Crossing Borders in the Cloud
Traveling across international borders can be as tricky for data as it is for a person, even when that information is transferred in the cloud. If you have any doubts, just ask the financial sector.
The quick and easy exchange of information first occurred across international borders in the 1990s, when businesses began utilize the Internet in its early stages. Since the European Union had such strict data protection laws, businesses in the United States began entering into Safe Harbor Agreements, which provided legal protection for personal data that belonged to EU citizens. At the time, it was the only way Web-based services could tap into the European market.
The catch with Safe Harbor Agreements is that they were only available to businesses covered by the Federal Trade Commission or the Department of Transportation. Since banks and other financial institutions aren’t under either group’s jurisdiction, they couldn’t offer Safe Harbor Agreements.
The inability for the financial industry to offer Safe Harbor Agreements changed once the EU enacted Binding Corporate Rules (BCRs), which allowed financial companies the opportunity to enter into contractual agreements that bound them to the safe processing of a EU citizen’s data.
However, the situation remained murky since these agreements were created when computing power was owned and operated by the corporation using it. Even today this leaves American businesses exposed legally, since neither Safe Harbor or BCR agreements can stand up to a fully distributed cloud.
Kristen J. Matthews, head of the privacy and data security group at the law firm Proskauer, explains that since cloud computing transfers personal data outside of the group bound by corporate rules, the BCR is insufficient. But since cloud computing is becoming increasingly popular, the law needs to catch up to the technology.
This is exactly what some lawyers and legislators are trying to do. Brad Smith, general counsel and executive vice president for Microsoft, has been lobbying the EU to standardize data retention requirements and increase flexibility for the processing of EU data. Smith has also contacted the U.S. Congress to get a “Cloud Computing Advancement Act” created to not only enhance privacy and security protection for cloud computing, but allow the cloud to blossom.
Read the full article here.