Cloud services could lose in an Olympian contest over privacy between US patriots and EU human rights defenders, says Eric Doyle.
The passing of the US Patriot Act has thrown the differences between the American approach to privacy and European legislation into sharp relief. The casualty is the Safe Harbor agreement that exists between the two international entities.
According to Safe Harbor, the privacy laws of the customer’s registered country of origin will be applied to any data wherever it is stored. The Patriot Act states that US authorities can access any data stored in the United States or anywhere in the world by a US company.
US companies own any data they store
The Patriot Act, however, appears to include data stored by an American company on behalf of a European firm. This breaches Safe Harbor as it stands and could threaten the adoption of US cloud services by European businesses.
The European Commission is considering a reworking of its data protection directive which was passed in 1995. This could take a Draconian view of the cloud market and insist that any company that cannot uphold the 1995 Data Protection Directive, and any modifications that are adopted next year, cannot handle EU enterprise data. Alternatively, the rules could be relaxed to accommodate laws such as the Patriot Act.
What is certain is that social networks will be put under pressure because safeguards for users will be enshrined in the new laws.
At the beginning of this month, announcing the start of the initiative to update the Data Protection Directive, vice-president Viviane Reding, EU commissioner for Justice, Fundamental Rights and Citizenship, said, “The protection of personal data is a fundamental right. To guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalisation. The Commission will put forward legislation next year to strengthen individuals’ rights while also removing red tape to ensure the free flow of data within the EU’s Single Market.”
Unsocial network behaviour
In an outline of these new data protection challenges, the EC said it is considering regulation to ensure that social network users can access, delete or change entries that they may have made in the past. It also upholds the “right to be forgotten”, a move already criticised by Facebook, so that when a user leaves a service all previous records created during their membership will be erased or, if preferred, transferred to a new service.
This will have a major effect on Facebook, Twitter, Google+ and other social media and search engines which will have to develop tools and functions to comply. It will prevent rash words from the past being dredged up and used against individuals later in life.
The Commission also wants to see some of the red tape removed from business data relocation. It also wants to create a “single market dimension”, which means that within Europe the legal situation will be smoothed out as to which country’s laws apply to data held outside the owner’s country of registration.
The implication is that the directive, which has been applied according to each country’s interpretation, will become a fixed set of laws to be enforced as written to ensure a level playing field across the EU.
The most telling and possibly controversial section states that the new regulations will be geared towards: “Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in co-operation with third countries and promote high standards for data protection at a global level”.
If the laws do not align with other countries there could be fireworks – and the current Patriot Act cuts across existing principles on data protection. In the US, the state has every right to access any data of a US citizen or registered company, at home or abroad, without their permission and even without their knowledge.
This could be the sticking point and the EC is further revising data protection rules in the area of police and criminal justice. An individual’s personal data will be protected in these areas.
“Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework.”
The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years. In what way, the Commission has not said but more will be revealed in January and the changes are due to be set before the European Parliament before the middle of 2012.
The US is already rattling its sabre, declaring the changes to be mere protectionism, of European cloud markets in particular. This does not bode well for a harmonious New Year.