Last year, I highlighted five legal issues for cloud firms and consumers to watch out for in 2015. Here’s a quick recap of how those topics developed during the year.
1. Microsoft and the US government go back to court
Microsoft is taking a stand against the ability of US law to reach into its Dublin data centres and, against the backdrop of the annulment of the Safe Harbour agreement, this might be a long battle.
It is worth teasing out a couple of points from a legal perspective. First, the US government is relying on a US law dating from 1986 which is even more out of touch with the modern world than the 1995 Data Protection Directive which the EU Commission has spent years trying to replace. Second, Microsoft is resisting handing over the data on the basis that this law should not apply, but that Irish law should apply instead. Finally, Microsoft is saying that although the data is in its possession, it doesn’t own the data – the customer does.
Microsoft has got the support of some of its competitors along with trade associations, advocacy organisations and media companies; in fact, 86 bodies in total have filed submissions to the court. Even the Irish government has filed a brief saying the US government should recognise Irish sovereignty.
The case went to the appeal court in September and may yet be set for a long journey to the US Supreme Court. The result could affect US cloud operations in Europe, particularly once the new EU data protection laws come into force.
2. The Internet of Things will cause privacy concerns
Should we be concerned that energy companies might adjust their utility pricing based on when you remotely adjust your heating or lighting? Is it a good thing that insurance companies might adjust your life or health insurance on the basis of the fitness readings from your wearables? IoT and wearables will continue to languish in 2016. That gives us all a big longer to work out the privacy implications.
3. Massive data security fines get closer
The General Data Protection Regulation has reached its final form. It needs to go through a few administrative hurdles but should become law in 2018, at which point the new level of fines will be €10,000,000/two per cent of global turnover for many potential breaches or €20,000,000/four per cent global turnover for the key data obligations.
Generally, the UK Information Commissioner is viewed as being fairly pragmatic and helpful and there is a belief that he won’t use the increased fines as an opportunity of making an example of offenders. After all, while he can currently fine offenders a maximum of £500,000, so far he has not exceeded the £325,000 fine which he levied against Brighton and Sussex University Hospitals NHS Trust in 2012.
However, there is bound to be at least one EU supervisory authority who will be looking for an early scalp. The Schleswig Holstein data commissioner, for example, has been very vocal about the (in)validity of EU-US data transfers. It will be interesting to see how their approach to enforcement changes under the new law.
4. Google Spain case will get greater scrutiny
In its transparency report, Google announced it had reviewed 1.3 million URLS since May 2014 and removed 42 per cent of them. The reaction from the media following the European Court of Justice’s so-called “right to be forgotten ruling” has been fairly predictable, with high levels of indignation and some sites actively listing the links that search engines have removed from their results.
Since then, the European Court of Justice has further increased the protection of personal data by upholding the ability of a supervisory authority to fine a company based in another country and US President Barack Obama signed a law curtailing NSA snooping powers (a little). It’s all about protecting data at the moment and this doesn’t look likely to abate any time soon.
5. Cloud standards get closer
A standardised cloud would be good for customers but not necessarily for providers. After all, locking a customer into proprietary tech can be a great way of locking in the revenues too. What we need are cloud standards. The trouble, though, is that there are already too many of them with more on the way. Real cloud standardisation still feels a long way off. ®