Michael Chertoff was secretary of homeland security from 2005 to 2009. He is co-founder and managing principal of the Chertoff Group, a global security and risk-management firm that advises clients on cyber security, including cloud computing.
A grave threat is said to be stalking Europe. No, it isn’t the financial crisis and the potential demise of the euro. It’s the “rapacious” U.S. approach to privacy — which portends, for those engaged in the development of cloud architecture, a coming “clash” of privacy laws.
According to Viviane Reding, the European Union’s justice commissioner, cloud-based companies that collect personal data are violating fundamental human rights. “We . . . believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market,” Reding wrote in November. “This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud.’ ”
Reding means what she says. Her plans are to back up E.U. data privacy requirements with rules that impose serious fines on businesses for violations. She noted in a December speech, “In a world of ever-increasing connectivity, our fundamental right to data protection is in this moment seriously tested. Although the basic principles and objectives of the 1995 [European data privacy law] remain valid, the rules need to be adapted to new technological challenges.”
Simply put, the fundamental question about international Internet governance over the next decade is going to be whose law dictates control — and the Europeans are making a bold play to say that the answer is “Europe’s.”
This raises a challenge for the private sector and for governments: When the user is a private-sector company, the transition to cloud storage and processing services will create difficult questions over jurisdiction. Imagine you are a company, seeking to do business in Europe. What if a country outside of Europe — say, the one(s) where your servers are maintained — contends that its law also governs, and that law is inconsistent with Europe’s? And what about the law of the home country (say, the United States), where the data-storage provider is headquartered? The conflict of applicable laws will create great uncertainty; uncertainty breeds hesitancy and the loss of entrepreneurial vibrancy. In other words, conflicting legal and technical requirements have the potential to crush innovation.
When the customer is a government, these legal issues are confounded by political concerns. If government data is stored overseas, it may be subject to legal control by another nation. The question is made more acute by Congress’s move in December to require some federal agencies, such as the Defense Department, to use commercial cloud services instead of in-house, or private, clouds. Now we will need to ask when European privacy laws may apply to Defense Department data held in the commercial cloud — hardly a question that U.S. policymakers are eager to answer.
Rather than confront such scenarios across multiple issues, another option should be developed. The globalized nature of the Internet and the distributed nature of cloud architecture suggest the need for a universal set of rules to protect privacy; rules that apply to cloud services everywhere on the network. But there is little reason to be sanguine about the prospects for a satisfactory global privacy regime.
A set of global rules will be difficult to achieve. International structures are notoriously cumbersome and slow-moving; this is a particular challenge in the context of quickly developing cloud technology. And international organizations’ governance structures are often universally inclusive, which means that countries with little interest in Internet freedom or accessibility may have a disproportionate influence on the rules adopted.
The alternative, however, is equally problematic. If development of privacy rules and regulations is left to individual countries, one of three scenarios is likely to result: Heralded by E.U. actions, more fragmented regulation may emerge as non-European countries try to impose their own privacy views on an unruly network. As a condition of access to a market, they will hold hostage providers who use cloud services — in effect, trying to balkanize the Internet. Another possibility is a rush to the bottom as countries compete to attract commercial cloud services by minimizing privacy protections.
The most likely result, however, is a privacy clash as the United States and the European Union compete to impose their will. This is the worst possible outcome, pitting natural allies against each other. U.S. diplomacy should urgently focus on dissuading Europe from unilateral action while developing a comprehensive “Western” approach to cloud privacy. That type of agreement on privacy principles would drive favorable policy development and set the stage for safe and effective expansion of cloud services.