Webster's pieces from The Oldie
Webster's Webwatch

EU to the rescue

November 2014

Whatever you may think of the EU Parliament, every so often it does hit the nail on the head.  A case in point is their proposed changes, next year, to the data protection regulations for companies that provide us with online services.  Action is needed; at present, it is a disaster waiting to happen.

We are all affected.  Most of the companies we do business with online, whatever they do, will be storing what they know about us in data centres owned by someone else (this is known as “the Cloud”); many people also use the Cloud for backing up data (I certainly do).  In theory it is all an excellent idea; the clever stuff happens automatically, our data is safe from natural disasters and is looked after by specialists whilst we get on with running our businesses or living our lives.

So much for the theory.  The problem is that there is a huge element of trust involved: you are placing all your personal information, and in the case of a business, information about your customers, in someone else’s hands; you believe them when they say it’s safe, and that no one can read it or hack into it from outside; but you don’t know where they’ve put it or understand how they protect it.  What’s more, it is an almost entirely unregulated and lucrative industry, and that combination can easily attract chancers and ne’er-do-wells.

It’s only a matter of time before there is a major scandal in one of these data centres, probably through incompetence, but possibly worse.  Moreover, if a data centre’s security is breached, the buck usually stops with the client, not with the centre itself.  Imagine that you are a small business that uses such a service to store the details of all your customers, and some scallywag hacks into it and steals the names and addresses.  Your customers are right to be angry with you, because you did not protect their information as well as the law requires; this is despite the fact that the breach in security happened in someone else’s computer at an unknown address and over which you have no control.  Under current law, the data centre that allowed the breach might well remain unscathed.

The EU has spotted this injustice, and is proposing to act.  Not only do they want to impose much more stringent data security requirements on data centres, but they also want to make them share the consequences of any infraction.  It won’t matter where they are, either: if you use the likes of Amazon or Microsoft (both big data centre providers), even though they are not EU companies, they would still be caught by the rules.

The laws will have teeth, too, with fines of up to 5% of annual worldwide revenue.  Think what that would mean to Google, whose turnover is over $50 billion.

The level of these fines might also finally make the Boards of companies take data protection seriously, and a good thing too; at present, it tends to be treated as rather a nuisance and given little priority.

This is a big change to current law, and it highlights the difficulties of providing a legal framework for the internet in general, given how it completely ignores international boundaries.

I don’t think that there is any doubt that increased vigilance and regulation are needed; data is valuable, and we all have a duty to keep safe matters that we are told in confidence.  However, following the great Patrick Hutber’s rule that “Improvement means deterioration”, I’m afraid that all these “improvements” will only mean one thing: increased costs, one way or another, and it’s us who will end up paying for them.  Plus ça change, as they say in the EU.