At present, under the US Patriot Act data from EU users of US-owned cloud-based services may be shared with US law enforcement agencies without the need to tell the user.
With this and other issues in mind, European Commission justice commissioner Viviane Reding has already met with German consumer protection minister Ilse Aigner to discuss a new directive on data protection.
Subsequently, plans are now being drawn up for an updated law that will compel any non-European company with customers or clients inside Europe to comply fully with European regulations.
An official statement issued today following yesterday’s conference organised by the Industry Coalition for Data Protection – American Chamber of Commerce at the European Union in Brussels reads: “The European Commission will come forward with proposals to reform the 1995 Data Protection Directive by the end of January 2012. We believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business across our internal market.”
In the announcement, Reding states: “The existing European Union rules on data protection were adopted in 1995 when the full potential of the Internet had not yet been realised. In 1993, the Internet carried only 1% of all telecommunicated information. By 2007, that figure had risen to more than 97%.”
In addition, the justice commissioner explained: “Although the basic principles and objectives of the 1995 directive remain valid, these rules are not adapted to some new and emerging technologies and applications like social networks. We need to maintain both objectives of the original directive, to ensure the free movement of personal data across the territory of the Union and to ensure a level of data protection.”
Reding added: “In a world of ever-increasing connectivity, our fundamental right to data protection is being seriously tested.”
Fundamental right to the protection of personal data
Continuing that theme, the statement reads: “We need to increase the effectiveness of the fundamental right to the protection of personal data and put individuals in control of their information. This is where business responsibility comes in. It is also in companies’ interests to respect their customers’ privacy and build up trust so people feel comfortable sharing their personal information.”
“First, businesses must ensure transparency for individuals who must be provided – in a simple and understandable language – with appropriate information about the processing of their data.”
“Internet users must be told which data is collected and for what purposes. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated. They should be put in a position to make informed decisions about when to disclose their personal information.”
“Second, business responsibility means that, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, individuals should be well informed about privacy policies and their consent needs to be specific and given explicitly.”
“Third, business responsibility means better control for individuals over their own data: that’s why the reform will include easier access to one’s own data. We want to give citizens better data portability. This means that if a user requests their information, it should be given to them in a widely used format which makes it simple to transfer elsewhere.”
“We strongly believe that users should not be bound to one provider simply because it’s inconvenient to move their information from one service to another. We also want to create a right to be forgotten, which will build on existing rules to better cope with privacy risks online. If an individual no longer wants their personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”
“Finally, business responsibility means that individuals are swiftly informed when their personal data is lost, stolen or breached. This year, we witnessed a massive security theft in online gaming services affecting millions of users around the world. This incident highlights why companies need to reinforce the security of the information they hold.”
“Frequent data security breaches risk undermining consumers’ trust in the digital economy. Our proposal will introduce a general obligation for data controllers to notify data breaches. In concrete terms, that means notifying data protection authorities and the individuals concerned when a data breach is discovered.”
You can read the statement in full here
The Patriot Act: what’s it all about?
The Patriot Act of the US Congress was first signed into law by (then) President George W Bush on 26 October 2001.
The title of the act is a ten-letter acronym (ie USA PATRIOT). This acronym is short for Uniting (and) Strengthening America (by) Providing the Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001.
It’s legislation designed as a direct response to the terrorist attacks of 9/11, putting in place dramatically reduced restrictions on law enforcement agencies’ ability to search telephone communications, e-mail communications, medical, financial and other records.
The Act also eases restrictions on foreign intelligence gathering within the United States, at the same time expanding the Secretary of the Treasury’s authority to regulate financial transactions (most notably those involving foreign individuals and entities).
Importantly, this Act also expanded the definition of terrorism to include domestic terrorism. By doing so, it added to the number of activities to which the Patriot Act’s expanded law enforcement powers might be applied.
There are upcoming US Government strictures on the privacy of business data as a result of next year’s full implementation of the Patriot Act. US-owned businesses could be obligated to allow US Government officials access to data. The expected January decision on what happens here could well set a momentous precedent.
New Euro partnership offers ‘safe haven’ from US Patriot Act
In the meantime, Severalnines – the provider of automation and management software for cloud database platforms – and City Network (the ‘data center in a browser’ company) have announced the first fully European ‘Database as a Service’ (DBaaS) solution in beta form.
The City Cloud Database Service is based in (and operated by companies within) the European Union, offering European customers full compliance with the EU Directive on Data Protection 95/46/EC and what’s described as a “safe haven” from the reaches of the US Patriot Act.
EU customers can now benefit from the savings and flexibility enabled by cloud-based database services safe in the knowledge that they will not fall under the jurisdiction of the Patriot Act.
As previously stated, under the US Patriot Act data from EU users of US-owned cloud-based services can currently be shared with US law enforcement agencies without the need to tell the user.
“Small start-ups and large corporations are turning to the cloud in a bid to deploy and manage databases with as little overhead as possible, but they need to know their data is secure and that they retain the right and ability to control who accesses it,” explained Vinay Joosery, chief executive officer at Severalnines.
“A fully-managed database service will enable our customers to further reap the benefits of the cloud,” added Johan Christenson, chairman at City Network.
“We believe that a service owned and operated locally in the EU, and fully-compliant with EU data protection laws, will be very attractive for European companies. US companies with European operations will also benefit from the lower latency of a locally hosted solution.”
The all-new Cloud Database Service explained
The MySQL-based City Cloud Database Service enables companies to outsource the configuration and management of their databases and only pay for what they use. Specific benefits include:
- Internet interface for easy provisioning
- zero maintenance or administration – back-ups, patch management and replication handling are fully automated
- performance management – users have visibility of top queries and can drill-down into performance
- high availability – failures are handled automatically to minimise downtime
- scalability – users can add more instances at the click of a mouse
- comprehensive user interface for administering databases
- data import and export functionality to help move MySQL databases within the cloud
The service relies on the Severalnines DataCloud platform, a database automation and management platform that helps companies run flexible databases anywhere, whether on their premises or in the cloud.
It’s based on City Network’s City Cloud computing platform which allows unlimited growth with a focus on stability, security and redundancy.
City Cloud Database Service is available in beta. Companies can apply for the trial by sending an e-mail to: dbaas@citycloud.eu
The service is available free of charge for the duration of the beta period which will run until early 2012. More information is available here
Further information about… Severalnines and City Network
Severalnines provides automation and management software for easily usable, highly available and auto-scalable cloud database platforms.
ClusterControl(TM), the company’s flagship product which is used by developers and administrators of all skill levels, addresses the full deploy-manage-monitor-scale cycle. Severalnines has enabled over 7,000 deployments to date via its popular online configurator for clustered MySQL(R) databases.
With everyone at Severalnines coming from an Open Source background and with a view to supporting other start-up organisations, the company is introducing a start-up program whereby organisations with fewer than ten employees and less than one million Euro in funding will be given free access to its enterprise software for 12 months.
For more information send an e-mail to: startup@severalnines.com
With more than 10,000 customers across Europe, City Network is one of the leading European hosting companies. Core services include cloud hosting and dedicated environments as well as shared hosting and domain services.
City Network also provides high end back-up services via www.onlinebackup.io
City Cloud is the cloud computing brand. You can find more information about City Network on the dedicated website