Whatever your feelings on Ed Snowden and his revelations of the NSA’s massive online spy program, it can’t be denied that the leaks are having some kind of positive effect – at least people are debating what level of privacy people should be allowed to expect online, even if nothing concrete has been done about it. But in the EU at least, it looks as if we’re about to see the first firm response to the revelations.
The New York Times reports that the EU’s digital privacy regulation, introduced last year, could be about to get some amendments dealing specifically with the area of “cloud computing”, an industry that’s almost totally dominated by US-based firms.
Specifically, EU policymakers have determined that they want to protect their countries’ citizens from privacy abuses – something that clearly isn’t happening online right now, with an internet dominated by US companies subjected to US laws.
It’s not just the NSA that has a ‘cavalier’ attitude to privacy when it comes to sucking up user data – especially in the case of non-US citizens – there’s the added problem of companies like Google and Facebook sucking up as much data on people as the possibly can, selling this data without people’s knowledge in their relentless pursuit of advertising revenues.
In the NYT article, it notes that non-US citizens’ data is afforded virtually no protection whatsoever, especially in the case of the NSA, which brazenly points out that its PRISM program is aimed at foreigners. It’s this state of affairs that the EU wants to change, and policymakers have made a number of proposals on how they intend to do that.
One example is a proposed amendment that companies have to notify users every time their data is sent to a server based in the US, while a second goes further and suggests that companies request user consent each and every time data is sent to the US, whilst also requesting that said companies notify users of any data request from the NSA or other intelligence agencies. Meanwhile a third amendment proposes that companies handling user data inform both the authorities in the user’s country, as well as the user, whenever US authorities make a request to access that data.
The problem with all this is that a great majority of data requests from US intelligence agencies come alongside a gag order, which means that the companies are prevented from notifying users that they’re under investigation. Previously, American lobbyists in Europe had managed to remove the third amendment from the EU’s original digital privacy regulation, but it now looks like the NSA has undone all of their hard work.
It’ll be interesting to see what happens next. If the proposed amendments go through, US cloud computing companies could find it impossible to comply with EU regulations whilst also acceding to the NSA/FBI’s endless thirst for data, something that could make it extremely difficult for them to operate in Europe. Even more worrying is that some are already gearing up for this possibility, with a number of politicians proposing the “development of European clouds” as an alternative to US cloud providers.
Viviane Reding, the European Commission’s justice minister, points out in a statement that data stored in the EU could well be an attractive advertising proposition:
“For the private sector, such European clouds could become also attractive as they could advertise, ‘These are European clouds, so your personal data is safe.”
Given how the US currently dominates the cloud computing industry, the creation of a European cloud industry to rival that of the US would likely take some years even with European governments backing it. Nevertheless, the threat to US firms is real – as Wikibon’s Scott Lowe noted in an earlier report, there is evidence to suggest that American cloud computing firms have already been harmed by the NSA’s spying, while a second report from the Information Technology and Innovation Foundation last August revealed that the total cost to the US cloud industry could be as high as $35 billion over the next three years.