Some ideas could become the norm for Europe, such as the concept of the "right to be forgotten," which recognizes that individuals have a right not to be tracked across the Internet, which is often done through cookies today. This "privacy by default" concept means that Web browsers, for example, will likely be required to ship turned on by default to their newer "do not track" capabilities to be used in Europe. In Europe, "there are real concerns about behavioral targeting," said Eisenhauer.
Some European legal concepts suggest that even use of deep-packet inspection often a core technology used in security products today to watch for signs of malicious activities on the network could be frowned on under European law, and companies will need to be mindful of how deep-packet inspection is deployed, said Eisenhauer. Even today, use of security and information event management (SIEM) monitoring of employee network usage is something that does not easily conform to European ideas of data privacy.
The proposed EU data-privacy rules require reporting data breaches to the governments and their data-privacy authorities there as well as to the individuals impacted by it very quickly. The regulation also points to possible fines for failing to comply with the proposed regulations, fines that start with 2% of the company's annual worldwide revenue.
However, Eisenhauer adds that Europe's data-privacy regulators in government encourage direct communication about any issues that come up with cloud-service providers and their customers and are far more eager to resolve problems, not mete out punishments.
Many companies, including HP, which is a member of the CSA, are tracking these kinds of regulatory requirements from all across the world that impact the cloud.
"You will have to answer to auditors and regulatory regimes," said Andrzej Kawalec, HP's global technology officer at HP Enterprise Security Solutions. This means that there can't be "monolithic data centers" all subscribing to one mode of operation, but ones tailored to meet compliance in Europe, Asia and North America.
In Switzerland, for example, which is not part of the EU, "the Swiss think the data should remain in Switzerland," he said. But "everyone is getting a lot more stringent" on security and data protection, Kawalec said. Some ideas, such as Europe's notion that even the user's IP address represents a piece of personally identifiable information, are not necessarily the norm in the U.S.
In the U.S., there is also a significant regulatory change afoot related to cloud computing and security and it is arising out of the federal government's so-called FedRAMP program unveiled earlier this year.