Changes in data protection are happening so fast that it’s difficult to predict what the landscape will look like in a few months. In the midst of the US’s Cybersecurity Information Sharing Act (CISA), the legislative earthquake that was the Safe Harbour ruling and the EU’s moves against net neutrality, the UK has introduced the Investigatory Powers Bill – also known as the ‘snooper’s charter’ – into parliament.
The fun isn’t likely to stop soon. Waiting in the wings is the (potentially highly controversial) judgment involving Microsoft and the US Department of Justice, the replacement for Safe Harbour, and the EU’s new data protection directive.
So what does each of these rulings and legislative initiatives actually mean for businesses and consumers?
Starting with the striking down of Safe Harbour, an agreement that provided a legal framework for the safe transfer of data from EU countries to the US, the impact is likely to be most felt if and when a replacement agreement is created.
Larger tech companies such as Google and Facebook won’t break stride because they already have a lot of data storage infrastructure in Europe. Smaller data-heavy companies are going to bear the brunt of the change as they will have to absorb significantly increased costs.
The bigger issue is that the end of Safe Harbour marks a clear divergence in how the EU views data protection versus the US. Many countries within the EU believe that individuals do not have enough protection, and that government oversight and interference have grown too big. This position was showcased by the passage of the CISA in the US last month.
CISA makes it easier for private companies to share data with the US government. In practice, it puts pressure on tech companies to offer more private information to security agencies and means that an individual could have his or her data spread across seven different US government departments.
Consequently, a return to Safe Harbour is unlikely to be on the cards unless the data from EU citizens is afforded more protection.
It’s important to point out at this juncture that the EU’s response to data protection is far from homogenised. The major outlier is the UK.
The Investigatory Powers Bill, which in its current form seeks to restrict how much companies can encrypt data and increase the UK government’s power in relation to accessing personal data, is more aligned with the US approach to data protection. Both the US and UK are prioritising security over the right to a personal life online.
Slightly removed from data protection, but no less relevant, the EU recently opened the door to ending net neutrality. With this move comes the danger of a two-speed internet that handicaps start-ups.
This is just a brief overview of all the change that has happened in the last month or so. It paints a picture of a rapidly evolving environment, impacting how data is used and protected right across the globe. We’re moving away from an ostensibly harmonised attitude to the free flow and use of data, to a more fragmented, protectionist position.
Undoubtedly, we need better data protection. The EU, via the European Court of Justice, has an attractive approach, but it could also do better. Its new data protection directive is far from perfect. Ambiguous phrases such as ‘legitimate interest’ in relation to the use of data undermine many of the protections the directive purports to uphold.
For businesses, such an uncertain environment is cause for concern. It is likely to become harder for small-to-medium sized tech companies to operate efficiently in both the US and Europe.
Investment in data storage infrastructure and legal advice will have to increase, but the biggest danger is further change. The US government’s move to force Microsoft to provide access to data held outside the country could have far-reaching consequences and mark a further rupture with Europe.
If this happens, it could send a chilling effect across the whole tech industry that makes it incredibly hard for start-ups to scale globally. Put it this way: if Facebook were created in 2015, it would be unlikely to reach worldwide dominance quite so quickly or easily.
What needs to happen is a reassessment of online data as a whole. Firstly, individuals need to take more responsibility for the information they share online. Secondly, businesses need to better protect the information they hold and work within an ethical framework that restricts the opportunity for data to be misused.
Finally, governments should better apply the principle of an individual’s right to a private life to the online world. The balance has shifted too far in favour of government oversight in the name of security.
Sourced from Mike Weston, CEO, Profusion