Cloud, Big Data, the Internet of Things are among the hottest topics that vendors are driving in 2015, but there are five legal developments in each that are worth tracking.
1. Microsoft and US government go to court
Again, Microsoft is resisting attempts by the US government to get access to the user data it is holding outside the US. Microsoft has been storing user data geographically closer to said user, as this not only reduces lag (improving the user experience) but, in theory at least, reduces the ability of governments to get access to that data.
The revelations by Edward Snowden of wide-scale access by the US government to data under the NSA’s Prism programme - particularly to data of non-US nationals - have given rise to a new global tension in the cloud sector.
More ReadingMicrosoft: Look at our cloudy privacy award. Isn't it so ... meaningful?It's a very freaky cloud, the kind you don't take home to motherGoogle-gulped Stackdriver reborn as cloudy control freakSilicon Valley WAGE-FIX: Tech firms mull new deal to kill staff lawsuitIn the EU? Setting a 'retain that data' rule? Better comply with e-Privacy
While everyone suspected the US government was accessing data, few knew the scale. This has put the spotlight on US cloud providers. If customers believe the US government can access their data because it is held by a US provider, the fear is they will move to cloud without a US angle, meaning the government is potentially damaging the growth of its own cloud industry.
Microsoft is taking a stand. The New York District Court ruled in the US government’s favour allowing it to rely upon the Stored Communications Act to get access to personal data that Microsoft had stored in Dublin. The company has yet to comply with the order running the risk that it will be held in contempt of court, leading to fines.
The latest salvo in this battle of the cloud came in December 2014, when Microsoft’s General Counsel published a list of companies and organisations who had filed “friend of the court” briefs supporting Microsoft’s position. This is an impressive list including technology companies such as Amazon, Apple, Cisco, eBay, HP, Rackspace, Salesforce and Verizon. It also includes 17 major news and media companies such as CNN, ABC, Fox News, Forbes and The Guardian.
This year is likely to be when we finally get resolution, one way or another. At stake is potentially the entire non-USA cloud business of US cloud providers.
While everyone suspected the US was accessing data, few knew the scale. The fear is customers will move to cloud without a US angle, meaning the US government is possibly damaging its own cloud industry
2. Internet of Things will cause privacy concerns
We are all used to making some form of compromise over access to information about our private lives as the cost of living in modern society. For example, we accept surveillance via proliferated CCTV, analysis of our spending habits via store loyalty cards, or the tracking of our movements and data on our smart phones. The Internet of Things expands this on a grand scale. Gartner forecasts there will be nearly five billion connected devices by the end of this year, and 25bn in 2020.
IoT massively increases the opportunity for hackers to get access to our personal data. This prompted the Chair of the US Federal Trade Commission to air her concerns at CES 2015.
The answer, not surprisingly, is for manufacturers of IoT devices to take data security into account early on and to limit data to that which is actually necessary for the use of the device.
This is not new ground. The European data protection laws have long tried to control the flow of personal data. Data security is all about the steps you take to protect the data.
What is interesting is that this is a prominent figure in the US raising privacy concerns. Expect the US and the EU to toughen their stance on privacy issues, in part because of IoT.
3. Massive data security fines get closer
Every month there seems to be another story of data leaks or hacking. Or both. Aside from damage to reputation, it is sometimes cheaper for a business to suffer a data breach than to introduce properly secure systems. But with new, increased data breach fines jumping to up to €100m (or five per cent of global turnover under the new EU Data Protection Regulation) data security is likely to jump up the priority list for budget expenditure.
There will be other changes too, for example, organisations will need to appoint a data protection officer, they will need to actually notify the authorities where there has been a data security breach notification. And of course, there is the infamous “right to be forgotten”.
Recent surveys have shown that, other than this new right to be forgotten, businesses are not aware of, or not prepared for, the new law. The new President of the European Commission, Jean-Claude Juncker, gave June 2015 as the deadline to conclude negotiations for the regulation, as well as the review of the Safe Harbour arrangement with the US.
But progress is slow, with a Euro MP recently complaining that the UK, France and Germany are holding up proceedings.
The so-called ‘right to be forgotten’ regulation is not the answer to Prism but it is an attempt to update EU data protection laws for modern uses of data. While it seems unlikely the new regulation will actually become law in 2015, we can expect it to start taking final form
The regulation is not the answer to Prism but it is an attempt to update EU data protection laws for modern uses of data particularly in relation to mobile, cloud, Big Data and the IoT. While it seems unlikely the new regulation will actually become law in 2015, we can expect it to start taking final form.
Even if the UK votes to leave the EU following the general election later this year, we will still be subject to the regulation if we are to continue trading with the remaining EU members. So, 2015 is a good year to get your data security house in order.
4. Google Spain case will get greater scrutiny
Last year Mr Costeja unintentionally achieved international fame, infamy even. The Court of Justice of the European Union ruled that Google had to remove links from search results about Costeja that were accurate but out-of-date. This was dubbed the “right to be forgotten”, reflecting the 'right' about to be introduced under the new EU Data Protection Regulation. In fact, it is based on the existing law that data must be kept accurate and up-to-date.
The judgement has had far-reaching consequences, polarising debate; on one hand, many individuals are happy that they are able to exercise a greater degree of control over what search engine users may find about them. Others (including me) are left wondering whether making Google Spain a “data controller” for the purposes of the legislation is a step too far.
Even though the respected Article 29 Working Party has published guidance on implementing the judgement, there is still much concern. For example, it seems hard to reconcile this judgement with the mere conduit, caching and hosting defences enshrined in the E-commerce Directive to protect ISPs.
This judgement indicates that protecting personal data trumps these long-established legal principles. With such a disparity in the law, we can expect greater scrutiny of the judgement this year.
5. Cloud standards get closer
There are numerous attempts to introduce cloud standards. There are initiatives from the European Union, official standard-setting organisations such as the International Telecommunications Union and the International Standards Organisation. There are also private standard-setting organisations (such as the UK Cloud Industry Forum with whom I have an association) and government-imposed standards. In all, the European Telecommunications Standards identified 20 bodies producing 150 documents in this area.
A definitive set of standards is some way off, as is a standard cloud contract, and cloud providers have little enthusiasm for one. The European Commission is attempting to introduce a standard approach to cloud SLAs.
In June 2014 its Cloud Select Industry Group published guidelines. A standard SLA is not close to being established, and the guidance is intended to serve as a form of checklist.
Expect standards, contracts and SLAs to receive attention during the course of the year. Of course, once there are generally acceptable standards, the next stage will be for customers to recognise - demand - that their providers should comply with those standards.
This will lead to the advent of certification schemes and organisations to help providers adhere to those standards. ®