In 1995 the EU adopted the Data Protection Directive (95/46/EC), building on the OECD privacy guidelines of 1980, to protect the personal data of its citizens. Among other things, the directive forbade companies in the EU from transferring personal data to countries outside the EU that lacked an adequate level of data protection.
Its core principles were:
1. Notice - subjects to be given notice when their data is collected
2. Purpose - data to only be used for purposes stated
3. Consent - data will not be disclosed without subject’s consent
4. Security - collected data to be kept secure from any potential abuses
5. Disclosure - subjects to be informed as to who is collecting their data
6. Access - subjects to be allowed to access their data and make corrections to any inaccuracies
7. Accountability - subjects to have a method available to them to hold data collectors accountable for not following the principles
The Safe Harbour Principles followed between 1998 and 2000. They did not amend the directive; instead they let US companies self-certify compliance with a comparable set of principles, including a duty to protect personal data against loss and unauthorised disclosure, so that transfers to those companies were treated as adequate under the directive.
In practice this meant that your personal data could be stored anywhere in the world provided the rules were followed, but not in countries lacking strong privacy and data security laws, where its security could be compromised.
So Where Did It All Go Wrong?
In June 2011 Gordon Frazer, Managing Director of Microsoft UK, was quoted as saying "Cloud data, regardless of where it is in the world, is not protected against the Patriot Act." The Patriot Act is a US law, passed in 2001, that allows the US government to demand access to data held by US companies, wherever it is stored, when that data is suspected of being related to terrorism; it has been marred by controversy over its sometimes frivolous invocation.
The decisive challenge came from the privacy campaigner Max Schrems, who complained that his Facebook data, once transferred to the USA, was not adequately protected. In June 2014 the Irish High Court referred his case to the Court of Justice of the European Union (CJEU), and in October 2015 the CJEU invalidated Safe Harbour, in the wake of the earlier revelations that the NSA had been gathering the private data of millions of EU citizens, contrary to the Safe Harbour principles that were meant to ensure data privacy and security.
On 2 February 2016 the EU and USA agreed in principle on a replacement dubbed "Privacy Shield", and have since been working on its content. It is essentially Safe Harbour with an added stipulation that the NSA may gather the data of EU citizens, subject to vague limitations. It also includes a right for an EU citizen to challenge the collection of their data if they think it has been misused, which US President Barack Obama says will "give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes".
Given the current trend towards cloud hosting, and the data security needs of many businesses, one may wonder whether Privacy Shield goes far enough in protecting the rights of EU citizens. It is entirely possible that businesses and individuals will leave the cloud and return to their own data centres, secure in the knowledge that their data is held on their own servers inside biometrically secured, CCTV-monitored facilities.