Leading European authorities are not satisfied with the data privacy measures offered by cloud and Internet-based service providers. In January, the Norwegian Data Protection Authority temporarily banned Google Apps from public sector applications, citing that the service did not comply with national privacy laws. More recently, Irish and Norwegian regulators launched investigations into the privacy implications of Facebook’s facial-recognition technology.
Even more concerning for the broader community of U.S.-based cloud providers are the recent recommendations of an influential European Commission (EC) advisory body, the Article 29 Data Protection Working Party, which point to a continued gap between European consumer privacy principles and cloud vendor practices.
U.S. cloud providers must recognize the ramifications of Europe’s growing concern regarding consumer privacy and consider measures to strengthen transparency and personal data protection. Otherwise, the Working Party’s recommendations could endanger the continued success of Facebook, Google, and other U.S.-based tech giants in the European market for cloud computing services.
For American companies, regulation already presents challenges for compliance in Europe, beginning with the broad protection of personal data under national laws. Any information that can be used to identify an individual, from a telephone number to a social network post, date of birth, or photograph, is legally protected.
This year, the EC introduced legislation that would update existing laws by providing individuals stronger authority over their personal information. The proposed legislation also seeks to better unify the divergent national privacy codes that exist today.
The Article 29 Data Protection Working Party reinforced the legislation’s values by calling for cloud providers that operate in the European Union (EU) or serve EU citizens to implement robust measures ensuring the privacy of consumers’ personal information and the transparency of vendor practices.
Though they are non-binding, the Working Party’s suggestions could foreshadow the end of certain business practices. If these data privacy and security recommendations were law, some U.S. vendors would need to take significant action.
Chief among these potential changes are alterations to providers’ business models and technological infrastructures, including the elimination of the secondary use of consumer data. Depending on customer demands, providers that monitor user search patterns and collect consumer data may be required to cease these practices and establish new revenue sources. Businesses, individuals, and organizations paying for cloud-based email or storage services, for example, could specify that no information be processed by cloud vendors for advertising, used for internal research purposes, or released to third parties.
Any EU cloud provider would also likely be mandated to provide a list of locations in which citizens’ or organizations’ data may be processed, transmitted, or stored. Though Norway is not a member of the EU, its decision to forgo adopting Google Apps stemmed in part from uncertainty regarding the geographic location of Google’s data centers. And, if recent political dialogue in France and Germany is any indication, geographic restrictions on cloud provider data center locations may be imposed more broadly.
Most significantly for the present, the Working Party signaled growing distrust in the Safe Harbor process. Long the means by which American companies have circumvented gaps between European and American regulation, today’s Safe Harbor regime allows U.S.-based organizations to self-certify that they meet European data protection standards. The Article 29 Working Party directly states that this self-certification process may no longer suffice without additional proof of robust data protection measures.
What the Working Party’s suggestions will ultimately mean for U.S.-based cloud vendors remains unknown. It is clear, however, that the privacy implications of cloud computing are of increasing concern to European regulators and will likely lead to continued scrutiny of cloud services. In the public sector, regulators are likely to be all the more stringent about their requirements. The EU cloud model will likely favor those providers that are able to guarantee consumer privacy and security needs, as conceived by Europeans.
With countries across the globe looking to the outcome of EU data privacy legislation, the potential implications of these recommendations are far-reaching. Should these scenarios fully play out, cloud giants planning to continue business across the Atlantic will need to re-examine their consumer protections and business models—or incur limits on their expansion in Europe.