Israeli cyber-security companies that can promise to effectively protect user information from prying eyes may want to send rogue NSA operative Edward Snowden a thank-you letter. It’s because of Snowden, in large part, that the European Union is significantly tightening its rules on what data companies are allowed to access and how they are allowed to process that data — providing new opportunities for Israeli firms.
“For Israeli companies, the new rules may appear to be onerous, but there could be a great business opportunity for many of them in Europe as a result,” according to Patrick Van Eecke, one of the leading legal experts in Europe on cyber-security policy issues. “There are many companies around the world that specialize in collecting data, but they are not clear on the implications of Europe’s new policies — and as a result, there is opportunity for companies from Israel, many of which do understand the policies.”
Van Eecke is a partner in the Technology, Media & Commercial department of the Brussels office of DLA Piper, the world’s largest international law firm, and is considered by several professional organizations to be one of the world’s top 20 information technology lawyers. “You’d be hard pressed to find someone more knowledgeable than Van Eecke about European IT legal issues, and you won’t find anyone who is more humble regarding that knowledge,” said Jeremy Lustman, head of DLA Piper’s Israel office since 2008, introducing Van Eecke at a special seminar in Tel Aviv dedicated to cyber-legal issues.
At issue is a revamping of the privacy laws that have driven legislation in European Union countries since 1995. In 2012, the European Commission unveiled a draft European General Data Protection Regulation that will, when it is implemented (probably next year, according to Van Eecke) further tighten already strict restrictions on the collection and use of personal data in the ways companies like Google and Facebook have done for the past decade or so. “Since the revelations by Snowden on how the National Security Administration in the US spied on European leaders, there is much more political pressure on European leaders to prevent such incidents from repeating themselves,” said Van Eecke.
Already, laws in most EU countries prevent the collection of data that can be associated with an individual — living or dead — either directly or indirectly. Companies like Facebook and Google that claim to collect “anonymous” information must prove not only that they don’t take names, phone numbers, email addresses and other data that can identify an individual when they scan user pages or Gmail messages for keywords (which they use to present ads to users), but that they cannot get to that information by checking a user’s IP address (even a dynamic one assigned by an ISP) or any other method.
Those laws apply not only to companies domiciled in EU countries, but to any company that does business with EU customers. “It could even apply to cookies that are put by companies like Google, which operates from the US but puts a cookie on the computers of European users.” In a famous lawsuit from several years ago, said Van Eecke, Google was forced to put an expiration date on cookies, even though its lawyers tried to argue that, as an American company, the EU privacy laws did not apply to it (Google has since opened offices in most European countries, and has revamped its policies to comply with EU legislative demands).
And things are set to get even more secure in the EU, said Van Eecke. The updated legislation will feature new controls, such as requiring specific consent from users for each type of use of their data, e.g., showing them relevant banner ads. This could be a devastating blow to any company in the “big data” business, which relies on copious amounts of information on what sites users surf to, how long they remain on a site, etc. In fact, just calling yourself a Big Data company, Van Eecke said, “will be enough to raise red flags with regulators, and an invitation for extra scrutiny.” There will also be the user’s right to be “forgotten,” with companies in a wide range of industries — insurance, medical, etc. – required to erase the records of customers who demand it.
Companies will also have to appoint a “privacy coordinator” under the new rules — one who cannot be fired, and who will ensure that the strict rules are followed. And in a piece of legislation that “you really have to be European to understand,” said Van Eecke, the EU will step into the role of parent, prohibiting children under 12 from giving their own consent to the collection of data by any means — and forbidding parents from granting consent on behalf of their kids.
It comes down to the way Europe works, based on traditions going back hundreds of years, said Van Eecke. “There are major philosophical differences between Europe and the US. In Europe they see a need to legislate just about everything — and if there isn’t a law allowing it, it’s not permitted. In the US, if it’s not prohibited, it’s allowed.”
That difference reflects itself in the data protection legislation the US and Europe have developed over the years. In the EU, the regulation seeks to take into account as many scenarios as possible, and apply a uniform policy to them. Congress in the US has not passed any such comprehensive laws, but instead has focused on specific sectors. One example is the medical profession, which must comply with HIPAA, the Health Insurance Portability and Accountability Act, which includes provisions for safe storage of electronic medical records.
Countries around the world follow one of these models. Following the US model are China, Thailand, Turkey, India, Canada, and others; the EU model is followed by South Africa, Argentina, Brazil, Australia — and Israel.
Because Israel’s legislation is very close to that of Europe, Israel is on an EU “white list,” which means that European companies do not have to seek special government permission before exchanging data with Israeli companies, unlike the case with countries like China, which EU countries cannot exchange data with unless they get permits. This saves Israeli companies a great deal of paperwork and bureaucratic rigamarole — not to mention time and money, said Van Eecke.
The US, obviously, is not on Europe’s white list — but it has another arrangement with the EU. “The US is covered under a ‘safe harbor’ agreement, for which US companies qualify by filling out a questionnaire that certifies them as complying with European data regulations.” That nobody checked the level of compliance (a company’s claim that it was in compliance, until now, was sufficient) wasn’t such a major issue — until the Snowden revelations, said Van Eecke.
And with those revelations comes Israel’s big EU opportunity. “The Europeans are understandably very upset that companies like Google and Microsoft shared data about them with the NSA,” said Van Eecke. “They are threatening to end the Safe Harbor agreement with the US, and you can be sure that governments are going to be watching every move of the American companies very closely.”
Already, The New York Times reported last week, companies like Microsoft and IBM have lost business in the EU and elsewhere; a report by Forrester Research cited in the Times story said that US companies could face as much as $180 billion — 25 percent of industry revenue — in lost business in the cloud computing, web hosting and outsourcing markets because of compliance issues. And under the new legislation, the stakes will be higher than ever. “The EU is proposing a fine of up to 4% of a company’s annual turnover, instead of nominal sums, as is the case now,” said Van Eecke. “Imagine what that would do to the bottom line of a company like Facebook.”
As a result, companies around the world are racing to figure out ways to comply with the EU rules — and Israel has some of the solutions they need. “One way to ensure compliance is to develop systems that truly anonymize data,” said Van Eecke. “A one-way cryptography key, in which the company gets data from users with all information encrypted, would satisfy the requirements. Security companies that can provided trusted third-party solutions for data transfer between users, cloud servers, and company databases that ensure that there are no data leaks or transfer of personal information on the way will do well too.
“Israel has many interesting companies working in the Big Data area, as well,” said Van Eecke, “and if they partner with cyber-security companies that have effective data protection, they will do very well in this new, hyper-secure era.”