Internet privacy breaches sound alarm bells for worried businesses
Differences between EU proposals on data protection and those in the US raise a number of questions
Attendees wear Google Glass while posing for a group photo during the Google I/O developer conference in San Francisco last May. Photograph: Justin Sullivan/Getty Images
For businesses, the twin issues of data privacy and protection have never had a higher profile. International data surveillance concerns for individuals and businesses have been in the headlines for weeks, following the revelations by former US government IT contractor Edward Snowden of large-scale US and UK data-spying programs such as Prism.
Meanwhile, the regulatory oversight by the Irish Data Protection Commissioner of online giant Facebook has drawn global attention, as has the fast-tracking here by the Government of a proposed EU-wide data protection regulation during Ireland’s recent EU presidency.
High on the agenda is concern about where data is held and who can legally access it, especially with so many companies moving to the cloud and servers located globally. Businesses, however, are also concerned about possible costs and disruptions associated with data-protection regulations, especially as such laws are very different in the US and Europe.
Some fear those differences, and US laws allowing surreptitious access to data, will force businesses to operate in different frameworks on either side of the Atlantic or abandon one market or the other.
For example, earlier this year at the RSA Data Security conference in San Francisco, Trevor Hughes, head of the US-based International Association of Privacy Professionals, said in a presentation that he thought the “right to be forgotten” in the proposed EU data-protection regulation – which would require businesses to delete a person’s data on request – would be daunting for companies.
In some cases, governments themselves are responding to privacy worries. Last week, Brazil changed its proposed data-protection law to require that citizen data be hosted within Brazil, prompting complaints from Facebook and Google.
All of these wide-ranging privacy issues have been clocked by Irish businesses, says information security consultant Brian Honan, who has advised businesses and government departments in Ireland, Britain and Europe.
He feels any company that has taken its data-protection security seriously will not have been totally surprised by Snowden’s revelations of US and UK surveillance, “but I do think . . . that the extent to which it’s happening has taken companies by surprise”.
Company concerns aren’t just about governments accessing data on servers, he says. Data-retention legislation in Britain and elsewhere, including Ireland, requires the storage of phone call and internet usage data for residents for up to two years.
“People sometimes used to say, don’t do business with the States because their data protection isn’t as strong as Europe’s. But as people delved into that and discovered programmes like Echelon [a US-UK digital spying programme from the 1990s] and data-retention laws, it seems Europe is not all that great either.