The European Commission's draft changes to the existing EU Directive on Data Protection are likely to "drive business away from Europe" and not fully work in a cloud environment, according to cloud legal experts.
The Commission says the proposals will "make it easier to operate a cloud across the EU, with a single point of contact", as well as to "operate outside the EU, with simplified and more consistent rules".
But the Cloud Legal Project at Queen Mary, University of London disagrees. Professor Christopher Millard, leader of the Project, said: "Unless further changes are made to clarify and harmonise data protection rules across the EU, the draft regulation may drive business away from Europe, and still fail to deliver effective protection for individuals."
He said "uncertainty" will persist as to whether particular non-European cloud providers and cloud users are regulated in the EU, and, if so, which laws apply to them. "This may discourage the development of EU data centres and the use of EU cloud services generally," said Millard.
Millard added that the draft regulation fails to close a loophole which may undermine protection for some EU residents when they use services provided by non-EU cloud providers.
Millard said privacy and data security were now more important than the location of the data storage infrastructure.
"In our recommendations we proposed a more radical solution, namely abolishing the restriction on data export, focusing instead on appropriate measures to ensure security, transparency and accountability, regardless of the geographical location of personal data," Millard said.
He said the draft regulation will impose "substantial" new compliance obligations on businesses, as well as greatly expanding the roles of the European Commission and national regulators, all of whom will need extra resources to police the new regime.
The European Commission recently announced a first £8 million tranche of funding for its European Cloud Computing Strategy.