At a FeWeb+ seminar about legal and privacy issues my cloud related questions didn’t get a clear answer, so I decided to do some research on the latest developments in this area. It seems the cloud environment is still something of a “gray zone” and it’s often unclear which laws apply.
The situation now
Being an EU citizen myself I already knew that the privacy laws are far more strict here than they are in different parts of the world, including the US.
If a EU visitor submits his personal data to a US server and his data is stored there we have a conflict between the stricter EU and the US privacy rules. To overcome this problem a directive has been created, called the International Safe Harbor Principles (1).
In short, these principles force the US or other non-EU companies to comply with a minimal set of privacy requirements. Google, for one, is following these Safe Harbor principles. (2)
In fact European companies are not allowed to send personal data to non-EU companies that don’t comply with these rules. Although I’m pretty sure lots of smaller websites online today are just ignoring this either because they really don’t know (or maybe don’t care) about them. You don’t happen to have a US based host, do you?
The role of the US Patriot Act is less clear to me. This could potentially give the US government access to data.
The situation tomorrow
Cloud computing has only been around for a few years and laws are trying to catch up with this growing phenomenon. As I’m writing this article the EU commission is in the progress of updating it’s privacy rules (i.e. making them stricter?).
In May 2011 they will consult stakeholders on regulation for cloud computing, and in 2012 the commission will probably propose it’s EU strategy for cloud computing. (3)
Since the internet is a global network maybe it would be wiser to find a solution on a global scale, e.g. under the World Trade Organisation (WTO)
Too many EU restrictions would definitely hurt the growth of cloud services in Europe, and right now the legal “gray zone” is keeping a lot of companies from jumping onto the cloud.
Having a (small) EU business that’s investing heavily in cloud services myself I would not like to see the EU take measures that force us to host on EU servers only. I consider the fact that the cloud servers are spread all over the world to be an advantage.