Just as we are entering an era of cloud services, the European Parliament and Council pass a new set of privacy laws, known as the General Data Protection Regulation.
The GDPR sounds like a post-WWII socialist state but contains a number of new protections for EU data subjects (you and me) while threatening significant fines and penalties for non-compliant data controllers/processors (your company and mine as well as the Facebooks, Amazons, Googles and other American giants who provoked these new laws).
To achieve this, the EU uses the GDPR to keep as much European data within the confines of Europe, including the European cloud. (Funny, how it becomes good business for Europe to protect its citizens but this only follows a heritage that rejects American rah-rah free trade in favor of some useful protectionism.)
The GDPR is an "EU-wide" law, intended to create one-stop shopping, save billions in country-by-country data law adaptations, centralize EU data protection so you deal with one agency, and ensure the rights of its citizens. What could possibly go wrong?
Now, for those not living in Europe (yes, that will soon include you Brexiters), you might think you are free of the GDPR shackles. Wrong...
The GDPR applies to any service provider doing business in the EU: Americans, Canadians, Australians, So. Africans, Mexicans, Chinese, Russians--- anyone offering a service managed by cloud.
Imagine a British company doing business in the UK and on the Continent (after Brexit is completed). The home country data rules will apply in the UK, but any cloud services extended to Europe will need to conform to GDPR.
Once GDPR comes into force in the spring of 2018, it will…
- Start imposing fines for non-compliance (the Data Police!)
- Force transparency amongst providers (or else!)
- Bring cloud and managed services into a spotlight (for good and for bad)
- Provide a template for other governments around the world (who might also want to regulate)
- Obligate organizations to possess clearly demonstrable data protection capabilities for the data of EU citizens. No more “trust through contract” model, allowing any certified entity to process personal data that had been transferred from Europe. (It’s going to be interesting to see how many international organizations will be forced to shift their business models dramatically to comply.)
- Provide a huge opportunity for specialists (to bring customers into compliance)
- Force everyone in the cloud chain to spend time & money (in order to comply)
- Obligate larger economic entities (more than 250 employees) to name a Chief Privacy Officer, who may be subject to jail time if the data is not properly protected and compliant
The new rules address specific concerns for individuals:
A "right to be forgotten": When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.
Easier access to one's data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
The right to know when one's data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures. This may sound like common sense but today a number of companies try to hide these breaches because they are bad for their reputation and create more costs when dealt with transparently.
Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are twin pillars of EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules, up to 4% of their global annual turnover.
Managed services continue to grow globally (and in Europe), but service providers (SPs) need to be more transparent. European SPs, in particular, will need to demonstrate things such as the geolocation of data and the geolocation of users with logical access to customer data.
It will soon create a world of haves and have-nots, dividing all companies into those capable of complying with the GDPR and those who cannot.
For big cloud service providers with solid transparency practices and good documentation of policies and procedures, there is probably no problem, only some cost in both money and time. For smaller companies, as usual, no one in government thinks small enough to realize the complications.
For example, if you are outsourcing service via a cloud provider outside the EU (a common practice), who is liable for these fines? You, the provider or both? If, as is usual in law applied by government decree, both are culpable, you will now have to screen your suppliers. We say “screen” because as a small company your complaint/request will have no impact on a big company, so your only choice is to walk away and find another supplier.
And there will be plenty of new and exciting cloud services built in places like the USA or India who won’t want to take time from their rocket growth in home markets to fiddle around adapting to the EU’s particular data rules.
What if you offer a cloud-based subscription service for company news, and executives from all over the world are subscribing? You will need to conform. What if that provider is a US-based supplier like iContact, Constant Contact or MailChimp? Most likely these big service providers will have to move into datacenters in Europe to comply. But what if you were using a smaller, cheaper service who won’t comply? Then, most likely, you will have to move your business and pay the higher rates of the bigger suppliers who are in compliance. Or (and the EU is happy about this) you find a smaller provider in the EU who has to be in compliance just to be in business here.
This would seem to discourage smaller non-EU providers from doing business in the EU. The EU probably thinks that’s good—no, maybe even great! Creates EU jobs! Favors EU companies! What’s not to like about it? On the other hand, many European companies certainly have enjoyed either the latest tech or the lowest cost services delivered online from USA, India, and elsewhere.
Consider an American subsidiary in Brussels that previously left data work back home in low-cost Idaho. When regulations force that work to move to Europe, prices will go up.
Here is a “through-the-rose-coloured-glasses” example from the EU:
How will the new rules work in practice?
Example: a multinational company with several establishments in EU Member States has an online navigation and mapping system across Europe. This system collects images of all private and public buildings, and may also take pictures of individuals.
With the current rules:
The data protection safeguards upon data controllers vary substantially from one Member State to another. In one Member State, the deployment of this service led to a major public and political outcry, and some aspects of it were considered to be unlawful. The company then offered additional guarantees and safeguards to the individuals residing in that Member State after negotiation with the competent DPA; however, the company refused to commit to offer the same additional guarantees to individuals in other Member States.
Currently, data controllers operating across borders need to spend time and money (for legal advice, and to prepare the required forms or documents) to comply with different, and sometimes contradictory, obligations.
With the new rules:
The new rules will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Any company - regardless of whether it is established in the EU or not - will have to apply EU data protection law should they wish to offer their services in the EU.
For example, “stock video” companies in the USA who sell content online will have to move into Europe-based datacenters to comply.
While much of the GDPR seems healthy, let’s hope the Law of Unintended Consequences doesn’t pervert the EU’s goal by turning up a lot of scenarios that the EU government couldn’t foresee.
After all, trying to regulate the blue sky of international internet services is a “cloudy” business, indeed.