The European Union should update its laws to better suit cloud computing, Microsoft’s top lawyer urged in Brussels. Laws covering data protection and data retention go back to the mid-1990s and need to be revised to take into account the massive and constant flow of data between users’ computers and multiple cloud servers that can be located anywhere in the world, Microsoft head legal counsel Brad Smith said in a speech.
E.U. laws "are starting to show their age," he told students, E.U. officials and industry executives.
The data retention law passed in 2006, when cloud computing was mostly limited to online e-mail accounts, calls on the 27 E.U. member states to each set their own length of time for the retention of data, between six and 24 months.
Under the directive, authorities can request access to details such as IP address and time of use of every e-mail, phone call and text message sent or received. A request to access the information can be done only with a court order.
Smith said countries have chosen widely varying retention times. A subscriber to cloud services in, Italy, for example, which has a relatively short data retention regime, may see their data stored in Ireland, with one of the longest retention times. The discrepancy makes compliance by telecom and cloud services companies complicated, Smith said.
He urged the E.U. to change the law, either by setting a standard length for retention time, such as a year for all E.U. member states, or by applying mutual recognition principles, so that each country applies the retention time of the country where the user’s data is being stored. Greater harmonization is needed in the 1995 data protection directive too, Smith said. "At the time it was passed, data moved location occasionally. In the cloud it is constantly moving," he said.
While technology and its uses have moved on since 1995, the importance of privacy hasn’t changed, Smith said.
And in a thinly veiled attack on Microsoft rival Google, he added: "Some firms based on the West Coast don’t think privacy is so important. I disagree. The right to privacy is the right to choose who sees your information, and it is as important now as it was 15 years ago."
Data transfers are global, and while Smith acknowledged that a global data protection treaty is unlikely in the near future, he suggested that trading partners including the U.S. and E.U. should try to forge an agreement similar to the bilateral free trade agreements they both sign up to in other commercial fields.
His final piece of advice for E.U. lawmakers concerned broadband access to the Internet – a prerequisite if cloud computing is to take off in the way many people predict it will in the coming years.
"Governments need to consider how to enhance broadband, both wired and wireless," Smith said.
For wireless connections, he urged the E.U. to free up more radio spectrum for services that run in the cloud.
Under the directive, authorities can request access to details such as IP address and time of use of every e-mail, phone call and text message sent or received.