Sunday, 14 October 2012

Europe, EU, EEA, EFTA, Council of Europe - Venn diagram - & cloud computing data protection implications

I've produced a Venn diagram and table showing which countries are in Europe, EU, EEA, EFTA and/or the Council of Europe. These country groupings are all different, and there's often confusion as to which country is in which international organisation.

It makes a difference. For example, for EU data protection law purposes, there's a restriction on transferring personal data outside the EEA (relevant eg when using cloud computing) - there's a shorter article about this restriction.

The EEA is not the same as Europe. "Europe" is broader than "EEA", as you'll see from my Europe/EEA/EU etc Venn diagram. In fact there are 20 countries in "Europe" that are not in the "EEA".

Cloud services which allow users to choose data centres in "Europe" may think they're helping users with their data protection law compliance responsibilities by enabling users to keep their data in "Europe", but they're not.

Cloud providers who really want to help their users with data protection compliance should allow users to confine their personal data to data centres in the "EEA" or "EU".

If the provider specifically names the countries concerned (as Amazon now does), that's also helpful, as users can work out (eg from the diagram) whether that country is in the EEA. Similarly, Microsoft, for its Windows Azure cloud service, refers to "Europe" as a selectable region, but clarifies that this means Ireland and the Netherlands.

However, cloud providers like Google are still offering storage eg of buckets in "EU - Europe" (with "EU" meaning "Europe" here, rather than the "European Union"). It should clarify whether this is in fact within the EEA or European Union. "Europe" just isn't good enough, for EU data protection law purposes.

Hopefully, more providers will start to provide clearer data centre location information soon - ie, they should name the countries where their data centres are located, or else state that they are in the EEA or EU (if that is the case). Stating that customers may choose to process their data in "Europe" is not enough to assist them to meet their data protection law obligations.