EU Privacy and the Cloud: Consent and Jurisdiction Under the Proposed Regulation

By Paul Schwartz, Bloomberg BNA


Cloud computing allows dramatic flexibility in information processing—and on a global basis. Its technology permits data transmissions that span the globe. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other factors. These decisions are sometimes made in real time and by machines rather than humans.

The cloud is also a business sector in which U.S. companies lead the world in new products and services. Important and innovative cloud offerings include Salesforce, Dropbox, Google Drive, the Amazon Elastic Compute Cloud, and Microsoft SkyDrive. Cloud computing is already a multibillion-dollar international market. Forrester Research Inc. has predicted that this market will grow from $40.7 billion in 2011 to more than $241 billion in 2020.

Due to the international dimensions of cloud computing, regulations outside of the United States are now as important as those inside it. The European Union is the most important bilateral trade area for the United States, and its proposed data protection regulation (“Proposed Regulation”) is of profound significance for U.S. companies that offer cloud services. As the European Commission notes, concerns about data protection constitute “one of the most serious barriers to cloud computing take-up.” It calls for “a chain of confidence-building steps to create trust in cloud solutions.” One of the most important of these steps is the Proposed Regulation and its strong protections for information privacy.

U.S. cloud services should take particular note of two areas of the Proposed Regulation. The first concerns its limitations on the use of an individual’s consent to permit data processing. The second is how it crafts a broad jurisdictional reach for EU information privacy law.