European cloud trends have raised some new concerns regarding data protection. There is no question that EU data protection legislation is far more stringent than its American counterparts. However, certain observers believe that the controversy is driven by financial motivations rather than security concerns. This article takes a look at the controversy in the EU over US-based cloud service providers.
As US giants including Amazon.com, Microsoft and Google hold the market share of the cloud, the question industry observers really need to consider is whether EU clients have anything to fear. It’s possible. In June 2011, a Microsoft executive admitted at the Office 365 launch in London that, under the Patriot Act, the company could be made to turn over information stored overseas to US authorities without seeking consent from, or even providing prior notice to, the data owner.
According to US laws, any data which is housed, stored or processed by a US-based company, or one that is wholly owned by a US parent company, is vulnerable to possible interception and inspection by US authorities.
According to Deputy Assistant Attorney General Bruce Swartz, the US Justice Department has a “core belief in the importance of protecting citizens from government intrusion. Any notion that the United States doesn’t value privacy is mistaken.”
In January 2012, the European Commission released a new EU data protection proposal that requires companies to employ a data protection officer and notify users within 24 hours of a data breach. Critics comment that the proposal introduces measures, including the “right to be forgotten,” which may be impossible to implement. It might also impose new burdens on already-struggling small firms.
Mark Watts, data protection partner at law firm Bristows, observes,
“It seems to have been their focus to write something very much directed at addressing the evils of U.S. technology companies without thinking of all the small European companies. It’s a missed opportunity in terms of trying to write a piece of legislation that matches the reality of sharing information these days.”
European Commissioner Viviane Reding, who had a large role to play in developing this new proposal, is known as a consumer champion from her previous role as Commissioner for Information Society and Media, in which she mandated that mobile telecom companies cut their roaming charges for customers making and receiving calls abroad.
Reding’s critics now complain that the legislation she is proposing is far too stringent and will ultimately be too difficult, not to mention expensive, to implement. One of the most surprising proposals is a sanction of up to two percent of a company’s turnover. Many point out that this is wildly disproportionate. However, Reding responded that replacing 27 national data protection laws with a single European law will eventually save €2.3 billion (US$3 billion) in administration costs.
Beyond privacy and security…
Of course, there are others who believe that this is an elaborate campaign to channel European clients towards EU-based cloud providers.
InfoWorld blogger David Linthicum comments:
“The real issue here is that U.S.-based cloud companies, such as Amazon.com, Microsoft, and Google, are taking off as the cloud becomes more real each day. As such, businesses in the E.U. are placing data in those clouds as cloud data centers begin to pop up overseas. So, with U.S. companies on the rise in their own backyard, is it time for the E.U. to talk about how bad these U.S.-based cloud companies will be for data privacy as a way to create space for European cloud companies?”
After all, research firm Gartner estimates that by 2015, Western Europe alone would represent a $47 billion market for cloud services. There’s a lot at stake, and most industry observers can see that European IT companies have quickly fallen behind their American counterparts, especially Google, Facebook and Apple.
According to Jean-Francois Audenard, France Telecom’s cloud security advisor, “It’s the beginning of a fight between two giants. It’s extremely important to have the governments of Europe take care of this issue because if all the data of enterprises were going to be under the control of the US, it’s not really good for the future of the European people.”
It’s clear that the market is what’s on the mind of European technology leaders. Henning Kagermann, president of Germany’s National Academy of Science and Engineering, points out that EU-based companies have already dropped behind in social media and Internet search. It’s important that these companies avoid making the same mistake with cloud computing. Kagermann comments, “I can’t imagine that Europe can afford to leave this field to the US. This year will show whether we’re serious about this.”
This article takes a look at the conflict between EU data protection laws and US privacy laws and how this affects cloud service providers. While American IT companies undoubtedly have the market share, new EU data protection proposals have sparked concerns that US-based cloud providers are not protecting data stored in the cloud in an appropriate manner. The article takes a look at the EC’s new data protection directive, with provisions aimed towards cloud services. It also introduces the possibility of other motivating factors for these changes.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Jurisdictions and data locations (Domain 3)
- Provider selection (Domain 8)
- Key management best practices (Domain 11)