
Friday, 15 November 2013

Personal Data Privacy & Europe’s Cloud Regulation: RESIGNATION??? (a personal conclusion extracted from the VII National ISACA Congress)

This is the third and probably last one of this consecutive series of posts I’ve dedicated to Personal Privacy.
 
 As I already said in previous posts, these days I am fortunately caught in a “work jam” (I say “fortunately” because I live in a country, Spain, where the current unemployment rate is about 25%, difficult for anyone to understand, but fortunately it seems to be changing). This work jam is the reason this post has been delayed so far, even though right after the meeting I am going to talk about I felt compelled to write immediately; but, as you know, I have other obligations to meet.
 
The fact is that yesterday I was invited by an excellent professional and businessman, Javier Peris (a good friend of mine), to the VII National Congress of IT Governance, Auditing and Security (Congreso Nacional de Auditoría, Seguridad y Gobierno de TI) organized by ISACA in my home town, Valencia (the third biggest city in Spain). In spite of the work jam I decided to attend, partly out of friendship and partly because of the well-structured programme, the interest of the subjects to be covered, and the quality of the speakers, the other professionals involved and the stakeholders. As in previous Congresses, this year all of the speakers were great too, and that is precisely why the worries I felt during and after the meeting are stronger. (By the way, the Congress ends today but I have not been able to attend, so maybe some of my worries could be resolved today.)
 
Getting to the point, one of the most appealing events (in my opinion, and in spite of other interesting subjects covered by other speakers such as Carmen Serrano, Florencio Cano, Javier Zubieta or Javier Cao) was a round table about “Cyber War”.
 
During the whole discussion I was amazed to discover that no one faced up to the unfortunate recent facts disclosed by Snowden. I thought that perhaps people were afraid the discussion would turn to political issues instead of the technical aspects and business consequences. ISACA’s Congress (like this blog) is a technical meeting, but when treating that subject it is very easy for the discussion to drift toward the important political issues related to it. Since I share that fear about where the discussion could go, I decided to wait (and people who know me will guess how difficult that was for me) to see when someone would introduce the argument that Europe has been (and probably still is) cyber-attacked by the United States of America.
 
Let me say it once again: I am not going to discuss whether we can be allied in NATO with a country that spies on our European Prime Ministers as well as our business leaders (and takes advantage of it, as they themselves recognized in the cases of the espionage on Brazil or Japan), nor am I going to discuss whether US behaviour is evolving toward a “police state” and/or Aldous Huxley’s “Big Brother” society. HOWEVER, I really wonder (because that was one of the other subjects treated at the ISACA Congress) whether Europe can keep signing the Safe Harbour agreement with the US about complying with the EU Directive 95/46/EC on the protection of personal data. I also wonder how we can “sell” security prevention, assessment, auditing and consulting work about “data privacy” knowing that not only hackers but also governmental agencies under NO legal control can break it, and the latter can infringe it with complete impunity.
 
Recently, in my last post, titled “Personal Data Privacy & Europe’s Cloud Regulation: the privacy approach (Spain and other European countries are the leaders)”, as its title announces, I showed how Spain and other European countries are in the first positions of the privacy protection ranking. Here in Spain we have the LOPD law, which fully agrees with and matches the EU Directive 95/46/EC on the protection of personal data; besides, the Spanish Public Administration must follow the “National Security Layout” (ENS or “Esquema Nacional de Seguridad”), and recently a law for securing “critical industries” has been released. All of them are good (although many people think they could be better) because of their focus on improving the IT security of subjects that “affect” the citizens (in one way or another).
 
Consequently, in summary (and without going deep into this subject), they are also good for today’s business in at least two ways: citizens will trust them, and they foster business about how to implement the appropriate security measures, how to meet regulatory compliance, and how to audit all of it (some of the ISACA Congress speakers treated these points). So I wonder why no one introduced earlier the problems and consequences of US behaviour.
 
Therefore, at the end, I decided to deliver the question to the round table. And the conclusion of the answers, and of the silences, was VERY WORRYING:
 
“RESIGNATION” !!!
 
And now I understand better why (although very slowly) the European Commission wants to regulate some related subjects more strictly, even though those measures (as I stated in the post titled “Personal Data Privacy & Europe’s Cloud Regulation: the dilemma”) may have a negative impact on both business and innovation.

Wednesday, 6 November 2013

Personal Data Privacy & (Europe’s) Cloud Regulation: the privacy approach (Spain and other European countries are the leaders)

The more the data disclosed by Snowden are analyzed, the bigger the worries about Personal Data Privacy become, as the news from my last post shows; so let me come back to the subject, but from another point of view.
 
In my last post, speaking about the dilemma between Personal Data Privacy and Europe’s Cloud Regulation, I simplified the problem and took a shortcut: I mixed together every kind of personal data, from basic data (name, age, sex, …, phone numbers, addresses: postal, e-mail, social networks, etc.) to phone and internet conversations and communications, through hobbies, preferences, likes and so on.
 
Of course a lot of legal and ethical business can be done with those data (if you decide to make them public): from direct one-to-one marketing that offers only what you may really be interested in (e.g. adventure travel if you love it) and doesn’t bother you with anything else (e.g. not offering you meat dishes if you are vegetarian), to corporate image monitoring or legal technology watching, through social-network-based forecasting of results, and so on. But it must also be ensured that these data are not used to discriminate against you on the basis of your religion or your political or sexual preferences, to mention only one clear example. So I think all of us will agree that some protection is needed, especially when we are speaking about human and civil rights. Conversely, quoting another blog, maybe you can agree with Britain’s Foreign Secretary, William Hague, who last June said: “If you are a law-abiding citizen of this country going about your business and your personal life you have nothing to fear about the British state or the intelligence services listening to your phone calls or anything like that”, but my perception is that a lot of citizens (like me) will think that those unfortunate words are laying the foundations for a dangerous police-state mentality.
 
The BSA (Business Software Alliance), an organization I have a lot of disagreements with (because of the methods they use to pursue their goals), published at the beginning of the year a report (see my post titled “Cloud Computing Countries Ranking, or the Cloud Confusion even among market analyses: BSA vs Gartner vs IDC” of 25th March 2013) about the 24 countries best prepared for the Cloud. The countries were scored taking into account their laws and regulations for cloud provision, looking at seven areas: 1.- data privacy, 2.- cyber security, 3.- cyber crime control, 4.- preservation of intellectual property, 5.- technology interoperability and legal harmonization, 6.- free trade, and 7.- IT infrastructure; in other words, whether they have a comprehensive suite of modern laws that support and facilitate the digital economy and cloud computing. Its result was that the top ten countries are Japan, Australia, Germany, United States, France, Italy, UK, Korea, Spain, and Singapore. (Please note the strong presence of the big European countries: Germany in 3rd place, France in 5th, Italy in 6th, the United Kingdom in 7th and Spain in 9th, contradicting in some way the aforementioned Gartner report.) Moreover, curiously, BSA lists “data privacy” as its first criterion, so I wonder what its weight was in the final score, because it isn’t the strong point of the United States, is it? So I think we need to explore this “data privacy” criterion more deeply …
 
Focusing only on the latter subject, I mean the data privacy criterion, the top 5 countries ranked best for privacy are Spain, the Czech Republic, Iceland, Norway, and Slovenia, according to BackgroundChecks.org, which uses 6 criteria (the first 4 are positive and the last 2 are negative) to rank them:
  1. Government has privacy laws
  2. There are fines for violating privacy laws
  3. Government actively protects free speech
  4. Government does not restrict access to the Internet
  5. Government uses spyware
  6. Government filters or censors the Internet
The Privacy Scoreboard
 
This picture is extracted from an infographic that you can find here: http://techcitynews.com/2013/10/15/these-5-countries-were-ranked-best-for-privacy-infographic/.
 
This infographic also has an area dedicated to the countries that spy on their own citizens, such as the US, China, Malaysia, Syria, Nigeria, Iran and Bahrain, explaining the reasons why they have the dubious honour of being placed in this corner of shame. (Note: you can find it at the reference/link above.)

Wednesday, 30 October 2013

Personal Data Privacy & (Europe’s) Cloud Regulation: the dilemma

Currently Personal Data Privacy is on everyone’s lips after this summer’s revelation by Edward Snowden about a US Government data collection program called PRISM, and it becomes even more topical right now that the analysis of the released top-secret documents has shown that the extent of spying by the National Security Agency (NSA) on electronic communications has reached some European Prime Ministers; or, to mention another example, the newspaper “Le Monde” has revealed that the NSA gathered more than 70 million French phone calls in a single month, “targeting not only people suspected of being involved in terrorism but also high-profile individuals from the world of business or politics”.
 
So, I’d like to come back in this blog to Data Privacy and its relationship with the intrinsically free data movements of the Cloud, and the possible impact of a (not wished for, but perhaps needed) Cloud Regulation: for example, the European Parliament busied itself attaching amendments to its data privacy regulation before Snowden’s revelations and is now weighing how to address cloud computing, which will in practice amount to a Cloud Regulation. In short, it’s basically a dilemma between:
  • On one hand, it is about progress, technical advances and the global business that Cloud technologies can foster. In a post written about a year ago (“Europe behind the US on Cloud”), analyzing Gartner’s report about why Cloud penetration is more delayed in Europe than in the US, it was stated that, according to Gartner, a possible cause was these Personal Data Privacy Regulations, seen as a protectionist barrier that precludes Cloud business growth (basically because Europe’s diverse and ever-changing data privacy regulations inhibit the movement of personal data to the cloud, and EU policy-making processes and practices can hinder business). And it’s clear to me that, in exchange, non-EU companies (mainly American ones) are also suffering from this policy because they become less competitive by having to adapt their products and/or services to EU privacy laws. Therefore, in the end, business and technical advances are slowing down …
  • On the other hand, it is about human and civil rights. As a European citizen, I have no doubt that some data privacy protection is needed, without which Aldous Huxley’s “Big Brother” world will happen and the police-state mentality will prevail. Someone could perhaps even persuade me that it might be fair for Governments to have access to our private communications via the internet, in some circumstances, under the right and well-known conditions and under the control of a trustworthy independent judiciary. It’s difficult to debate. And, in the end, it leads to the important and even more difficult debate about how democracy can protect itself (from terrorism and other radical ideas) without ceasing to be a “democracy” (otherwise terrorism will have won the war, even if it loses the battles). But this is a technical post, so let me keep close to technical/economic subjects.
 
Of course some people (on both sides of the Atlantic, but more on the west side) will think that these European laws are less about data security and more about limiting the power of American corporations and making it easier for European companies to grow. However, many EU officers and Parliament members have stated that “it’s not about protectionism but about ensuring customers will receive the proper level of guarantees in terms of data protection and access across Europe”, because, as Neelie Kroes (the European Commission vice president in charge of telecommunications and information policy) said, “we need to realize that European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data”. And I share these ideas.
 
Furthermore, about this economic impact, it should also be noted that, conversely, the NSA is accused of conducting industrial espionage in countries all around the world, even allied countries, and the stated reason for doing so is: “we collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy. It also could provide insight into other countries’ economic policy or behavior which could affect global markets” (I’ll come back to this subject in a further post).
 
Besides, another point to be taken into account is that personal data are being monetized in different ways by a lot of companies. Two very different factions of people exist, one that values privacy and one that couldn’t care less (and, of course, a lot of variants in the middle): for some people, privacy is not valued (they do not mind that their personal data are monetized and shared across platforms), but for others, privacy is sacred (they will even restrict their online presence and social networking). The problem, shown with clarity by Snowden’s disclosures, is that neither faction actually knows much about what the US government (and other companies) can and cannot access, nor what the real and full use of those data is going to be.
 
On the other side, there’s a risk of going too far and effectively putting a significant barrier in front of business, and in the current economic situation that could have a broader and negative impact on European and non-European companies and businesses. So, finding the balance is key, and it’s not easy to solve this dilemma between Personal Data Privacy and Business Regulation; it is even harder when the business is built around a technology like the Cloud, where the free movement of data is intrinsic and one of its advantages, so data can travel (or be copied for availability reasons) from one country to another, changing the jurisdiction over them and the laws to be applied.
 
And another conclusion is that data security must also be improved (the use of strong encryption that can protect user data from all but the most intense decryption efforts).
 
Finally, another worrying reflection to make is that the NSA has shown that it is also subject to the same risks of Data Loss (whatever the route) as any other business company, and Snowden is certainly not the only one who had access to those private data of other people …