Questions on where data is located and adherence to data privacy regulations usually figure prominently in any cloud vendor due diligence checklist, eg in this Checklist for using a Software as a Service (SaaS) vendor (last question), or in this Cloud Security Checklist (question 2) or in my own SaaS project self-assessment (Questions 8 and 9). The subject has recently made headlines because of concerns that US cloud providers do not provide adequate data protection for customers in the European Union.
In this article we’ll look at the recent Patriot Act headlines, try to understand the background to the EU’s data protection laws and run through a quick primer on the subject. Then we’ll consider the challenges of implementing pre-cloud privacy laws in a cloud world, and how the EU regulations are likely to change to accommodate this. Finally, we’ll look at threats (to US cloud providers) and opportunities (for EU cloud providers).
IT’S MIDNIGHT – DO YOU KNOW WHERE YOUR DATA IS?
The trigger for the recent EU data privacy concerns is the US government’s Patriot Act, which allows security agencies to have access to personal data held by US-registered cloud vendors, even if that data resides outside of the US.
In the past few weeks alone, we saw the following headlines around the world:
- In Australia, cloud specialist and former CIO, Rob Livingstone, warned Australian government agencies not to consider using US public cloud services for any material other than information in the public domain.
- In the Netherlands, the Security and Justice Minister, citing Patriot Act concerns, proposed changes to procurement requirements to state that a supplier is under no circumstances allowed to transfer governmental data to any foreign legal body – thereby implicitly excluding US companies from tenders, or public sector RFPs.
- IDG’s Brussels correspondent Jennifer Baker penned an article saying that concern in the European Union that U.S. data protection laws are too lax has created a new market for European cloud computing services.
- UK defence giant British Aerospace Systems has pulled the plug on a proposed outsourcing mission to Microsoft’s Office 365 cloud solution, after data sovereignty could not be guaranteed.
And Mark Zuckerberg didn’t do anyone any favours with Facebook’s recent data privacy stumble, incurring the wrath of the Federal Trade Commission (FTC). In violation of its data privacy commitments to its customers, the company passed on personally identifiable information to advertisers. It also failed to make photos and videos on deactivated and deleted accounts inaccessible.
In order to appreciate these concerns, which may appear excessive to some US observers, it would help to understand where the Europeans are coming from.
WHY ARE EUROPEAN DATA PRIVACY LAWS SO STRICT?
As most people know, data protection laws are far stricter in the EU than in the US. EU law is primarily aimed at protecting a person’s identity. People are therefore expected to be able to control their personal data at any time. Not only are their governments not allowed to intrude on the privacy of individuals, they also have a responsibility to prevent any intrusion by third parties. There are historic reasons for this. In the prelude to the Second World War, the war itself and the subsequent cold war period, a whole string of political -isms (Nazism, fascism and communism) kept detailed information on its citizens that was used and abused by the state for political purposes.
EU national data protection regulations (namely the EU Data Protection Directive) therefore make companies legally responsible for the security and privacy of any personal data used in their IT systems.
A QUICK PRIMER ON EU DATA PRIVACY LAWS
To better understand the rest of this article, here is a quick primer on the basics of data protection under the current EU laws.
A company that holds personal data about employees or customers (called “Data Subjects”) is called a “Data Controller”, because it controls what data to collect and how it will be used.
Controllers may then engage a department or an outsourcer, called the “Data Processor”, to store and process the data on its behalf, within clear boundaries defined by the Controller. The Processor is therefore responsible for keeping the data secure from unauthorized access, disclosure or accidental loss.
Controllers and Processors are legally responsible for observing national data privacy laws corresponding to both the jurisdiction of the data subject and the location of the data. So data stored and processed for example in the US (cloud vendor) or India (outsourcing vendor) on a Data Subject resident in France are subject to EU law, and not just US or Indian law.
Even in these rather simple scenarios, multinational companies struggle to comply with the various national rules, even in a traditional on-premises environment. Nathalie Prouveur-Genoud, a lawyer and data protection officer in a multi-national company in Geneva, knows the subject only too well. She explains that data collected in one EU country (eg France) to be hosted in a second (eg Germany) may in the course of normal business end up being shared with companies located in a third country, eg the US. This mandates compliance with more than one EU national law (ie France and Germany) and has to address the question of access by non-EU companies to the data, especially in the US.
THE CHALLENGES OF APPLYING EU PRIVACY LAWS IN A CLOUD WORLD
As we saw above, it is already challenging enough trying to apply the EU data privacy laws in a pre-cloud, on-premises world. Cloud computing makes it even more so.
The current laws, which date back to the pre-cloud days of the 20th century, are based on the premise that it is always clear where personal data is located, by whom it is processed and who is responsible for the processing. In an on-premises world, this was a given: both the Controller (eg the marketing department) and the Processor (ie the IT department) were part of the same company. For outsourced systems, eg payroll, the controller was the HR department and the processor the payroll company. In both cases, because data location was clear, it followed that Controller and Processor responsibilities were also clear.
In a cloud world however, a vendor is free to move data to the most cost-effective location in terms of server capacity and efficiency without a customer’s knowledge. Which raises the interesting question as to which national data protection regulations at which location actually govern the protection of the data.
To muddy the waters further, a SaaS cloud vendor, for example, will often use an IaaS (Infrastructure as a Service) cloud vendor lower down the “cloud stack” to actually store the data. The SaaS vendor at the top of this “virtual service chain” can therefore bundle together one or more services provided by others, each of which is effectively a black box with an SLA (Service Level Agreement), over which it has little or no visibility.
With cloud computing therefore, it is not always possible to say where the data is at any given time and by whom and how it is being processed.
And yet, the EU laws require that Data Controllers, ie cloud customers, assume full responsibility for the data and how it is processed! Hence their understandable wariness with US cloud providers, which has nothing to do with trust, and everything to do with trying to stay within the law.
HOW EU DATA PROTECTION LAWS ARE LIKELY TO CHANGE IN 2012
EU data regulators are well aware of the problems created by the current patchwork approach and technological challenges and are expected to issue an updated Data Protection Directive in January 2012. This will make the laws more adaptable to the new cloud environment, including social media, whilst still providing the required data protection.
Under this project, a number of new obligations would replace the current obligation to notify the authorities of the processing of personal data. The key word is accountability. Controllers would remain responsible but Processors would also share some of the burden. As Nathalie Prouveur-Genoud points out, this will go to the core of the business: “If Controllers must implement ‘privacy-by-design’ whenever personal data is involved and clarify the underlying processes on that data, it would represent a real change of mind-set. It is my experience that most companies do follow SOPs (Standard Operating Procedures) and restrict access to personal data, but how many are audit-ready?” The project also contains new provisions for inspections of Controllers – and by extension their Processors.
The bad news for vendors is that this would increase their costs. But the flipside is that it would also be good for business, since those vendors with sound practices should see fewer barriers to cloud adoption.
The updated regulations are also expected to strengthen the already existing privacy requirements. For example, the Financial Times reported this week that under sweeping proposals to be unveiled next month, businesses breaching EU privacy rules could face fines of up to 5 per cent of their global turnover.
The project, however, might not be implemented overnight. Unless part of a central EU directive from Brussels, it will have to go through a discussion and ratification process by member states, which could take at least 1-2 years.
THREATS AND OPPORTUNITIES
The threats to US cloud vendors are clear. The Patriot Act has the potential to disrupt the US cloud industry’s foreign markets, especially in the EU – its largest bi-lateral trading partner.
Not all sectors will be equally affected though. The types of information security agencies are mainly be interested in concern people’s personal identity, their family connections and their interactions with local state and government bodies (state and government IT); what people are saying to each other (email); their financial transactions (banking); their medical records (health care); and their comings and goings (airlines and transportation in general). You can generally expect these sectors to be wary of the Patriot Act and to seek out EU cloud providers.
The remaining sectors, especially those relying on e-commerce online channels, have in theory less reason to be worried, since a trail of people’s shopping habits and the products they buy on-line are less likely to be of interest to a security agency.
For these sectors, the decision to go with a US cloud provider will be driven by business interests and common sense. This will mean comparing the cloud’s business advantages of time-to-market, innovation and costs (certain and quantifiable) with the risk of a customer finding out that a US security agency not only had access to his data, but also that such access resulted in non-negligible personal or business prejudice (uncertain and unquantifiable).
On the opportunity side, the Patriot Act will leave the field wide open for European cloud providers to steal their US competitors’ lunch. Jennifer Baker’s IDG article referred to at the start of this post mentions two Swedish companies, Severalnines and City Network, that have begun promoting their newly-merged service as “a safe haven from the reaches of the U.S. Patriot Act.” She also goes on to say that the gap in the market is also being exploited by other firms such as DNS Europe, Colt and MESH, with the latter strongly promoting its location in Germany and “data separation in strict compliance with German data protection laws.” Finally, here in Geneva, where I’m based, vendor SwissCloud makes it clear – drawing parallels with the country’s banking secrecy laws for extra emphasis – that “your data will never leave Switzerland without your consent”.
The Patriot Act is in a sense the ideal marketing pitch for EU cloud vendors because it symbolizes the type of sweeping data access powers that the very EU laws are meant to counter. Without changes to this US legislation, business will soon be handed to them on a plate – in essence a free lunch.
Acknowledgements: I’d like to thank Nathalie Prouveur-Genoud, lawyer and data protection officer in a multi-national company in Geneva, for her in-depth review and her input on the current EU regulations and how they are likely to change in 2012.