The new proposed EU Regulation on data protection : End of the lock in?

On January 25, 2012, the European Commission finally approved the proposed Regulation for the protection of personal data (the complete Regulation may be consulted on the website of the Commission) which contains some interesting provisions concerning Cloud Computing.

The declared intention is, without doubt, that of facing the rapid technological changes which have taken place in the last few years, providing a uniform legislation on the protection of personal data in all 27 Member States (cfr. Recital n. 6).

Of particular importance, for our purposes, is article 18, paragraph 2 of the aforementioned Regulation, whose title is Right to the portability of the data, which expressly provides that the data subject is entitled to have his personal data migrated from the original Data Controller to another individual. In the event that such a request is made, the Data Controller is obliged to issue the aforementioned data in a commonly used electronic format di (or in such other format as may be used by the European Commission) without being able to make any objection whatsoever in relation thereto.

In the event that the aforementioned provision were to still be contained in the definitive Regulation that will be approved by the Parliament and the European Council, the data subject will be provided with an extremely effective remedy against so-called vendor lock ins.

Up until now, the manner in which personal data is released and, above all, the format in which it is released , has been left to the parties to negotiate.

The evident practical consequence, however, is that single users of the web are seldom in the position to obtain more conditions from Cloud providers which are more favorable than those generally contained in the standard general contract conditions that the user is obliged to accept in that the event that the user wishes to use such service).

This has led, in most cases, to the provider being interested only in preventing the User’s data being migrated from its server to that of a different Cloud provider .

In order to achieve this objective, the practice of locking in vendors has been developed, which consists in setting up obstacles of a technical and legal nature to personal data being transferred between different providers (i.e the recording of personal data in proprietary formats which cannot be used by other providers).

Article 18 of the aforementioned Regulation purports, instead, to impose an obligation upon providers to release Users’ data in commonly used formats, thus proving Users for the first time with a remedy – which would also be actionable in legal proceedings against providers subjected to the provisions contained in article 3 of the proposed Regulation – a right to the portability of his or her personal data.

This post is also available in: Italian