Cloud Control: Europe Attempts Data Regulation

Information may want to be free, as the famous dotcom era cliche had it, but those who use it have other ideas.

The capturing, interpreting, manipulating, analyzing, buying and selling of information has become a big business, virtually the next 'it girl' or new, new thing of the tech pantheon. Probably not quite as monumental as the computer or the internet or the smartphone, but significant enough. At least when compared to electric cars, the reshoring of manufacturing or other supposed breakthroughs in the uses of technology. But the institutions that oversee the uses of such information have their own set of interests and concerns.

As universal and unfettered as The Cloud concept may seem, there is no doubt that its very comprehensiveness makes it fair game for regulators concerned about the concentration of power and the potential abuses such focus portends.

The question is whether a too-intrusive manifest will actually make things worse. The problem is the speed and relative freedom with which those who both provide and use the data may operate. They are beholden to almost no one but their investors. The governments involved must consult and negotiate and compromise. Worthy tasks, all, but time-consuming and, inevitably, given the number of points of view involved and the divergence of their interests, strategically blunt rather than sharp.

That someone with the public interest in mind is paying attention is gratifying. Market forces, as salubrious as many believe them to be, can and have been manipulated to serve less than expansive ends. The only question is what the goals are and whether the structures in place will be able to effect the objectives eventually delineated. JL

Danny Hakim reports in the New York Times:

The words “cloud computing” never appeared in a 119-page digital privacy regulation introduced in Europe last year. They do now.

Even before revelations this summer by Edward J. Snowden on the extent of spying by the National Security Agency on electronic communications, the European Parliament busied itself attaching amendments to its data privacy regulation. Several would change the rules of cloud computing, the technology that enables the sharing of software and files among computers on the Internet.

And since the news broke of widespread monitoring by the United States spy agency, cloud computing has become one of the regulatory flash points in Brussels as a debate ensued over how to protect data from snooping American eyes.

Cloud technology has become a routine part of digital life, whether it is used for Web-based services to send e-mail or store photographs or to warehouse troves of business or government records. It has enabled the convenient sharing of data among mobile devices and enhanced the ability of people to collaborate and share documents. It has also cut the cost of doing business.

But transmitting data among mobile phones, tablet computers and clouds, even while encrypted, makes it more accessible to snooping.

The European Union wants to regulate the cloud even if that makes its use more complicated. One proposed amendment would require “all transfers of data” from a cloud in the European Union to a cloud maintained in the United States or elsewhere to “be accompanied with a notification to the data subject of such transfer and its legal effects.”

Another amendment takes it further, barring such transfers unless several conditions are met. Not only must consent be provided by the subject of the data, but the person must be “informed in clear, unambiguous and warning language through a separate and prominently visible reference” to “the possibility of the personal data being subject to intelligence gathering or surveillance by third-country authorities.”

Lawmakers are also proposing to revive an amendment that American diplomats largely succeeded in getting dropped from the original data privacy regulation that would impose guidelines for handling court orders from countries outside the European Union. The amendment requires the operator of data servers to inform both a local “supervisory authority” as well as the subject of the request, which could run afoul of American law.

And there are other potential conflicts between European and American laws. The European Commission is considering imposing sanctions on companies that turn over records to American law enforcement authorities if the move violates European privacy regulations.

While policy-making on cloud computing is proceeding on more than one track in Brussels, the tracks all appear to be heading in the same general direction: a more robust regulatory regime delineating how data is handled and released. Policy makers hope to have a new regulation in place before the European elections next May.

The stances from politicians across the European Union are similar.

“We need to realize that European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” said Neelie Kroes, the European Commission vice president in charge of telecommunications and information policy, in a statement.

Viviane Reding, the European Commission’s justice minister, said in her own statement that she wanted to see “the development of European clouds” certified to strict new European standards.

She said that European governments could promote such a move “by making sure that data processed by them are only stored in clouds to which E.U. data protection laws and European jurisdiction applies.”

“For the private sector, such European clouds could become also attractive as they could advertise, ‘These are European clouds, so your personal data is safe,’ ” she said.

Some have gone further. Thierry Breton, a former French finance minister and the chief executive of a French information technology company called Atos, has proposed what he called a “Schengen for data,” referring to the law that allows citizens within the euro zone to cross borders without a passport.

But creating a virtual free trade zone for data — if such a thing is possible — raises questions about what happens outside that zone. A spokesman for Mr. Breton, who is on a panel advising the commission’s strategy on cloud computing, said that his statement was “not about protectionism” but about ensuring “customers will receive the proper level of guarantees in terms of data protection and access across Europe.”

It is not entirely clear what creating European clouds would really entail, or how one would draw digital borders. Large American providers of cloud services, like Amazon, have data centers throughout Europe. And even European companies with American subsidiaries are vulnerable to American law enforcement requests, a point of contention between the governments.

American technology companies, as well as the American government, have voiced unease publicly and privately.

In a recent speech, Cameron F. Kerry, the general counsel of the United States Commerce Department, said: “It would be a sad outcome of the surveillance disclosures if they led to an approach to Internet policy-making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates.”

“But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is,” he said. In his view, the regulation might restrict the flow of information among citizens, as is the case in China with barriers that are called the Great Firewall. “The digital world does not need another Great Firewall — in Europe or anywhere else.”

Anna-Verena Naether, policy manager for DigitalEurope, a trade group of international technology companies, including American and European giants like Apple, Microsoft and SAP, said, “We have to make sure it doesn’t lead to a Fortress Europe approach.”

Mark Taylor, a partner at the London office of Hogan Lovells, a law firm that represents a number of businesses that use cloud services, as well as companies that provide it, said, “There’s a risk of going too far and effectively putting a significant element of this in reverse, and in the current economic situation my feeling is you have to be jolly careful about anything that’s going to have a broader economic impact.”

In addition to the debate over the digital privacy legislation, the European Commission created the European Cloud Partnership last year as part of a broader strategy to promote cloud computing. A mix of public officials and industry executives serve on its steering board.

One of them, Reinhard Posch, an Austrian government official, said Europe should move toward “fostering a functioning single market for cloud computing.”

But that does not necessarily mean putting walls around where data can be stored, he said. “We have to get a little deeper than just to talk about where the bits are stored,” he said. “The bits may be stored anywhere; it’s more the question of how are they secured.”

Sophia in ‘t Veld, a Dutch member of the European Parliament who sponsored one of the cloud computing amendments, said, “This extreme market dominance of a few American players is very unhealthy, but I am against putting a fence around Europe and excluding anybody. But it has to be very clear what the rules are that we play by and there has to be more competition from Europe.”