As the U.S. Congress stays on track to pass a sixteen-year record low number of bills this year, its counterpart in the European Union continues on nothing less than a data privacy rampage. In a speech this morning at a continent-wide data privacy conference in Brussels, European Commission Vice President Viviane Reding renewed her call for a single data protection authority to oversee privacy policies in all member states – a measure to which the main objections now come from member states themselves, rather than from Parliament.
But in an effort to keep her end of the bargain, Comm. Reding openly called upon cloud service providers to refrain from a nasty habit that more and more of them have gotten into this year. Apparently referring to this story from IDG’s TechWorld UK, she said CSPs should stop offering themselves to European customers as data shelters from the prying eyes of American lawmakers.
“I am reading in the press more and more about European internet companies offering a cloud computing service which stays in Europe,” Comm. Reding told attendees. “Just yesterday I read about a Swedish company whose selling point is that they shelter users from the U.S. Patriot Act and other attempts by third countries to access personal data.”
The outfit she was referring to was the recently merged operations of Sweden-based Severalnines with London, U.K.-based City Network. Two weeks ago, the new operation began actively promoting itself as a safe haven from the CIA and FBI.
“E.U. customers can now benefit from the savings and flexibility enabled by cloud-based database services safe in the knowledge that they will not fall under the jurisdiction of the Patriot Act,” reads a joint press release issued November 23. “Under the Patriot Act, data from E.U. users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user.”
This made the plain-spoken justice commissioner a bit upset. “Well, I do encourage cloud computing centers in Europe – because we need more innovation, more research and more investment in the ICT [information, communications, and technology, the European term for “IT”] industry. But this cannot be the only solution,” she told the Brussels meeting. “We need free flow of data between our continents. And it doesn’t make much sense for us to retreat from each other.”
Last July, this reporter spoke with several cloud service providers both in the U.S. and abroad, who confirmed that Europe-based customers were more openly seeking public cloud services that could guarantee their data would never be routed to servers in the U.S. The CSPs with whom I spoke said it was not their policy to issue such guarantees, although they mentioned there were competitors who were only too willing to oblige.
One of the multitude of unpassed bills wallowing in the halls of the U.S. Congress this year is the Commercial Privacy Bill of Rights, sponsored by Sens. John Kerry (D – Mass.) and John McCain (R – Ariz.). As originally conceived, the bill would include a provision that would prevent any service provider from disclosing a customer’s personal data to any agency, even under government order, without notification and consent of the customer. E.U. officials have said passage of this bill would bring U.S. law more in line with European law, as well as with the terms of a Safe Harbor treaty between the two governments that guarantees E.U. citizens’ data will not be traversed by U.S. authorities – which would appear to contradict the terms of the Patriot Act.
Up to now, Comm. Reding has supported the concept of the Kerry-McCain bill, but has kept relatively quiet (as best she can) with respect to the process. That changed this morning: “You might remember that last year I welcomed the Democrat-Republican joint initiative on data protection,” she told attendees. “It made headlines. The Senators made clear that a federal law is necessary to ensure the protection of privacy in the United States. They argued that the U.S. government had a substantial interest in creating a level playing field for all collectors of personal data both in the U.S. and abroad. This sounded encouraging indeed! However, I have been told that only voluntary codes of conduct based on multi-stakeholder consultations are envisaged. Well, I hope I got it wrong, because I am worried that U.S. ‘self-regulation’ will not be sufficient to achieve full interoperability between the E.U. and U.S.”