Besides, companies would be foolish to oppose the new EU regulations, says David Bradshaw, research manager for SaaS and cloud at analyst firm IDC.
“Critics have focused on the stick – the implications if companies don’t abide by these new regulations,” he told Computing. “But they’ve ignored the carrot of Germany, where most of these regulations are already in place.
“Germany is the EU’s biggest market, and by complying with these regulations companies will be able to operate in the lucrative German market,” Bradshaw adds.
Transatlantic data traffic
When they come into force, the European regulations will cover not just European organisations, but all bodies that process the data of European citizens. That means companies from outside the EU will have to comply with the regulations if they want to do business in the EU that involves handling personal data.
“Companies that target the EU market will need to consider their existing data handling procedures and assess the extent to which they meet the EU’s proposed rules,” says Chris Watson, head of telecoms at law firm CMS Cameron McKenna.
However, how the EU will enforce its regulations on non-EU entities still needs to be addressed, Watson adds.
The need to enforce regulations made in one territory on companies operating across several will result in greater international co-operation in enforcement, says Wilmot.
“The price to be paid for this clarity and harmonisation is that the enforcement regimes on both sides of the Atlantic will be ‘beefed-up’,” he says.
With data regulation becoming more extra-territorial than ever, the regulatory environment will tend to flow with the data, says Bange.
“Where CIOs have ownership of data estates straddling either side of the Atlantic, it’s hard to see how that data will not be pooled, especially where lines of business span geographical borders,” he says.
“The question is whether CIOs are ready to address the increasing data regulation that is also pooled with the data, and flows with the data, whichever side of the Atlantic the data touches,” he adds.
Back in the late 1990s, lengthy negotiations between the EU and US led to the Safe Harbour provisions (which also include Switzerland), which act as a framework for sharing data between the two regions. But ever since the terrorist attacks on 11 September 2001, the US has put emphasis on security above privacy.
The US Patriot Act was implemented in the aftermath of September 11 by the US government to fight international terrorism, and it means the US can obtain data from European companies that have their data stored in US-owned datacentres, even if the datacentres are on EU soil.