Since Edward Snowden lifted the lid on the US National Security Agency’s (NSA) surveillance secrets there has been a lot of fretting about spies. It is not a new issue, but more people are now talking about keeping data in places beyond the legal reach of any foreign government.
It is an environment that favours hard mandates, according to software industry group BSA. The organisation's report, titled Powering the Digital Economy, claims a number of countries have taken steps to reduce cross-border data flows or require that data servers are located within the borders of local markets, and this is slowing the development of digital services.
The BSA's report acknowledges that it is usually done in the cause of consumer privacy, and the NSA revelations are encouraging such measures. But it claims there is a lack of flexibility that hinders the development of software services, especially those in the cloud, and deprives many businesses of the potential operational efficiencies and savings.
There does not seem to be an immediate threat to digital service providers in the UK. Frank Jennings, a partner at legal firm DHM Stallard and chair of the Cloud Industry Forum’s Code of Practice Board, says the UK benefits from an open market with the rest of the EU and a good relationship with the US, and that the existing balance in the law is about right.
“I don’t think the protectionist measures [highlighted in the report] will affect the UK overnight, although if you have customers in those countries it will,” he says.
But Jennings adds that reports of the NSA and GCHQ accessing data have prompted concerns that some countries might adopt protectionist measures in the name of security, and this could have an effect.
“Any protectionist measure is a bad thing, particularly in the cloud industry which is essentially global. There’s no harm in selling to customers in the EU on the basis it will keep data within the EU if it’s what they want; but for data protection law it should be kept secure no matter where in the world.”
A similar warning comes from Thomas Boué, director of government affairs EMEA at The Software Alliance (BSA). He says there are proposals going around Brussels with elements of digital protectionism, and cites a European Parliament report calling for the suspension of the Safe Harbour mechanism with the US and to keep European data within Europe.
“It is a clear example of an attempt to introduce barriers for international companies that want to do business in Europe,” he says. “However, creating obstacles for the movement of commercial data will do nothing to solve concerns about government access to data, which is the core motivator for this initiative.”
He also says there are calls for the building of cloud services solely for European citizens and companies that would cut them off from global providers and networks, and undermine the efficiencies they can find in an international market.
Data protection for the digital age
The key factor, however, will be the shape of the EU Data Protection Regulation. In March the European Parliament gave its support to a revised draft of the regulation, which will go to the Council of Ministers for discussion in June. But it has been subject to a lot of criticism and it could yet be derailed.
Boué says the BSA agrees that privacy is a fundamental right, but that the regulation has been based on “brushing up” the Data Protection Directive of 1995 and is not sufficiently forward looking.
“The way the Data Protection Regulation is being drafted is backward-looking and does not embrace the digital age,” he says. “A lot of commentators are of the opinion that if it does go through it will have to be reviewed soon because it hasn’t kept up with the digital age.”
He claims there are a number of issues, and highlights the definition of personal data as being too wide: “If everything is personal data and has to be treated with the utmost care and safeguards, it is an enormous burden on the data being able to flow across borders.”
Louise Bennett, chair of the security community for the Chartered Institute of IT (BCS), says the regulation in its first draft could undermine the cloud industry.
“One suggestion for the new legislation – that people have a right to be forgotten – is very nice conceptually but impossible practically,” she says. “You go to an external provider because you want better resilience and security, and because things are moved around and backed up. Yet backing it up means it is even more difficult to ensure you have cleaned out data if someone wants it removed.”
Bennett adds that there is opposition to removing the right to be forgotten, and that the draft provides too much scope for argument about whether an organisation has done its utmost to protect personal data. It also leaves little room to allow for changes in technology which cannot be foreseen.
“Looking forward one year in IT and the internet is quite difficult; looking forward five or 10 years is well nigh impossible,” she says. “At the moment data protection laws are about 25 years old, and because they are principles-based they’ve stood the test of time pretty well. Trying to add more detail, especially if you tie it to today’s technology, is very foolish.”
She says the thousands of amendments were submitted because of “real practical problems” with the first draft, and that: “It’s better to do something covering the major things that people are concerned about in a sensible fashion rather than produce something unworkable.”
The overall message is that the regulation as it stands is too prescriptive, insufficiently flexible and could be a severe hindrance for digital service providers in the future.
“Every commentator agrees the regulation is very prescriptive and leaves little room for interpretation," says Boué. "It could have worked 20 years ago, but the world is evolving constantly and having something set in stone is not the right approach.
“There are many ways they approach it but, for many companies, privacy is at the heart of their business as it allows them to build trust, and there needs to be some flexibility on how to achieve it.”
Flexibility and freedom
Organisations are working out what works best for them. Lance Fisher, CIO of international recruitment firm SThree, says Germany is one of its major markets and has the most stringent approach to data protection, so it tends to use it as the common denominator for its own approach. There is a degree of caution here, given that he expects people to become more protective of their data and that the regulations will become more stringent.
“Increasingly countries will enforce better data protection and privacy laws and companies will have to follow them,” he says. “The European laws will get stricter and people will have to follow them.”
He also makes the point that in some areas of business the company needs to move the data across borders to provide the service to its customers. SThree keeps the CVs of some job candidates inside a country’s borders, but for some industries, such as oil and gas, it is serving an international market in which the details have to be on an international platform.
“Part of it is being upfront,” he says. “It’s saying that if you sign up to a job board, you know where the CV is, and you can send in a personal data request on where it is stored and what will be done with it.”
Whether or not EU member state ministers accept it in its current form, the pressure for a new regulation will remain and people are now thinking about how a rewritten version could lay the ground for a workable balance between privacy and a free market. Boué says the key factor is flexibility.
“If you are too prescriptive, especially with a regulation that takes years to be developed, negotiated and implemented, it needs five or six years and the world will have changed. If it’s prescriptive from the outset the world will have changed and it’s not effective any more.”
He suggests that an approach based on outcomes could be successful, and points to the US as an example: companies providing digital services are given more freedom in how they protect data, but this is coupled with a strong enforcement regime.
Bennett suggests that it is too big and complex an issue to solve with one sweep of legislation, especially as the landscape for technology and data management is changing so quickly.
“You should be making small steps all the time to deal with the problems that emerge from where you are,” she says. “I believe that is quite doable.”
She warns, however, that “there are all sorts of opportunities to derail it, and the biggest come along each time Snowden reveals more”.
So the privacy scares are threatening to knock the EU off the balance that seems to be serving the business well. The challenge for its legislators is to allay the fears while ensuring that organisations which obtain benefits from moving data across borders can continue to do so.