The data center is sited in Luleå on the northern Swedish coast, and it went live on Wednesday. As with Google’s new Finnish data center, Facebook is counting on the northern European environment to help cut cooling costs – not by way of seawater cooling, this time, but using good old cold air. The remaining excess heat is used to keep the associated offices warm.

According to a post on Wednesday, water is nonetheless providing hydroelectric energy for the operation. This accounts for all of the data center’s electricity needs, and the post states that “the supply is also so reliable that we have been able to reduce the number of backup generators required at the site by more than 70 percent.”

The Luleå facility is almost entirely based on Facebook’s Open Compute Project designs, which also help on the energy efficiency front by doing away with extraneous materials. The company reckons the data center averages 1.07 on the power usage efficiency (PUE) scale.

Having a data center in Europe is a very good idea when it comes to meeting European data protection laws (which are probably about to get tougher). The only reason Facebook can legally process EU citizens’ personal data in the U.S. is its membership of the U.S-EU Safe Harbor program — after Edward Snowden’s leak, that arrangement now looks shaky to say the least.

It’s hard to say what the fallout from the scandal will be just yet, but processing those citizens’ data within EU borders may help Facebook stay on the right side of the law.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• How the mega data center is changing the hardware and data center markets
• Locating data centers in an energy-constrained world
• AWS Storage Gateway jolts cloud-storage ecosystem

For those unfamiliar with the workings of the European Parliament, members of the European Parliament (MEPs) operate in transnational political groupings. Those groups’ representatives speak in order of the size of the group (largest to smallest) and I have included an indication in brackets of how many MEPs each group has, in order to indicate influence.

I apologize in advance for including at best brief quotes from those MEPs who spoke in languages other than English (the translation facility on the livestream was unavailable). The most notable of these was of course the representative of the center-right European People’s Party, the largest of the political groups, who spoke in German. The debate was opened and closed by Tonio Borg, the European commissioner for health and consumer policy, who was standing in for justice commissioner Viviane Reding:

• Tonio Borg (European Commission): “Programs such as the so-called PRISM and the laws on the basis of which such programs are organized potentially endanger the fundamental right to privacy and data protection of EU citizens… The Commission is asking for clear commitments from the United States as to the respect of the fundamental rights of EU citizens to data protection and as to access to judicial redress in the same way as it is afforded to U.S. residents… It will request clarifications as to whether access to data is limited to individual cases and based on concrete suspicions or if it allows bulk transfers of data.”
• Manfred Weber (European People’s Party, 269/754): “For us in Europe it is unacceptable [that different standards of protection apply to U.S. citizens in this program].”
• Claude Moraes (Progressive Alliance of Socialists and Democrats, 190/754): “The events of the last few days… have caused shock to our European citizens. For the S&D group, we are very clear that while security is important this has caused for our citizens a major breach of trust. [At Friday's meeting it is important] to hold to account Eric Holder and the U.S. for what they have done in transferring, allegedly, bulk information of our citizens which may be completely unnecessary in the fight against terrorism. We wish to… ensure the U.S. public authorities, when they are processing EU citizens’ data, do so within our standards.”
• Sophia in ‘t Veld (Alliance of Liberals and Democrats for Europe, 85/754): “500 million EU citizens were very shocked last week to find a foreign nation has access to every detail of their private lives. We get the commissioner for public health to deal with this issue while President Barroso should have got in his helicopter … Why aren’t the prime political leaders of Europe here? … We are failing the European citizens at a time when trust in the EU is at an all-time low – we should be ashamed of ourselves… The member states are speaking doublespeak to their citizens – are we surprised that they are losing trust? … We need political leadership in Europe to defend the rights of our citizens and the time is now.”
• Jan Philipp Albrecht (Greens – European Free Alliance, 58/754): “I completely share the concerns that have been raised by all political groups here. It’s not only data protection, not only a small technical issue, this is about the rule of law and democracy… they cannot be in line with mass surveillance of people all around the world… If we really want to have a safe European cloud need to make sure we have strong data protection rules that are enforceable… We would like to agree on standards with the U.S. [on international data transfer] but we need some movement on the other side of the Atlantic.”
• Timothy Kirkhope (European Conservatives and Reformists, 55/754): “It’s too early to draw final conclusions yet here we are, already pointing the finger, with some expressing anti-American and anti-Commission rhetoric. Protecting citizens from modern threats is a balancing act … it would be worth some people in this room remembering who the real enemy is and where it is and when we want answers that friends listen most when we talk and not when we shout.”
• Jaroslav Paška (Europe of Freedom and Democracy, 35/754) and Marie-Christine Vergiat (European United Left – Nordic Green Left, 34/754) both spoke but I did not understand. Vergiat shouted a lot though, and seemed quite angry at the PRISM revelations. Martin Ehrenhauser (representing non-affiliated MEPs, 28/754) also spoke, stating that “this program offends fundamental rights” and questioning which European security agencies had benefited from PRISM data, as seems to have been the case in the UK and the Netherlands.
• Tonio Borg: “The Commission, I must say, shares the European Parliament’s concerns on this PRISM scandal … We are not happy with level of data protection from the U.S. … The whistleblower [Edward Snowden] said ‘government has granted itself power it is not entitled to.’ We are entitled to ask questions at the next EU summit … I can comment as a former minister for the interior for 10 years [that the] frustration of any law enforcement agency is that while terrorists and organized crime have no rules to go by, law enforcements agencies in a democratic country cannot use anything but the gloves of law in order to fight terrorism… No-one should use this special relationship [between the U.S. and Europe] not to abide by the law. Partnership entails not only rights but deeper obligations. No one should be taken for granted.”

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• AWS Storage Gateway jolts cloud-storage ecosystem
• Will cloud computing push the BRIC market to the front?
• Google and the Ghost of Silicon Valley Past

If you’re just catching up with this news now, the gist is that the U.S. National Security Agency apparently has a direct line into the systems of globally-used U.S. web platforms including Google, Facebook, Apple, Yahoo, Microsoft, Skype and AOL. The companies themselves have denied such backdoors exist, but the U.S. administration has effectively confirmed that they do.

Peter Schaar, Germany’s federal commissioner for data protection, sent me this statement a few minutes ago:

“The U.S. administration must now provide clarification. [The] first statements from the U.S. government [suggesting that] the surveillance would not be directed against U.S. citizens, but only against persons who reside outside the United States, [do] not reassure me at all.

“Given the large number of German users of Google, Facebook, Apple or Microsoft services, I expect the German government… is committed to clarification and limitation of surveillance. In addition, the reports illustrate the importance of strengthening the European data protection law. The dilatory attitude of the EU Interior and Justice Ministers towards the Privacy Policy reform package is a completely wrong signal.”

This response is as expected — read my take from earlier today on the implications for the EU data protection debate here.

Meanwhile, the British Open Rights Group (ORG) has suggested there may be implications here for the UK government, too. Here’s executive director Jim Killock:

“These allegations are profoundly serious, for the UK government as well as USA. Did our government know about this? What will they do to prevent the USA or others from invading British citizens’ privacy in the future?”

This is just beginning. Expect more in the same vein soon — this story will be updated.

UPDATE (7.15am PT): Looks like Killock is asking the right questions. According to a fresh Guardian report, the UK’s intelligence services have been drawing information from PRISM for a couple of years. This raises the possibility that, despite being forced to drop plans for a mass communications logging scheme in the UK due to public opposition, authorities in that country have been covertly achieving some of the same goals through their American partners.

UPDATE 2 (8.50am PT): Having finally understood that this is not just an “internal U.S. matter”, the European Commission has issued a new statement. Here’s the latest from Home Affairs Commissioner Cecilia Malmström:

“We have seen the media reports and we are of course concerned for possible consequences on EU citizens’ privacy. For the moment it is too early to draw any conclusion or to comment further. We will get in contact with our U.S. counterparts to seek more details on these issues.”

UPDATE 3 (9.05am PT): The UK Information Commissioner’s Office (ICO) has also weighed in now:

“There are real issues about the extent to which U.S. law enforcement agencies can access personal data of UK and other European citizens. Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies potentially conflict with European data protection law, including the UK’s own Data Protection Act. The ICO has raised this with its European counterparts, and the issue is being considered by the European Commission, who are in discussions with the U.S. Government.”

For context, the ICO has previously said that, where a U.S. cloud provider is obliged to cough up a UK citizen’s personal data under the Patriot Act, the cloud provider — Google or what have you — remains responsible for what happens to that data.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• AWS Storage Gateway jolts cloud-storage ecosystem
• Google and the Ghost of Silicon Valley Past
• Connected consumer first-quarter 2013: Analysis and outlook

UPDATE 2: Less blasé reactions are now starting to roll in. That link will also take you to a revised statement from the European Commission, which now concedes this may not be just an internal U.S. matter.

This is a great day to be a conspiracy theorist. Vindication! The National Security Agency – part of the U.S. military – reportedly has a direct line into the systems of some of the world’s biggest web and tech companies, all of which are of course sited in the U.S.

The companies themselves – Google, Facebook, Apple, Yahoo and so on – have denied the existence of these backdoors, but the U.S. authorities have not. They have claimed there are unspecified inaccuracies in the reports carried by The Guardian and The Washington Post, but there has been no substantive denial, other than to say it’s all OK because only non-U.S. citizens outside the U.S. are being targeted.

That last part appears to be nonsense, hence the uproar within the U.S., but let’s for a moment take the Obama administration at its word and pretend it’s not spying on its own citizens. Even in this scenario, the fallout will be tremendous outside American borders.

Great timing

And nowhere more so than in Europe, which is already in the throes of a wide-ranging debate over data privacy. The EU’s new data protection laws are being formulated, with treats in store including enhanced responsibilities for non-EU cloud firms when it comes to protecting the privacy of European citizens. This has prompted a pretty shameless lobbying campaign by U.S. tech firms to see the new rules watered down. Activist members of the European Parliament (MEPs) such as Jan Philipp Albrecht have been fighting back.

Guess which side of this battle just got a boost?

@superglaze Europeans should insist on having their #dataprotection laws applied to their data. This is why we need #EUdataP. #nsa #privacy—
Jan Philipp Albrecht (@JanAlbrecht) June 07, 2013

Unsafe Harbor?

But what about the current EU data protection rules? Time for a quick primer: it is illegal for EU citizens’ personal data to be processed – that includes being hosted on servers — outside the EU, unless the company doing the processing/hosting is in a country that has data protection laws of as high a standard as you find in the EU. The U.S. does not conform to these standards, but of course most of the big web firms are American, so to get around this there is something called a Safe Harbor agreement between the U.S. and Europe.

The Safe Harbor scheme (not recognized by the Germans, incidentally) allows U.S. tech firms such as Google to self-certify, to say that they conform to EU-style data protection standards even if their country’s laws do not. It’s not quite that simple – these companies really do need to jump through some hoops before they claim compliance; just ask Heroku — but it does largely come down to trust.

EU data protection regulators have already called for the system to be toughened up through the introduction of third-party audits, but frankly it now looks like the whole system is in tatters. U.S. companies claiming Safe Harbor compliance include Google, Yahoo, Microsoft, Facebook and AOL, all of which now appear to be part (willingly or otherwise) of the NSA’s PRISM scheme.

As EU data protection rules don’t say it’s OK for foreign military units to record or monitor the communications of European citizens – heck, even local governments aren’t supposed to be doing that – the Safe Harbor program now looks questionable to say the least. A lot of people have already pointed to the U.S. Patriot Act as a threat, and now the effects of that legislation are plain to see.

Cloud impact

All of this is likely to prove very problematic indeed for U.S. cloud firms trying to push further into the European market.

Imagine you’re a European government wanting to move your IT systems into the cloud. For some, nationalism and protectionism already come into play at this point – witness the French (of course) and the two national clouds that they have under development.

Now imagine you’re a U.S. firm trying to drum up business in that context. You can say you have an EU data center and you’re even willing to set up a mini-cloud in the country, just to put everyone’s mind at rest. You can say it and you can mean it, but can you really be surprised when you get laughed at because everyone now sees U.S. internet companies as being in league with the NSA? Even if you’re Amazon, which isn’t part of PRISM, you have a problem.

But that’s just business. The NSA revelations will have a far worse impact than that.

Goodbye moral high ground

This is where it gets really depressing. It’s not like previous U.S. statements on internet freedom in places such as China and the Middle East have emerged without some pointing out the perceived hypocrisy of it all. But now those people, who may have seemed a tad on the paranoid side at the time, can slip into told-you-so mode.

Let’s be clear about this: the NSA’s PRISM program is not quite the same thing as what the Chinese have in place. We’re not talking about overt clamping-down on freedom of speech, or the blocking of certain terms on microblogs when anti-government stories are doing the rounds.

But whatever is happening with the data being collected, the very fact that it is being collected means governments doing much worse things can now turn around and call the U.S. a hypocrite every time it tries to criticize them. At the very least, the perception of U.S. online freedom will no longer be what it was earlier this week – but it is possible that these latest revelations will lead some authoritarian regimes to be a little less cautious with their own online crackdowns.

The PRISM leak is going to be damaging for U.S. firms and the country’s image abroad, but its long-term effects may be worse than that.

But hey, lemons to lemonade, right? If you’re a web firm – particularly one dealing in communications of any kind – based in a country with meaningful data protection rules and checks on governmental intrusion, you now have a pretty strong selling point that wasn’t so clear a few days ago. We’re still waiting for the official reaction to emanate from data protection authorities here in Europe, but there’s every chance that they will be giving their citizens a strong steer in that direction.

And while we’re trying to see the upside:

So, who else is pumped about Google Glass?—
PRISM US Gov (@PRISM_NSA) June 06, 2013

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• How the mega data center is changing the hardware and data center markets
• Dissecting the data: 5 issues for our digital future

“It’s easy to make big money when you get to keep all the profits,” the Glass Balcony post points out, before complaining about the impact of these low-outlay ways on real people:

“Relying on automated support systems is no longer adequate. As the amount of online fraud grows over the years, automated systems are becoming less efficient. There is no accurate measure for that, however it’s anecdotally known that it’s more common nowadays for Google to shut down perfectly well-standing and long-standing AdSense accounts for invalid activity without providing the actual reasons for shutdown. Ditto for PayPal withholding the funds of customers.”

We all marvel at how quickly these companies grow and at their bounteous financials, but we don’t often enough sit back and consider why it is these companies can perform so well.

A huge part of that is down to enabling technologies, from the web itself to cloud computing and, yes, natural language processing and other technologies that will make automated customer service more useful and reliable. But that’s only part of the picture.

At this stage in the game, these companies are playing by different rules to everyone else. In the context of the post I mentioned above, customers are not customers: instead, they are users. If the exchange of money isn’t central to the relationship, as it is with an e-commerce operation such as Amazon, then customer support becomes an afterthought – after all, most of the users aren’t paying with anything more than their personal data anyway, so what should they expect?

But that’s only one facet. Pull back, and this iconoclasm becomes even more concerning.

Taxing times

I’m not suggesting that Amazon, Google and Facebook are breaking any laws, but they certainly don’t pay much tax either, relative to their revenues. In Europe, this is becoming a big issue, which is unsurprising given our current age of austerity. After all, if small businesses are struggling in this economic and technological environment, is it really fair that the megacorps taking their business away (particularly in retail) are so big and international that they don’t have to play by the same rules?

Bear in mind that Amazon is supposedly operating at a loss. The company’s margins are so low that it can destroy most competition, yet it somehow continues to expand. If the company paid taxes at the rate that small businesses need to, this situation would be entirely unsustainable.

The economic benefits for anyone other than Amazon are sometimes hard to see. Small businesses that would have paid their taxes in full are going under, and those public revenues are not being replaced. Of course these web giants are based somewhere – usually the U.S. – but their money often goes through a dizzying series of countries before it finds some tax haven where it can rest quietly. And from the companies’ perspective, why not? They operate everywhere; they can pick and choose.

That can sometimes lead to a sense that the web giants don’t feel beholden to any particular society. Consider these extraordinary quotes from Larry Page at yesterday’s Google I/O Q&A session:

“The pace of change in the world is increasing… We haven’t adapted mechanisms to deal with that. Maybe some of our old institutions like the law and so on aren’t keeping up with the rate of change that we’ve caused through technology. The laws when we went public were 50 years old. The law can’t be right if it’s 50 years old, that’s before the internet…

“We also haven’t built mechanisms to allow experimentation. There’s many exciting things you can do that you just can’t do because they’re illegal or against regulation. That makes sense, we don’t want our world to change too fast, but maybe we should set aside a small part of the world. I like going to Burning Man, for example, that’s an environment where people can try different things.”

Some have mocked Page for “wanting to start his own country”, but that risks missing Page’s point. He just sees Google as a special case that should enjoy at least limited exemptions from the rules that apply to smaller, pre-internet-style concerns. “If your rules weren’t written for us,” he seemed to say, “they shouldn’t apply to us.”

Competition

I sympathize with this view to a very limited extent: the pace of technological change does mean that regulators and legislators need to speed up their own operations if they want to keep up. Where Page and I part company, though, is that he wants Google to be hassled less and I want to see, for example, new data privacy laws that put meaningful and practical limitations on what companies such as his can do.

The great benefits of the free market system are supposed to be its enabling of genuine, merit-based competition and the resulting benefits to society. What we’re seeing here is a reduction in competition and variety, the concentration of wealth in the hands of a few giants, and the rise of players so big as to feel untouchable. The lack of genuine customer service mentioned at the start of this article is both symptomatic of this situation and one of its many drivers.

That sense of invulnerability and entitlement will affect us all, not only in terms of public finances, but in other fields too, such as data protection. These companies are worth more than many countries, and you can tell they know it.

In short, I’m worried about where this industry is going. I’m all for progress – I’d have chosen a strange field of journalism if that wasn’t the case – but perhaps it’s time to aim for a wider evaluation of what’s going on here. It’s not about being positive or negative. It’s about making sure that the massive societal changes this industry is effecting work out for the benefit of society as a whole.

After all, that’s why many of us are in this game to start with.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Social media in Q1: commerce and discovery dominated
• Google doesn’t like walled gardens — except its own
• Sector RoadMap: Content personalization in 2013

The short answer is no. The Sunday Times (paywall alert) may have billed its story as being about the potential sale of 27 million people’s details to the cops, but the reality is somewhat less alarming. As Ipsos Mori has been forced to explain in response to the exposé:

“In conducting this research we only receive anonymized data without any personally identifiable information… We do not have access to any names, personal address information, nor postcodes or phone numbers. We can see the volume of people who have visited a website domain, but we cannot see the detail of individual visits, nor what information is entered on that domain. We only ever report on aggregated groups of 50 or more customers. We will never release any data that in any way allows an individual to be identified.”

So what does this data tell us? According to the original article, it provides insights based on “gender, age, postcode, websites visited, time of day text is sent [and] location of customer when call is made”.

Reverse engineering

Now, as we discussed recently, it is easier than you might think to de-anonymize data due to the uniqueness of our personal movement patterns — as long as you have the will, the datasets and the pieces of identifying information that can be correlated with the anonymized individuals effectively described in those datasets. So those horrified reactions to the weekend’s revelations are not entirely groundless. They are over-the-top, though.

There is a significant difference between a register of communications (who contacted whom and when) and a pool of anonymized data where the most fine-grained nugget of information that might be reverse-engineered would tell you that Person X visited the Gmail domain while within a 100 meter radius of the corner of Oxford Street and Tottenham Court Road. To assume equivalence between the two ideas is to ignore the elements of intent, will, data-crunching capacity and, frankly, competence. In short, there are far easier ways for the police to track individuals through their handsets, such as just going to the carrier and demanding to do so.

(The Sunday Times said sources claimed “officers had been enthusiastic about the potential for tracking users of pay-as-you-go phones,” but – quality of sources notwithstanding — I suspect those officers may have been slightly overestimating their own data-crunching powers. They may have also overlooked the fact that the operators would have no idea of their pay-as-you-go users’ age or gender, making it near-impossible to tease out an individual from the anonymized mass. Either way, they backed off once the story broke.)

Not damning

And then there’s the matter of this data’s innocent utility. Of all the sources of “big data” that is both largely untapped and genuinely useful, mobile operators must be among the most potentially fruitful. In societies where everyone is carrying a phone, there can be no better way to establish the density and fluidity of traffic flows and footfall. This data is gold dust, not just for retailers, but also for town planners and councils. It shows us how our cities and roads really work, and it can help us make them more efficient and pleasant to live in or use.

I feel a bit sorry for EE in this particular case. After all, its rivals Telefonica (trading as O2) and Vodafone are also offering up their customer data for analytics purposes – Telefonica’s “Dynamic Insights” program is being carried out in partnership with market research firm GfK, while Voda launched its mobile analytics play just last Friday.

“Everyone is doing it” would be a lousy apology in itself, but I don’t think any of these carriers or their partners are doing anything wrong, as long as their datasets are suitably anonymized. If people could feasibly be personally identified from this data, the carriers and their market research partners would instantly find themselves on the wrong side of existing data protection legislation — the fines in the UK for this stuff are pretty paltry, but they would also quickly lose the trust of their customers, so there’s little motivation for the telcos and their partners to cross the line.

It’s great that people are concerned and watchful about their privacy, and long may they continue to be. However, this is a case where the potential benefits of the data are both great and realistically attainable, and where the downsides are so unfeasible as to be worth discounting, at least at this stage. It’s now up to the carriers to explain this to their customers in understandable and honest terms.

There will be great battles worth fighting in the war over our personal data and its exploitation. This ain’t one of them.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

The company has come under criticism for not having a European data center in the past, largely due to compliance issues – Salesforce is part of the EU-U.S. Safe Harbor framework, which means it’s allowed to handle European citizens’ personal data, but many customers would prefer the certainty that a locally sited data center allows. (We will be discussing such issues at our Structure:Europe conference in London on 18-19 September, by the way.)

Salesforce said last year that it hoped to open a data center in the UK in 2013, but this appears to have been pushed back a little now. According to a statement today, the new data center – the firm’s sixth — will be completed in 2014 in partnership with NTT Communications’ local arm, NTT Europe.

In a statement, Salesforce CEO Marc Benioff said Europe had provided the greatest revenue growth – 38 percent — for the company in the 2013 fiscal year:

“We are doubling down on Europe with the announcement of our new data centre in the UK, which will support continued customer success in EMEA.”

Robin Balen, NTT Europe’s wholesale data center business chief, added that the new facility would be “powered 100 percent by renewable energy sources.”

Innovation Challenge

Meanwhile, Salesforce has also teamed up with a group of European venture capital firms – Notion capital, Octopus Investment and MMC Ventures – to launch a €5 million ($6.6 million) Innovation Challenge for startups.

Startups are invited to pitch their enterprise cloud apps that could run (surprise!) on Salesforce’s platform. There will be pitching events through Europe between September and November, and the winners will get seed funding. Apps will need to be at least in the beta stage, with demonstrable “traction, customer success and user adoption.”

“This is a unique opportunity for innovative start-ups in the enterprise app market here in Europe to receive commercial support to allow them to compete on a global stage,” Octopus principal Luke Hakes said in a statement.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Google and the Ghost of Silicon Valley Past
• AWS Storage Gateway jolts cloud-storage ecosystem
• Will cloud computing push the BRIC market to the front?

In a blog post, Heroku’s Zeke Sikelianos said the platform-as-a-service oufit had been seeing great demand from the non-U.S. world, and its second region was now live as a public beta, following a private beta with customers such as Swedish television network TV4.

“Deploying our app closer to our users in Heroku’s Europe region gave us a 150ms improvement in web performance. Based on this win for our users, we’re moving all of our apps to the Europe region,” the post quoted TV4 CTO Per Åström as saying.

The European region, which runs out of Amazon’s Irish data center, comes with all the same features as the U.S. region. Over 60 add-ons are already available for the region, such as Heroku Postgres and ClearDB, and others are on their way. The company has introduced heroku fork to its command-line interface in order to ease the migration of apps from the U.S. region, by copying relevant data and configuration variables.

Data location

European data protection laws are more stringent than those in the U.S., so the two parties have set up a Safe Harbor program for American companies whose services involve the handling of EU citizens’ personal data. Heroku still isn’t part of that program, so technically it’s still not kosher to run services for EU citizens on the platform, even though it’s now using an EU data center.

“Heroku is not yet a registered participant in the Safe Harbor program,” the post read. “We’ve laid the groundwork for becoming Safe Harbor certified and expect to have it soon.

“The Europe region public beta is designed to let you build high-performance apps for European users. It does not currently address data residency or jurisdiction concerns. You should assume that some portions of your app and its data will be in, or pass through, data centers located in the U.S.”

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Examining open hybrid cloud options for the enterprise
• Platform as a Service in 2012
• Emerging trends in the non-relational database market

This all follows on from the great Street View data collection scandal of 2010, where it emerged that Google’s vehicles weren’t just photographing roads and buildings, but also scraping fragments of emails, photos and passwords from open wireless networks that they passed. Google logs Wi-Fi access points in order to help its geolocation services locate the user more quickly, but the collection of data being transmitted over those access points was, Google has always argued, a terrible accident – the company blamed this on rogue code in its software.

Germany, the birthplace of data protection law, was always going to come down harshly on Google over what happened almost three years ago, and indeed Caspar levied almost the maximum €150,000 fine at his disposal for a merely negligent data protection breach. If he had not been convinced by Google that the breach was accidental, he would have faced a €300,000 cap – still hardly enough to make a difference to a company the size of Google.

Here’s what Caspar said in a statement:

“In my estimation this is one of the most serious cases of violation of data protection regulations that have come to light so far. Google did cooperate in the clarification thereof and publicly admitted having behaved incorrectly. It had never been the intention to store personal data, Google said. But the fact that this nevertheless happened over such a long period of time and to the wide extent established by us allows only one conclusion: that the company internal control mechanisms failed seriously…

“As long as violations of data protection laws are punishable by discount rates, the enforcement of data protection laws in a digital world with its high potential for abuse will be all but impossible.”

Under the proposed new EU-wide data protection regulation, companies could be fined up to 2 percent of their annual turnover for such breaches, a level that Caspar said would “enable violations of data protection laws to be punished in a manner that would be felt economically.”

Incidentally, Germans need not worry about Street View cars scraping their data anymore, not just because Google says it has cleaned up its act, but also because the company stopped taking new Street View pictures in the country a couple of years back. This was after Google allowed Germans to apply to have their properties manually blurred out – so many people took the company up on this that it required the hiring of scores of temporary workers to carry out the blurring, and eventually Google just gave up.

Regarding Monday’s fine, Google released the following statement:

“We work hard to get privacy right at Google. But in this case we didn’t, which is why we quickly tightened up our systems to address the issue. The project leaders never wanted this data, and didn’t use it or even look at it. We cooperated fully with the Hamburg [data protection authority] throughout its investigation.”

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Google and the Ghost of Silicon Valley Past
• Survey: How apps can solve photo management
• Sector RoadMap: Content personalization in 2013

The group is called the Article 29 Working Party and, while it doesn’t make laws, it does have a great deal of influence over those who do, and over the way in which privacy laws are interpreted. Its opinion (PDF warning) on mobile apps will be unwelcome in many quarters because it states that just about everyone in the mobile industry — app developers, app store proprietors and even OS and device vendors — has a range of legal obligations around protecting and properly collecting and processing user data.

Compliance with E.U. data protection law means sticking to several principles. First and foremost, the user needs to give full and unambiguous consent to having their data processed. Data processing has to be for a legitimate purpose — like the app’s stated use case — and everyone has a responsibility to keep personal data secure.

Even those mobile players who are trying to stick to the rules may find the task more complex than they first imagine. Here’s an example given by the regulators (with bold type reflecting my emphasis):

“An app provides information about nearby restaurants. To be installed the app developer must seek consent. To access the geolocation data, the app developer must separately ask for consent, e.g. during installation or prior to accessing the geolocation. Specific means that the consent must be limited to the specific purpose of advising the user about nearby restaurants. The location data from the device may therefore only be accessed when the user is using the app for that purpose. The user’s consent to process geolocation data does not allow the app to continuously collect location data from the device. This further processing would require additional information and separate consent.

Similarly, for a communication app to access the contact list, the user must be able to select contacts that the user wishes to communicate with, instead of having to grant access to the entire address book (including contact details of non-users of that service that cannot have consented to the processing of data relating to them).”

How about app stores? Here, the working party recommends that apps “should not just be rated by users for how ‘cool’ they are, but also on the basis of their functionalities, with specific reference to privacy and security mechanisms”.

These kinds of recommendations may seem a tall order, but they are doable. However, the working party seems under no illusion about the challenge it faces. Here’s the whole problem with ensuring the rules get stuck to, distilled into a single passage:

“A high risk to data protection comes from the degree of fragmentation between the many players in the app development landscape. A single data item can, in real time, be transmitted from the device to be processed across the globe or be copied between chains of third-parties. Some of the best known apps are developed by major technology companies but many others are designed by small start-ups. A single programmer with an idea and little or no prior programming skills can reach a global audience in a short space of time. App developers unaware of the data protection requirements may create significant risks to the private life and reputation of users of smart devices. Simultaneously, third-party services such as advertising are developing rapidly, which, if integrated by an app developer without due regard, may disclose significant amounts of personal data.”

There’s the rub. The creation and distribution of apps can involve many, many parties, with services interlinked in a way that’s hard to keep track of — especially since one of the fundamentals of EU data protection law is that the user is kept fully informed of what’s happening with their data, the likelihood of proper compliance breaks down on that point alone. That’s before we even get to the thorny issue of who is situated where and whether sending data to that location means breaking the rules, or how many opportunities for a security breach get opened up by having so many links in the chain.

It’s one thing imposing these rules on a big cloud provider, but what about the one or two-person team that comes up with some app that taps into multiple APIs linking to services around the world? Are they supposed to have a designated data controller within their organization, keeping an eye on compliance? That’s hardly going to be top of their agenda when their app may have been created and set live practically on a whim.

What the Article 29 Working Party is doing here is noble — and I don’t mean that dismissively. We should all be thinking about this stuff. Low barriers to entry shouldn’t be an excuse for ignoring a cumulative effect of privacy erosion.

The question is, are these guidelines going to stay a wishlist, or are we going to see Europe’s regulators enforce them? That’s what these opinions often presage, so we may soon find out what privacy regulation really means in the mobile age.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.