More EU Data Protection Rules Discussed

By Scott Calonico

Many individuals are rather cynical about data protection nowadays, especially in the wake of Edward Snowden’s privacy revelations.

Government instructions about how to protect personal data can be a little hard to take when it often seems to be the governments themselves who are most determined to access it!

However, it seems that more EU data protection rules are on the way, with a particular effect on cloud service providers who work with (or wish to work with) clients in Europe.

The newly proposed guidelines relate specifically to personal data stored in the cloud outside the EU. The European Data Protection Supervisor (EDPS) will apparently need assurances that service providers are storing data in compliance with EU regulations.

These new rules could make things complicated for cloud providers of all sizes. Replicating data to servers elsewhere in the world is often considered a case of simple good practice for the sake of resilience. The authorities, however, are protesting that this means that there is “no stable location for the data” and that this could create “risks to the rights and freedoms of the person whose personal data are collected, held or processed.”

The EDPS is currently preparing guidance on this issue. As ever with such things, the technical complexities are unlikely to make the guidance straightforward.

Mixed Messages

These forthcoming new guidelines are being put together against an interesting technical backdrop. Back in January this year, Computer Weekly reported that a quarter of UK businesses are actively moving cloud data away from the USA in the wake of the NSA revelations.

More recently, the UK government has fast-tracked emergency legislation to give the authorities the power to target all kinds of electronic communications. The changes passed through central government and the House of Lords just a week after being made public. Quite rightly, there has been outrage that the moves were undemocratic, and perhaps even in violation of basic human rights laws.

Now, these new rules being tabled could give EU countries the right to have a say on how data security is being managed away from their jurisdictions. On a technical level, it’s rather hard to see how this will work in practice, but it’s pretty clear that the age of electronic surveillance is upon us, and has proceeded so far that it’s hard to imagine a route back.

The hardest fact of all to take is that the complexities of data storage and cloud services are not something many laymen understand (or indeed wish to). Thanks to this, governments are managing to erode basic principles of privacy with surprisingly little objection, hiding behind the basic principle of “nothing to hide, nothing to fear.” Those with a little more background knowledge must surely be concerned that the world is sleepwalking towards a 1984-style dystopia.