Recently I blogged about the new EU Data Protection reforms and the challenges that organizations will face when they have to comply with the regulation. There has been a lot of opposition from all camps about how strict these regulations are, whether or not they are going to be enforced and, more importantly, how they are going to be enforced.
The EU Committee has said that search engines, social networks and certain cloud computing services should specifically be brought within the scope of the forthcoming European data protection reforms. In an official opinion, the European Economic and Social Committee said that “specific mention should be made of the fact that social networks fall within the scope of the regulation, not only when they are involved in profiling for commercial purposes.” The opinion further states that search engines should expressly come within the scope of the regulation and that “the same should go for the sites of servers providing storage space and, in some cases cloud computing software, that can collect data on users for commercial ends.”
This all sounds very sensible, but how is the EU going to regulate and enforce the rules across search engines and clouds? Imagine if you had personal data on EU citizens which was held in a cloud in India and used by a search engine in the US. Who is going to point the finger and say ‘you can’t do that!’? No one, I suspect. It is going to be a complicated business, and whilst I do agree that the rules should apply to everyone, including government, organizations, search engines, social media sites and cloud, being able to manage and monitor who owns the data and what regulation applies to it will be a big challenge. Maybe there will be a new ‘QSA’ function that comes out of all this?