EU Privacy Maze
Monday, November 8, 2010
The patchwork of rules across Europe regarding the handling of data poses a hurdle for Microsoft’s efforts to provide cloud-based services, a senior Microsoft attorney said on Thursday. Countries throughout the European Union have differing rules regarding data retention, privacy, consumer rights, cross-border data transactions and data ownership. This means that companies such as Microsoft may not be able to offer certain types of services due to restrictions on how data is moved or questions of law. “What needs to be done is to bring a common set of rules and in a few cases maybe a revision or a new set of rules,” said John Vassallo, vice president for E.U. affairs for Microsoft, speaking on the sidelines of Microsoft’s Government Leaders Forum in London.
Countries that are part of the E.U. are bound by the European Commission’s directives, but their interpretation of those rules is often divergent. For example, under the Data Retention Directive, providers of electronic communications services (ECSes) are required to maintain data, such as records of e-mail recipients, for a minimum of six months up to two years, for law enforcement purposes. But when it comes to other data, E.U. countries differ on what constitutes an ECS. Even if two countries agree on what an ECS is, they may differ on how long the provider needs to retain that data, posing more difficulties for companies. Data sovereignty is also a concern. For example, multiple states may have an interest in particular data, but could run into conflicting laws and regulations over which entity would have jurisdiction in case of a problem. If a cloud service provider complies with a demand from law enforcement in one country, that might violate privacy regulations of a user in another jurisdiction. That also makes it harder for cloud services companies to tell their customers under what conditions their data may be exposed.
“You must find a system that all countries at least within the E.U. at first and maybe beyond will agree to,” Vassallo said. “These things don’t exist today.” Vassallo said concepts that are being discussed include a “diplomatic immunity” for data, where communications would be treated with the same privilege as diplomats who carry paperwork in briefcases. Another idea is a “data free zone,” or areas where there are harmonized rules for data transactions, similar to free trade zones. A universal agreement for data would mean more transparency for consumers while also allowing for the growth of cloud services, which hold the promise of enabling businesses, in turn, to offer new services. “The end result is it would be increasing the certainty to 500 million [E.U.] citizens that their rights are going to be treated equally,” Vassallo said. But “the legislative system is slower than the technology development, and that is always the case,” he said.