Regulatory Developments for Cloud Data Privacy


Data privacy in the cloud continues to be a hot topic for regulators. This week, I’d like to cover two important data privacy developments that have a tie-in to concerns about US surveillance programs and cloud data. The first is the US Email Privacy Act, and the second is the revocation of the US-EU Safe Harbor agreement.

Email Privacy Act

The Email Privacy Act is a proposed US Federal law that would require the government to obtain a warrant before accessing email, text messages, and other private content stored in the cloud by Internet Service Providers.


Currently, under the Electronic Communications Privacy Act of 1986, the government can request access to any cloud-based email older than 180 days. These emails are considered to be “abandoned” and can be reviewed by law enforcement agencies without a warrant (although a subpoena or court order is required).

The Email Privacy Act aims to update this law, taking away the 180-day rule and requiring a warrant for all private content stored in the cloud. The bill is hugely popular, with bipartisan support in the House of Representatives and (not surprisingly) support from Internet giants such as Yahoo and Google.

The bill remains in committee due to concerns that it will hamper law enforcement capabilities. Critics want to see warrant exemptions for emergencies and other circumstances, while privacy advocates say this is not necessary and will undermine the purpose of the legislation. It remains to be seen what impact this debate will have on the final version of the bill.

Safe Harbor and EU Data Privacy

European concerns about US government surveillance programs are also having an impact on data privacy rules for transatlantic data flows. In October 2015, the Court of Justice of the European Union revoked Safe Harbor – an agreement that previously allowed US businesses to self-certify that they are compliant with Europe’s data privacy and protection requirements. The court invalidated the agreement on the grounds that Safe Harbor does not protect EU citizens’ data against US government surveillance programs.

This ruling has implications for thousands of companies, including Google, Facebook, and Microsoft, who relied on Safe Harbor self-certification to transfer EU personal data to US servers. Fortunately, the EU and the US are working on a replacement mechanism to be in place by the end of January, 2016. However, EU data protection authorities have warned that they will start enforcing the data protection regulations, including issuing financial penalties, if a solution is not in place by the end of January.

The next public update on a replacement mechanism is scheduled for December 10th, 2015, when the European Commissioner for Justice, Consumers and Gender Equality will provide a report on the negotiations to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee.

Balancing national security with data privacy

As businesses and consumers move to the cloud, concerns about data privacy and national security will continue to provoke debate. Hopefully regulators will be able to balance the many competing interests in this area, including those from business, law enforcement, and individual consumers who are concerned about their personal privacy.

We’ll be discussing data privacy on an upcoming webinar with Forrester Research, so stay tuned for details and registration information. The topic will be the EU Data Protection Directive, and Safe Harbor will be on the agenda. In the meantime, please visit our Privacy Protection solutions page, where you can learn how TITUS helps organizations protect personal data.

Leave a Reply