EU data regulations target data transfer to USA


It should come as no surprise to those who have been following the unfolding NSA spying scandal that regulators are passing laws to protect data from prying agencies. The Guardian reports from Brussels today:

Regulations on European data protection standards are expected to pass the European parliament committee stage on Monday after the various political groupings agreed on a new compromise draft following two years of gridlock on the issue.

The draft would make it harder for the big US internet servers and social media providers to transfer European data to third countries, subject them to EU law rather than secret American court orders, and authorise swingeing fines possibly running into the billions for the first time for not complying with the new rules.

This comes as a blow to the US cloud industry, which currently dominates the global cloud market. In August, reports suggested the industry could lose between $21 and $35 billion due to the revelation of the NSA’s PRISM program:

U.S. cloud providers could lose between $21.5 billion and $35 billion in revenue over the next three years because of worries about the National Security Agency’s PRISM program, which enables the government to access user data from U.S. Internet companies, according to a report this week by the Information Technology & Innovation Foundation.

The Guardian article goes on to say:

Data privacy in the EU is currently under the authority of national governments with standards varying enormously across the 28 countries, complicating efforts to arrive at satisfactory data transfer agreements with the US. The current rules are easily sidestepped by the big Silicon Valley companies, Brussels argues.

The new rules, if agreed, would ban the transfer of data unless based on EU law or under a new transatlantic pact with the Americans complying with EU law. …

Parallel to the proposed data privacy rules, there are various other transatlantic arrangements in place regulating European supply to the Americans of air passenger data, financial transactions and banking information aimed at suppressing terrorism funding and the so-called Safe Harbour accord allowing companies in Europe to send data to companies in the US where, as a result of Snowden, it is clear that that data can then be tapped by the NSA.

“The Safe Harbour may not be so safe after all. It could be a loophole because it allows data transfers from EU to US companies, although US data protection standards are lower than our European ones,” said Reding. “Safe Harbour is based on self-regulation and codes of conduct. In the light of the recent revelations, I am not convinced that relying on codes of conduct and self-regulation that are not policed in a strict manner offer the best way of protecting our citizens.”

The European commission is warning that it could suspend all these agreements unless the US commits to a new regime, but the commission’s threats would also run into trouble with national governments, not least the British.

Brussels and Washington have also been negotiating a deal on police data exchanges for two years, but the talks are deadlocked because there is no legal redress for an EU citizen in the US courts if the system is abused.

The good news for concerned cloud users is that, thanks to the proliferation of high-speed internet, it is not difficult to move to another provider in another country. However, the US has been a leader in building infrastructure. Countries such as Malta, which have attracted such business for other reasons such as lax online gambling regulation, have fallen behind the infrastructure build curve.

As with many things today, anyone planning how to organize their online presence will need to combine an understanding of several overlapping fields: global regulation, politics, and technology.

Another point the article does not elaborate on is how US companies operating in the EU will comply with these new regulations, given that their domicile country, the US, may require them to comply with conflicting obligations there. They may also have alliances with US intelligence agencies, as has been shown in the case of tech giants such as Microsoft.

In any event, non-US organizations should be wary about using US-based cloud providers.

Further Reading:

http://www.theguardian.com/world/2013/oct/17/eu-rules-data-us-edward-snowden/print