Safer cloud computing with new data protection law
Thursday, July 28, 2011, 5:20 PM CET
Although it carries inevitable advantages, the spread of cloud computing raises several legal concerns in Hungary. Experts hope that new legislation on data security will bring solution to most of them.
One of the most sensitive issues in cloud computing is data security. With the introduction of the new law on data protection, million forints fines could be imposed in certain cases, said law office Horváth és Társai DLA Piper.
Hungary’s current data protection law, compared to EU legislations, is quite strict.
“Just a simple example: if a company wants to store its employees’ data in cloud computing, and the cloud provider happens to be located in abroad, Hungarian legislation requires the consent of the given employees. It can be a huge administrative burden on a company that employs several thousands of people,” explained Zoltán Kozma, legal expert of DLA Piper.
The legal environment can sometimes be deceiving, the law firm said. For example, when a cloud provider and a client company are based in different countries, the law does not make it clear which country’s jurisdiction should be taken into consideration.
It is also unclear what a cloud service provider should be considered from a legal point of view: whether it is data manager or data processor, as different rules apply to the two.
“A data manager can forward data for a data processor within the European Economic Area without permission by the user, but transferring it outside the EEA requires such permission,” Kozma said.
Contracts with cloud providers are another touchy issue, the DLA Piper analysis pointed out. Cloud providers typically use standard contacts which allow little room for negotiation and customizing, so companies using services by cloud providers should be increasingly aware of analyzing possible risks before signing a contract, the law office warned. “One should clarify issues such as who is responsible in case of losing data, who is obliged to recover them, and what compensation a client is entitled to in such cases,” Kozma noted.
Companies should also pay attention to conditions on which a contract can be terminated, and should find out in advance what happens to their data in case of termination, he added.
Legal challenges connected with cloud computing has been in the focus in EU law making process: a statement issued by the European Commission at the end of last year initiated the review of EU’s data protection regulations.
“The situation is controversial in Hungary,” said Kozma. “While regulations on data protection are, in general, stricter than EU regulations, the data protection commissioner does not have strong licenses for sanctioning possible rule-breaking behavior.” The paradox situation has forced several companies to find legal loopholes in their data managing processes, he added.
The recently submitted amendments to Hungary’s data protection law, however, might bring a solution, Kozma said.
The legislation would provide stronger sanctioning licenses for a new authority on national data protection and freedom of information, yet to be set up. According to the draft bill, the authority might fine companies reluctant to oblige the legislation with fines up to several millions of forints.
“For the time being, it is unclear how the new authority would translate paragraphs on data transmission in the new law, but we hope that it will positively move forward the spread of cloud computing in Hungary and will successfully deal with problematic legal issues,” the DLA expert said.
The Hungarian government submitted to the Parliament the new legislation on data protection in June.