Inside the Briefcase

Augmented Reality Analytics: Transforming Data Visualization

Augmented Reality Analytics: Transforming Data Visualization

Tweet Augmented reality is transforming how data is visualized...

ITBriefcase.net Membership!

ITBriefcase.net Membership!

Tweet Register as an ITBriefcase.net member to unlock exclusive...

Women in Tech Boston

Women in Tech Boston

Hear from an industry analyst and a Fortinet customer...

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

In this interview, JumpCloud’s Antoine Jebara, co-founder and GM...

Tips And Tricks On Getting The Most Out of VPN Services

Tips And Tricks On Getting The Most Out of VPN Services

In the wake of restrictions in access to certain...

Data Protection– What’s Next?

April 13, 2015 No Comments

Featured article by Julian Box, CEO of Calligo

cloud-security-2

As the EU finalizes the new EU Data Protection Act, which will likely become law across all EU member states by the end of 2015, I find myself once again turning my attention to data protection. As CEO of Calligo, the trusted cloud, I am eagerly awaiting to see how this new law will change how our data is handled by service providers and enterprises globally.

With the world of data protection in the news spotlight over the last few years –especially following the revelations from Edward Snowden – it’s no surprise that the EU, widely recognized as the global leader in this area, is looking at strengthening how data is governed.

With ever increasing security breaches making headlines, keeping the topic of data protection top of mind and igniting fears of what can result from loose data governance, some of the reasons we need a new set of laws and rules seem quite obvious. However, understanding where we stand now, and where we need to be is not as apparent.

Here is a cloud’s eye view. First of all, the current set of data protections laws covering the EU are based on an EU Data Protection Directive. This means each member state has to meet the minimum standard set out in the directive, but can add any additional rules and standards to meet the member state’s own definition of good practice. However, this directive was created in the mid 90’s, before the Internet had really established itself. As for cloud…well, back then there were only weather objects and satellites in our skies!  Adding additional complexity, consider that the EU currently has 28 different data protection laws, which has create a muddled and difficult set of systems. All this means a single law governing all EU members with online data at its heart is long overdue.

While numerous tweaks to the existing law are in progress, there are two key changes I believe that everyone needs to focus on. Firstly, the jurisdiction where the service is consumed will become the legal point for any disputes irrelevant of where the service is running from. And secondly, the right to privacy is set to be squarely at the heart of the new law.

So let’s look at each of these in a bit more detail to examine what each of these may actually mean to the provider and the consumer.

Designating the country where the consumer or business uses the service as the legal jurisdiction of reference for any dispute is a big change. It means all providers offering services to EU citizens and business have to legally meet the local laws irrelevant of where they originate. Currently, this isn’t the case. This major change would make it easier to take action in the event of a breach. For example, an entity will be able to take a U.S. service provider to court in the country of use, rather than the U.S., as country of origin.

How this will work for U.S.-based providers is going to be very interesting. Currently, US service providers have to sign up to the Safe Harbour agreement to be able to offer services within the EU as the EU believes the current U.S. data protection laws are significantly below what is considered acceptable.

The problem is that this is currently being undermined by the U.S. government through a U.S. court in the form of a warrant for data within Microsoft’s facilities in Dublin, Ireland. Microsoft has already lost the initial court case and its first appeal. The tech giant is now preparing for a second appeal while being in contempt of court – certainly not a solid foundation to be claiming they can meet the current legal obligations. It’s also not surprising that most of the other big U.S. providers are backing Microsoft’s efforts since they are all going to be affected by the final outcome, whatever it is.

At a cloud law conference in November last year, I had the opportunity to ask Microsoft what would happen if they did ultimately lose the case. Not surprisingly, Microsoft executives stated that they didn’t believe they would lose and even if they did, there were still other avenues to take. Their position (one I agree with!) is that when data residence is in another country and they have signed internationally recognized legal frameworks (i.e. Safe Harbour), they should be bound by these laws and not U.S. court warrants – especially when there is nothing stopping the U.S. government from going to the Irish courts to obtain the data.

This is all very well, but it doesn’t change the fact that Microsoft can only meet its current legal obligations by being in contempt of court. How long could they hold out if they did lose? And what would the ramifications be if they did give the data over? These are complex questions and can’t be answered very easily. But the new law is going to be a lot tougher and non-EU providers and organizations holding EU citizen data will need to meet a new elevated level of protection, which is going to get much tighter. With so much change and uncertainty around this whole area, where providers and enterprises put their data should now be at the forefront of all cloud decisions.

The impact of formalized right to privacy is going to be even deeper, as every provider, enterprise, and in fact, any organisation holding private information on EU citizen will be required to have a data privacy officer who’s responsibilities are to the clients even though they will be employed and paid for by the business/organization holding the data. This isn’t a causal role either; this person (and in a lot of cases their team) will have legal requirements to prove their business/organization is meeting its legal obligations. In many cases, this will require bringing in external auditors to ensure compliance.

The costs resulting from this change shouldn’t be underestimated, let alone the frameworks, standards and processes that will have to be implemented to meet this – all of which will increase the burden on data holders.

As with the current data directive, the new law and its requirements will also need to be met by any business outside the EU that want to offer services to member states. Most locations, such as Jersey, in the UK Channel Islands, where I live, already have data protection laws that align to the current EU directive, which ultimately will be enhanced to meet the new requirements. However, the big questions remain: how will U.S.-based providers be able to meet the new mandate and will the U.S. government ultimately respect international borders and laws, or continue take the “Wild West” approach and try to ride rough shot over them.

 

Leave a Reply

(required)

(required)


ADVERTISEMENT

DTX ExCeL London

WomeninTech