New EU regulations on data security may make Europeans feel safer – but they are likely to make life much harder for the IT departments in some of the world’s biggest tech firms. But while big data companies suffer under the weight of these new regulations, Israel could be thrust into the spotlight. “One of the most effective ways to show compliance is to use top-level encryption on data, and Israel is a world center of encryption technology,” according to Internet compliance expert Dr. Patrick Van Eecke. “Israeli start-ups that partner with big data companies build a good business for themselves.”
Van Eecke is a partner in the Technology, Media and Commercial department of the Brussels office of DLA Piper, the world’s largest international law firm, and is considered by several professional organizations to be one of the world’s top 20 information technology lawyers. “You’d be hard pressed to find someone more knowledgeable than Van Eecke about European IT legal issues, and you won’t find anyone who is more humble regarding that knowledge,” said Jeremy Lustman, head of DLA Piper’s Israel office since 2008, introducing Van Eecke at a special seminar in Tel Aviv dedicated to cyber-legal issues sponsored by DLA Piper and the law offices of Yigal Arnon.
Regulatory compliance – Van Eecke’s specialty – is one of those eye-rolling topics that people tend to tune out, but they do so at their own peril, he told the Times of Israel. “People have been talking about data security and regulations to ensure it for over two decades, but it’s only been in the past several or so years that the topic has come into focus.” That’s because of the high-profile data leaks at Target, Sony, the IRS, and the many other groups that have been in the news in recent years as cyber “candy stores” for hackers to lift data at will. “Governments now get it, and they are developing guidelines that will have a major impact on data companies, both multinationals and start-ups.”
At issue is a revamping of the privacy laws that have driven legislation in European Union countries since 1995. In 2012, the European Commission unveiled a draft European General Data Protection Regulation that will, when it is implemented (probably by the end of the year, said Van Eecke), further limit already tight restrictions on the collection and use of personal data in the ways companies like Google and Facebook have done for the past decade or so. “Since the revelations by Snowden on how the National Security Administration in the US spied on European leaders, there is much more political pressure on European leaders to prevent such incidents from repeating themselves,” said Van Eecke.
Already, laws in most EU countries prevent the collection of data that can be associated with an individual — living or dead — either directly or indirectly. Companies like Facebook and Google that claim to collect “anonymous” information must prove that not only do they not take names, phone numbers, e-mail addresses and other identifying data when they scan user pages or Gmail messages for keywords (which they use to present ads to users), but that they cannot get to that information by checking a user’s IP address (even a dynamic one assigned by an ISP) or any other method.
Those laws apply not only to companies domiciled in EU countries, but to any company that does business with EU customers. “It could even apply to cookies that companies like Google, which operates from the US but puts a cookie on the computers of European users.” In a famous lawsuit several years ago, said Van Eecke, Google was forced to put an expiration date on cookies, even though they tried to argue that, as an American company, the EU privacy laws did not apply to them (Google has since opened offices in most European countries, and has revamped its policies to comply with EU legislative demands).
And things are set to get even more secure in the EU, said Van Eecke. The updated legislation will feature new rights, such as requiring specific consent from users for uses of their data, for example to provide them with relevant banner ads — something that could be a devastating blow to any company in the “big data” business, which relies on copious amounts of information on the sites users surf, how long they remain there, etc. In fact, just calling yourself a big data company, Van Eecke said, “will be enough to raise red flags with regulators, and be an invitation for extra scrutiny.” Users will also have the right to be ‘erased’ from companies in areas such as medical and insurance.
Perhaps the biggest blow to big data firms – but potentially a big boon for Israel – is the law’s Article Four provisions, which require that data collected in the EU remain in the EU, unless it is transferred to a country that is on an EU “whitelist” for data protection. The US is not on this list, but Israel is – which means that big data companies like Google and IBM that have substantial operations in Israel may use Israel as a “way station” for analyzing anonymous data for use in metrics and algorithms (since under Israeli law it is also illegal to export data with personalized information). In addition, Israeli cyber-security and encryption skills are going to become very important to companies seeking to show the EU how committed they are to data security.
“Eventually they are going to have to work out international agreements on data sharing and storage, because the commercial world is going to have a hard time growing under these circumstances,” said Van Eecke. “The UN is most likely going to draw up regulations, or at least suggestions, on the standards countries should implement to ensure data security. Encryption is certainly going to be among those standards, and Israel is likely to become an important source for that technology.”