Chertoff's Take On the Clash Between Cloud Computing and Privacy...
The European Union has always had far stronger data privacy laws than the United States, for better or worse. Michael Chertoff, the former Secretary of U.S. Homeland Security, writes in a Washington Post op-ed today that we are now on the brink of a major "clash" in privacy laws between the two sides.
At the heart of the debate is how to handle extra-jurisdictional cloud-based services. See, these days, when companies store their data, they don't do it primarily on their own hard drives or within their company's own private network. They increasingly use cloud computing - meaning they pay a third-party firm to store their data for them. This can be a problem from a privacy perspective because the protection of people's private information is normally regulated by national laws, but if that data is located in a cloud based outside of a given nation's territorial borders, it's often a mystery as to which nation has jurisdiction and which laws even apply.
Here's why Chertoff claims we are on the brink of a major clash over this issue. A recent E.U. press release asserts that "companies who direct their services to European consumers should be subject to EU data protection laws". This might not seem so significant except that it's a fundamental shift that essentially sets forth a policy of: we don't care where your company is based, nor where you store your data; if you want to make your service available to European consumers, you will have to follow E.U. law.
Simply put, the fundamental question about international Internet governance over the next decade is going to be whose law dictates control — and the Europeans are making a bold play to say that the answer is "Europe's."
The big fears whenever there are such conflicts between competing legal regimes are that 1) regulatory uncertainty could lead to a stifling of innovation and entrepreneurship, 2) the Internet could be balkanized with ever-more fragmented regulations, and 3) a "race to the bottom" could occur as countries compete to attract commercial cloud services by minimizing privacy protections.
Chertoff argues that the solution is for "U.S. diplomacy [to] urgently focus on dissuading Europe from unilateral action while developing a comprehensive 'Western' approach to cloud privacy."
He doesn't say anything more about what this "Western" approach might look like. Would it more closely reflect U.S. or E.U. privacy legal traditions (which are significantly different from each other)? How would you overcome the political obstacles of convincing citizens the benefits of favoring the other's tradition, or set of cultural preferences, over their own? This is no small task.
Lacking more detail, Chertoff's main point seems to be, simply, that we should avoid conflict in this arena.
It's a point well taken, but in the meantime we're left in the muddle, searching, with no resolution in sight.