New EU Privacy Directive Will Have Serious Cloud Restrictions

The latest revelations from the documents leaked by former NSA analyst Edward Snowden could not have been more timely for the EU’s privacy advocates. The summit of the 28 EU heads of government took place in Brussels two weeks ago and – while the spying scandal was not originally on the agenda – the meeting was hijacked by the recent reports showing massive transfers of European citizens’ data and, more seriously, continuous spying on politicians, heads of government and other high-placed officials.

Just a few days ago the German, French, and Spanish foreign ministers summoned their respective US ambassadors to express their anger, demanding clear explanations of those activities and their immediate cessation. Both the French president and the German chancellor also received reassuring calls from US President Obama that their phones are not subject to any current tapping. But neither Obama nor White House spokesman Jay Carney actually confirmed or denied that Merkel’s phone had been previously tapped.

Recently the EU parliament approved, in a landmark vote, the revision of the Data Privacy Directive (otherwise known as the “cookie” directive), including heavy restrictions on data collection and sharing, plus “the right to be forgotten”. While a few weeks ago many European leaders wanted to scale down the restrictions on foreign internet and cloud computing companies that operate in the Union, now all of them are in favor of stricter European controls, plus heavy fines. As currently written, the directive includes fines that could run as high as 5% of a company’s annual global revenue, replacing a previous cap of 2%.

This would seriously complicate life for American companies such as Google, Facebook, Microsoft, Yahoo!, and others that have been exposed as voluntarily sharing private data communications with the US secret services. The new amendments will enable EU citizens to demand that IT companies erase personal data from the Internet, and forbid any transfer of such data outside European borders.

The current Privacy Directive, the “cookie directive”, doesn’t mention cloud computing at all, since it was written before the term became widely known in the IT community. But the new legislation is full of explicit cloud computing terminology. Some US companies believe the EU wants to develop its cloud computing infrastructure by requiring all data to be held locally. If that is the case, the US government is only helping.

The damage is already done. Neelie Kroes, the EU Commissioner for the Digital Agenda, has already warned that US companies could lose billions in cloud computing contracts, and many CIOs and CEOs of European enterprises are putting a hold on new cloud infrastructure that is badly needed.

Uncertainty is the biggest threat: what will be the long-term impact of what the European Parliament has done? This is what both suppliers and customers are wondering. If the legislation is implemented in its current form, the consequences for foreign suppliers of cloud services will be enormous. Right now, as a result of the recent revelations, there is little resistance left in European leaders’ minds to ratcheting up restrictions in the new privacy laws.

Another view shared by politicians is that governments, courts and parliaments have lost control of their intelligence services, and they need to rein them back in. This is also the view of most European citizens, especially those who suffered under totalitarian regimes and want full transparency and privacy protection.

As Viviane Reding, Vice President of the European Commission, EU Commissioner for Justice, said: “The vote is a strong signal: as of today data protection is made in Europe.”

I believe both cloud computing companies and their customers’ CIOs should prepare for a new reality of cloud services in Europe, and plan for the most restrictive regulations. The ones that have the data centers’ infrastructure and legal foundation will stand to win.
