors to carry out a data protection impact assessment prior to processing operations.

Despite the acknowledged benefits of cloud computing in both economic and societal terms, cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed.

All users of the cloud need to carefully consider their position both in terms of internal security as well as the access that Governmental agencies can require and demand in respect of the National laws of the country were the data is being processed. Everyone needs to do more work to ensure that the data is properly protected and all agreements should be carefully reviewed to protect against current and future liability.