Open Season on Service Providers? The General Data Protection Regulation Cometh…

[Commentary] Service providers, be afraid. Be very afraid. Especially (but not only) if you're an IaaS/PaaS cloud provider. Data controllers, be prepared. Your service providers (if well-advised) will want to negotiate or renegotiate your contracts. Why? The General Data Protection Regulation (GDPR). This would make service providers and other data processors directly liable, across the European Economic Area (EEA), for security and certain other data protection-related matters. The EU institutions, each with their own version of the text and currently in horse-trading trilogue negotiations, aim to agree and adopt the GDPR by the end of 2015. That's not far off, in the scheme of things, although there should be a two-year lead time before the GDPR takes effect (directly) in all EEA Member States.

What's the big difference? Under the current Data Protection Directive, only data controllers -- not processors -- have obligations and liabilities under data protection laws in most member states (although in a few, such as Ireland, processors do have direct liabilities under national implementing laws).

[W Kuan Hon is a joint law/computing science PhD student at QMUL, a senior researcher working on cloud law projects at QMUL and a consultant lawyer to Pinsent Masons]

