Yesterday, EU Justice Commissioner Viviane Reding, Vice-President of the European Commission, and the German Federal Minister for Consumer Protection, Ilse Aigner, released a statement calling for a robust data protection framework. In the statement, the Commissioners stated explicitly that “companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud.’”
As the EC continues working to revise the 1995 Data Protection Directive with a deadline to produce a proposal by the end of Jan. 2012, this is a very strong statement highlighting the potential challenges for U.S. businesses, and the cloud computing industry, working effectively in Europe under these new regulations. However, the statement does still leave some flexibility for demonstrating compliance through codes of conduct, binding corporate rules, contracts or safe harbor arrangements.
Meanwhile, in the U.S. there seems to be increasing recognition that the clock has all but run out on privacy legislation for 2011, and we continue to wait for the release of the DOC report on data privacy reflecting the Administration’s position on the issue broadly. It obviously gets tiring to keep typing that it’s expected to be released “any day now,” but it’s reportedly finalized and expected to be released… any day now.
On the Hill, indications after the House Energy and Commerce Cmte. Republican member meeting last week are that Chairman Upton (R-MI) and Sbcmte. Chair Bono Mack (R-CA) are still moving forward with intentions of advancing the SAFE Data Act before the end of the year. But again, indications are that time and opportunities have all but run out for passage of data security legislation in 2011.
Also last week, the National Institute of Standards and Technology (NIST) released its much-anticipated U.S. Government Cloud Computing Technology Roadmap, a series of three volumes that together provide guidance for agencies on cloud computing, intended to shorten the adoption cycle, enable near-term cost savings and increase the ability to quickly create and deploy safe and secure cloud solutions. The Roadmap is part of a very aggressive strategy by the Administration to implement its “cloud-first” policy, and to develop standards and definitions in key areas such as security, interoperability, portability and eventually procurement. The Roadmap is open for public comment until Dec. 2. SIIA has been highly engaged with NIST’s efforts around cloud computing, and we are reviewing the Roadmap and planning to comment.
David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.