As reported in Silicon.de, in Experian.it and in other sources, the European Commission is planning to release a new directive on data protection, which will affect the Cloud Computing industry. Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, is planning to update the Data Protection Directive. The Data Protection Directive was first introduced in 1995, and since then a lot of new challenges for personal data protection have appeared, from social networks to cloud computing and the current digitalization of public data assets.
Experian reports: The process to update the Directive has just started. Over 160 responses were collected to a public consultation that lasted until December 2009. These responses were crafted by citizens, businesses and other organizations and public authorities. The objective of this public consultation is to gather “views on the new challenges for personal data protection, in particular in the light of new technologies and globalisation”, and what steps should be taken to overcome those challenges. Now Reding plans to present a first draft of the legislation by autumn this year.
In her speech in January she outlined the main issues to be covered in the updated directive (quoted from Experian):
- Social networking, especially matters related to child protection regarding their data and activities in those social networks.
- Usage of RFID tags, small chips that may contain and broadcast personal data, although encrypted, as is the case with the European Union passports. A wider usage of these chips outside logistic operations, where they are standard now, for storing personal data, may have an impact on privacy.
- Regarding behavioural online advertising she stated that “For me it is clear that without the prior informed consent of citizens their data cannot be used”.
- The last example she cited explicitly in her speech was notification of breaches of personal data. In her previous role as Commissioner for Information Society and Media she forced Telecom providers to notify both authorities and individuals of any personal data breach. This decision was taken not without controversy, as individuals affected by the personal data breach have to be notified even though the breach has been solved and measures have been taken, thus creating unnecessary alert and confusing users.
- And finally, she expressed her wish to incorporate into the Directive the principle of Privacy by Design. This concept was developed by Ontario’s Privacy Commissioner, Dr Ann Cavoukian, in the 90s, and “is an approach whereby privacy and data protection compliance is designed into systems holding information right from the start, rather than being bolted on afterwards”. Privacy by Design is comprised of 7 principles:
  - Proactive not Reactive; Preventative not Remedial
  - Privacy as the Default
  - Privacy Embedded into Design
  - Full Functionality – Positive-Sum, not Zero-Sum
  - End-to-End Life-cycle Protection
  - Visibility and Transparency
  - Respect for User Privacy
According to Silicon.de, Ms. Reding is convinced that this reform process of the directive will have to lead to better protection of consumers’ personal data, independent of the country the consumer lives in and of the country where the data processing service provider is located.
Earlier this year Microsoft publicly admitted that it may have to hand over European customers’ data on a new cloud service to U.S. authorities. The company may also be compelled by the Patriot Act to keep details of any such data transfer secret. This is directly contrary to the European directive, which states that organizations must inform users when they disclose personal information.
Microsoft can already transfer E.U. data to the U.S. under the Safe Harbor agreement. But legal experts have warned that this agreement is hardly worth the paper it’s written on. There are seven principles of Safe Harbor, including reasonable data security, and clearly defined and effective enforcement. However all this is nullified if the Patriot Act is invoked.
“I’m afraid that Safe Harbor has very little value anymore, since it came out that it might be possible that U.S. companies that offer to keep data in a European cloud are still obliged to allow the U.S. government access to these data on the basis of the Patriot Act,” said Theo Bosboom, IT lawyer with Dirkzager Lawyers. “Europeans would be better to keep their data in Europe. If a European contract partner for a European cloud solution offers the guarantee that data stays within the European Union, that is without a doubt the best choice, legally.” (Computerworld.com, July 5, 2011)
And Computerworld further reported: “Does the Commission consider that the U.S. Patriot Act thus effectively overrules the E.U. Directive on Data Protection? What will the Commission do to remedy this situation, and ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?” asked Sophia In’t Veld, a member of the Parliament’s civil liberties committee. “I hope the Commissioner will ensure that the U.S. and other countries respect E.U. laws in E.U. territory. I don’t think the U.S. would be amused if Europeans (or other non-U.S. authorities) were to get access to databases located within U.S. jurisdiction.”
This is good news for European Cloud Computing Providers. Following the release of the new directive they will be able to provide services that can be separated from US jurisdiction and the U.S. Patriot Act.
This would help to strengthen the acceptance for consumers and industry in Cloud Computing. What do you think?
- E.U. to Tighten Web Privacy Law, Risking Trans-Atlantic Dispute (nytimes.com)
- Updated European law will close Patriot Act data access loophole (zdnet.com)
- E.U. Data Law Threat to Facebook and Google (blogs.wsj.com)
- Upcoming EU data law will make Europe tricky for Facebook (go.theregister.com)
- Facebook, social networks, businesses ‘must adhere’ to EU law (zdnet.com)
- EU upset by Microsoft warning about US access to EU cloud (infoworld.com)
- European companies ‘need confidence’ over Patriot Act concerns (zdnet.com)
- European Data Concerns Cloud Outlook for US Vendors (pcworld.com)
The conflict between European data privacy laws and the Patriot Act is quite interesting. I’m looking forward to a resolution of that situation.
It will mean that the US will have to acknowledge the fact that there are in fact other authorities out there, which claim their own legislation in their territory and that US law might not be applicable any longer on a world-wide basis.