What good does a Euro Cloud do for privacy if GCHQ is involved with many of these surveillance activities?
If you were to build Euro Cloud, is a European citizen going to be any better protected than they are at the moment? The civil liberties [argument], while genuine, is not the real driver to build Euro Cloud. The real driver is economic activity; Europe can have its own cloud, to compete with the American one, and that brings in jobs an euros and pounds, and therefore tax.
Euro Cloud will not protect the citizen in a significant sense against surveillance, because every country surveills – including every country in Europe – so there’s always going to be a problem. Part of the NSA and Snowden story is that some governments have been a lot more supportive to America than people might have expected. That’s no comment about lawfulness. If we have a cloud in England, will England open it up to America? Yes. Don’t forget, there’s also very good reasons to do that. It’s the job of surveillance and intelligence agencies to protect national security.
Is the ‘Snowden effect’ a long-lasting one? Will it do any permanent damage to US cloud providers?
There are lots of big numbers being quoted. I read that $40 billion has been lost to the US tech industry – I don’t believe that. But yes, there will be lasting damage. The privacy agenda has really expanded beyond the awareness of journalists, privacy lawyers, and geeks, into the minds of the mass consciousness, which is absolutely a good thing. Once privacy embeds into the mass consciousness, and schoolteachers become interested in it, they’ll start to teach awareness and online, safety. You could probably say that the awareness that Snowden has generated will literally, not figuratively, literally help to save children from child abuse.
I think that Snowden might be bad for national security; I don’t make any comment on that, so there are probably lots of negatives, amongst all the positives. The internet has brought so many advantages, and if we get scared of it, it’s going to be shockingly bad. Whilst privacy advocates are advocating a need for privacy, and highlighting failure, they ought to remain conscious about creating fear and panic, which would be irresponsible.
Are the privacy advocates justified in their outrage?
It is so big and so vast as a topic that it is absolutely reasonable for privacy advocates and civil libertarians to feel outrage. If the outrage moves to moral panic, panic creates fear and fear creates all these negative effects discussed above.
Have you personally had business leaders approach you with specific concerns about the NSA or government status? Has that had an effect on purchasing contacts?
Yes. In my practice, that question is starting to become quite common. I’ve had American tech companies asking whether they need to relocate into Europe. I won’t tell you what my advice has been, but it’s a real question, undoubtedly on the business agenda.
It’s entirely reasonable for businesses to be asking questions about the legality of their data strategies, because law reform and privacy is going to be about people being fined a lot, and sued a lot, like health and safety and employment law.
Are heavy fines and fear tactics a positive strategy?
We do need heavy fines, and I do think we need fear, but it shouldn’t be exclusively that. When you create a regime which is purely about deterrent, rather than incentive, you create a risk of perverse incentives. Disclosure of a security breach to a regulator without legal duty just creates a funnel to enforcement action, so a sausage machine. You stick the organisation in one end of the sausage machine, crank the handle of breach disclosure, and out the other end comes a fine. If that’s what it’s going to be about, lots of businesses will say ‘sod that for a game of soldiers – there’s no way I’m breach disclosing’.
So yes, fines should be there in the regime, but there needs to be a positive incentive. In general terms, this should be an amnesty from the toughest penalties that law can apply, provided that [the breached] co-operate in good faith with the entity to whom they disclose, and deal with reasonable requests for remediation. You then get the positive incentive that you will not be fined if you deal with the security and privacy risk properly.
The information commissioner once called himself a “toothless tiger”, what’s your opinion on the power of the ICO? Should they be given sharper teeth?
They should have a bigger fining power. If an organisation behaves terribly, and doesn’t do the right thing, then it should face the risk of financial consequence. I think that the information commissioner’s office is maturing through its activity. A point will come when they will be landing mega-fines, and will not worry about the lawfulness of that activity, because they’ll be so good at their job that they’ll be able to hit very, very hard, without worry of it being overturned on appeal. Now, when that happens, that’s a perfect storm for businesses.
There have been major roadblocks to the EU’s proposed data protection legislation, but what’s the status and how can organisations prepare?
The European Parliament dissolves in May, so in theory, legislation will die with the Parliament – that’s the theoretical point, but there are powers to continue legislation. There’s a chance that they may all (Data Protection legislation, Payment Services Directive and Cybersecurity Directive) kick into force by May; there’s a chance that one might, and the other two may go over. What I’m envisioning is a united legal picture, in a few years’ time.
By 2020, organisations are going to be getting mega, mega fines around data protection and security in the economy. Organisations are really in a last-chance saloon on this. The advice to businesses is to get rid of your silo mentality. Stop being in the bunker, raise heads, and deal with this holistically. Don’t get lost in the weeds on this; don’t agonise around debates about opt-ins and opt-outs, and international transfers – it’s a distraction. Analyse the legal framework for what it is. Build a governance structure that connects the board to the individual on the ground. Perform a risk assessment and identify the solutions. Create your system, determine your rules and carry out monitoring, training and awareness, and audits. Finally, make sure that you’ve got a robust transparency mechanism in place to deal with breach response.
Stewart Room, speaker at Infosecurity Europe, delivered the keynote at the Infosecurity Europe Press Conference in London in January 2014. The Infosecurity Europe education agenda can be viewed here.