EC data protection rules are like a cat chasing its tail

As featured on TM Forum’s the Insider Blog
 
The European Commission is suggesting some serious reforms to data protection laws that could have implications for everyone that uses the internet or provides services over the internet, including operators.
 
For a start, companies operating over the internet will have to seek explicit consent from users if they plan to use data about them, including when it is being collected, how long it will be stored, and for what purpose it is being used. (Sounds a bit like Google’s new privacy policy, which places the onus on the individual to set their own data and privacy settings but has become so convoluted that most won’t bother.)
 
There are three key elements that will directly affect CSPs, however. The main one is that accountability rests with those that process personal data, and those companies could be obliged to notify authorities of serious data breaches within 24 hours, or face stiff penalties (presumably more dire than customer backlash).
 
Consumers should be allowed easier access to their own data, be able to transfer it from one service provider to another more easily, and be able to delete their data. Supposedly, this would apply not only to social networking sites but, critically, to cloud service providers, which CSPs are aspiring to become. Facebook may find the last requirement difficult to abide by, as anyone who has attempted to delete a Facebook account will confirm.
 
What does throw a ‘spanner in the works’ is that the EC wants its rules to be applied even if data is handled abroad by companies that are active in the EU or offer services to EU citizens. It is not yet clear if data belonging to non-EU citizens but residing on servers within the EU will be similarly affected. And what happens to EU data that, because of data and server virtualization over the cloud, is actually sitting in a non-EU country that applies its own set of rules?
 
Here we go again. Regulation rears its head in what appears to be a desperate attempt to keep up with internet and cloud activities. Not surprising really as the current EU data protection laws date back to 1995, and a lot has certainly changed since then.
 
Any attempt to harness the use of private data should, of course, be welcomed, but unless ALL countries agree on the ways and means of doing so, then the whole idea is flawed from day one. The internet does not understand international boundaries, nor do cloud services for that matter.
 
When you take into account that Europe has a population of over 500 million people, which is nearly twice that of the US, the initiative takes on a new light. Of course, size probably doesn’t matter in this case. The USA will likely set its own agenda on data privacy, much as it has with ‘net neutrality’ initiatives. There will certainly be challenges for US companies operating EU subsidiaries, and vice versa, just in trying to keep within whatever laws are adopted.
 
It may be a little too early for panic and hysteria to set in, because the EC’s proposals will now pass to the European Parliament, and then all 27 individual member states will have to debate and approve what will eventually become a single set of rules. Once there is agreement, it will be at least another two years before the final version is adopted and, by then, the internet will probably have moved at light speed in a different data direction.
 
Of course, one option may be for data to be stored in a country that will take no notice of EU or US data laws, and there’s no shortage of those.