Europe's Data Security Laws Clear Some Clouds, Muddle Others

The European Commission (EC)'s plan to rewrite the European Union's data privacy directive and update regulations to account for the increasing amount of personal data online in social networks and cloud services has some U.S. cloud providers on alert.

Critics in the U.S. have charged that the proposed law would throw up competitive road blocks for cloud providers. For Europeans, the law would unite a myriad of interpretations of the original privacy directive and allow citizens the "right to be forgotten."

But for data security, the proposed privacy legislation has both a silver lining and a darker side, say experts. Cloud providers will have a single set of regulations with which they need to comply, making handling and securing consumer data simpler. However, the new provisions could put non-European companies at a disadvantage and hefty fines -- up to 2 percent of global revenues -- could be levied against firms that do not notify authorities within 24 hours of a breach.

"We expect that the new approach will simplify the multi-jurisdictional issues and remove some of the administrative challenges in regards to notifications," Felix Sterling, senior vice president and general counsel for security firm Trend Micro, said in a statement. "But (we) also anticipate new compliance challenges. Unfortunately, what this means at the end of the day is that more companies will need to review their risk management approach and security measures in light of the heightened accountability for errors and breaches."

The revision to the European Union's Data Protection Directive comes nearly two decades after the original law mandated that member states adopt privacy protections. The proposed law would put in place a single set of regulations, rather than the 27 different individual implementations currently in place. Companies will deal with a single national data-protection agency in the country where they operate. The European Commission estimates that the harmonization will save companies approximately 2.3 billion euros a year.

"Right now, there are problems for the cloud providers in dealing with the European states, because they have to comply with all 27 different laws," says Daniele Catteddu, the Cloud Security Alliance's managing director for Europe, the Middle East and Africa.

[Cloud services aim to simplify information technology for businesses, but as companies subscribe to a greater number of services and integrate virtual infrastructure into business processes, complexity rises. Can brokers help? See Cloud Brokers Seek To Simplify, Secure Services. ] 

Yet, while companies applaud the single set of regulations, they worry that fight between the U.S. government's search for information on terrorism could put them at odds with European regulations. If a U.S. law enforcement or intelligence agency requests from Microsoft an Italian citizen's Hotmail data stored on a server in Ireland, who has jurisdiction: The United States, Italy, or Ireland? In 2011, Microsoft stated that it would have to obey lawful requests from the U.S. government and turn over information under the USA Patriot Act, the anti-terrorism law passed following 9-11, even if the information was owned by a non-U.S. citizen. The current proposed update to the European privacy directive would give the EU jurisdiction.

The debate will be "a huge food fight between American cloud service providers and the European Union," Tim Mather, advisory director at accounting firm KPMG, said at the Cloud Security Alliance (CSA) Summit in late February.

"Lets be quite honest about this: The Europeans want nothing to do with the USA Patriot Act, and this is a way for them to fight back and incidentally give an economic advantage to the European cloud service providers," Mather said.

The current proposed update to the directive would also scuttle the Safe Harbor provisions negotiated by the EU and the United States, which allows U.S. companies to export some data in certain restrictive circumstances. The problem is that the European Commission believes that the keeping data inside a data center in an European country means that it's safe, Marc Crandall, senior manager of global compliance enterprise for Google, said at the CSA Summit.

"Does location really equal security? I would argue that it does not," he said. "But that is an issue that we are going to have to reckon with."

Today, Google has to deal with varying regulations and compliance standards in each European country. In 2010, for example, a judge in Milan, Italy, convicted three Google execs for violating Italian privacy laws, when a controversial video was posted to the company's service. Even though Google helped authorities track down the person who posted the video, the court still held the service culpable.

In the end, however, the degree to which a company is impacted will depend on their business model and their approach to their customers' data, says Praerit Garg, president and cofounder of ambient cloud storage provider Symform.

"The nature of companies' business models ultimately drives their behavior," he says. "If their business model is about collecting user information, then those companies are fundamentally at odds with privacy regulations."

Companies whose business model revolves around protecting their clients data will likely only benefit from the European changes, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.