Après moi, le déluge (where’s your data, reprise ad nauseam)

Austria’s supreme court is to decide soon whether to open the floodgates. If the court rules that Max Schrems et al can sue Facebook over its handling of their personal data, and if their suit is successful – or looks like it might be – then every law firm in Europe will be trying to persuade every consumer in Europe to sue every internet service in the world. It could make PPI (running total £24bn) look like very small beer in contrast.

That’s the apocalypse scenario; one hopes it won’t be that dramatic. We are, though – to stretch my metaphor – facing something of a perfect storm at the moment. We have ever-increasing concerns over privacy and data-handling, led by individuals in the EU but with the clear support of some EU governments. At the same time, we have the ongoing crackdown on encryption, which is not only somewhat incompatible with the demands for enhanced privacy but also risks another fragmentation of the internet: the more we treat encryption as a weapon, the greater the export controls. We’ve got the slow-burning but persistent problem that most of our internet services are funded by advertising, which not only requires precisely the kind of data-sharing the privacy mavens oppose, but which may also be largely fraudulent in the first place. And half the world’s governments are busy investigating half the world’s internet unicorns for everything from market abuse to breach of local regulations.

We’ve seen some interesting, if early, signs of uncertainty in the tech investment world: Square’s rather confusing IPO (not only underpriced on the day, but at about half the value investors were promised) and Uber’s reported difficulties, so far, in completing its latest funding round at a rumoured $70bn valuation. Bubble? Maybe. Uncertainty risk? For sure.

So what? I’m not a tech investment analyst; this is a security blog. The point is that what applies to the headline internet firms also affects the rest of us. Not just in terms of their services, but in terms of the data protection and security environment for our own businesses. It’s much harder now than it used to be to give definitive advice.

Want to go Office 365? A year ago, you could point to the Safe Harbor details on Microsoft’s website, mime a big tick, and move on to focusing on functionality. Now? Not so much.

Want to offshore your call centre, or move your CRM into the cloud, or use tracking cookies in your advertising, or collate and analyse user data globally? More questions, fewer easy answers, and greater costs in implementation and compliance.

If you are a data controller or data processor, and you handle data on individuals other than your own staff, and this stuff isn’t right at the top of your discussion and decision agenda…you may be in for a rude surprise.

