Another day, another uncomfortable political miasma hanging over the cloud services market. Earlier this week, the European Commission put up for public review the draft of the new Data Protection Regulation, designed to provide a common legal framework for privacy matters to the European Union’s 27 member states. And if passed in its current form, it could mean big trouble for European cloud service providers and vendors.

First and foremost, a TalkinCloud tip of the hat to ZDNet’s Zack Whittaker, who’s been following this data protection law for months and provides several key insights into the bigger picture. I definitely recommend keeping an eye on Whittaker’s ongoing coverage — especially given his advantageous position of reporting straight from the United Kingdom.

Some of the new data protection law is fairly straightforward. For instance, since the Data Protection Regulation works across all 27 countries in the European Union, questions of jurisdiction become moot. Wherever the provider’s European headquarters is, that country becomes the organization’s designated data protection officer. To use Whittaker’s example, Microsoft and Twitter have their headquarters in the United Kingdom, so the Information Commissioner’s Office becomes their local arbitrating body under the law.

In that vein, to prevent a repeat of the Sony PlayStation Network fiasco, service providers will be required to notify their local data protection agency within 24 hours of a breach or else pay stiff fines up to €1 million (about $1.3 million US) or 2 percent of the service provider’s global turnover. Moreover, cloud service providers will have to provide tools to export data, such as the kind Google Takeout already offers.

One of the more controversial provisions of the Data Protection Regulation is that organizations of 250 seats or more will be required to appoint a data protection officer to make sure that standards are being kept and potentially (this point is still unclear) actually perform the reporting. This has been criticized as an undue burden on the business.

But the trickiest part is easily the so-called “right to be forgotten.” In other words, if you delete your information from a cloud platform (or social network or search engine), it’s up to the service provider to wipe all traces of your data. That’s troublesome, to say the least — a single photo hosted in Dropbox, say, could make the rounds all over the Internet, and it seems as though the service provider could well be liable if it stays available. That could mean big trouble for the whole cloud market as the implications really start to set in.

As I said, this is only a draft, and it’s already greatly reduced in harshness from the original version that was leaked in November 2011. All the same, while its intentions may be pure, the Data Protection Regulation could redefine “unintended consequences” for a new era (recalling echoes of SOPA).
