A massive 99% of cloud services providers would not meet Europe's new data protection requirements
That’s a startlingly bold assertion being bandied around by cloud security firm Skyhigh Networks, which claims that, having analysed its own CloudRegistry of over 7,000 cloud services, most providers will fall foul of one or more of a myriad of data protection requirements.
Now, ordinarily I’d tend to veer away from vendor-sourced research that happens to find problems that happen to align just nicely with the vendor’s own solutions, but in this instance I’m making an exception.
This is partly because of the sheer scale of the claim being made and partly because it’s the most pessimistic reflection of my own underlying fears about the damage the European Commission could do in its pursuit of ever more draconian data protection rules.
A brief scout around previous stories on diginomica can leave no-one in any doubt about my suspicions about some of the agendas being pursued under the veil of data protection, including a dangerous focus on putting up protectionist barriers around Europe and striking ludicrously grandiose postures against Washington.
All this has of course been helped by the Edward Snowden NSA revelations, providing the more, shall we say, fervent in the Commission with ammunition to spread fear, uncertainty and doubt around in equal measures.
As the indomitable European Justice Commissioner Viviane Reding said in March:
Following the US data spying scandals, data protection is more than ever a competitive advantage.
That was on the occasion of the European Parliament formally adopting the compromise text of the proposed EU General Data Protection Regulation, with 621 votes in favour, 10 against and 22 abstentions. The Regulation is now expected to take effect in 2015.
Skyhigh’s research identifies a number of key areas of concern, beginning with the controversial right to be forgotten that came into being following a ruling by the European Court of Justice. This concept has been one of the most argued about in the negotiations around the new regulations, but the ECJ ruling has thrown the cat among the proverbial pigeons outside of those formal discussions.
Skyhigh argues that organizations must notify individuals and receive their consent before storing or using personal data in any way. If those individuals request that their data be deleted, organizations are legally required to permanently delete all copies of the data, including any copies stored by third party providers.
But with 63% of cloud providers maintaining data indefinitely or having no provisions for data retention in their terms and conditions, a further 23% building the right to share data with third parties into their contracts, and the average organization using in excess of 700 cloud services, that presents a management nightmare.
Charlie Howe, Skyhigh Networks EMEA director, comments:
One of the most well-publicised and controversial amendments to the new regulation is the right for individuals to request deletion of data identifying them. It’s a complex issue but, given the media interest surrounding it, one that’s unlikely to blindside cloud providers.
It’s fair to say that the right to be forgotten could turn out to be a massive headache for many organisations – cloud service providers themselves and those companies using these services. It’s not just an issue for Google.
- PRISM exploitation drives EU’s data protection overhaul (diginomica.com)
- Europe preaches from data privacy bully pulpit over right to be forgotten (diginomica.com)
- Don’t undermine Europe’s cloud SLA work with US-targeted data protection paranoia (diginomica.com)
- No Euro-vision as UK defies Brussels over anti-Safe Harbor demands (diginomica.com)
A more familiar problem is that of data residency. The General Data Protection Regulation requires that data is not stored in, or transferred through, countries outside the European Economic Area that do not have equivalently strong data protection standards.
Only 11 countries meet EU privacy requirements today and they don’t include the United States, where 67% of all cloud services are headquartered.
That’s why we have Safe Harbor, and that’s why many in the Commission are all for using the threat of withdrawal from that scheme as a mechanism to bully the US into toeing the European line.
Data residency is already a significant issue under the current EU Data Protection Directive and it will continue to be so as the new regulations come into effect – especially as only 8.9 percent of US-based providers hold Safe Harbor certification, which provides an exemption from these restrictions.
Actually, there are signs that the US Federal Trade Commission (FTC) is taking the need to be seen doing something here more seriously, signing off final orders in June that settle charges against 14 companies for falsely claiming to participate in the Safe Harbor scheme. Given that only ten such enforcement actions had been issued since 2000, that’s not bad going, although when measured against the 400 false claims made in 2013, it’s not making that much of an impression.
On the subject of notification following a data breach, the new regulation would require organizations to notify EU regulatory authorities within 24 hours of a data breach, even if the breach occurs in a third party cloud service. But many providers, realising that a breach may occur as a result of a third party, seek to pass the burden for this on to their clients. Some national regulations are more flexible than others, states Howe, but problems still arise:
Some existing regulations including the UK General Data Protection Regulation and France Data Protection Act allow organisations to circumvent breach notification requirements if data is made inaccessible to third parties using encryption. Unfortunately, only 1.2 percent of cloud providers today provide the tenant-managed encryption keys required to do so.
As I said, I'm inherently sceptical of vendor research at all times, but this one has the awful ring of truth about it, although I'd add the caveat that the public data on the research methodology, etc., is far from transparent.
This research doesn't really take us much further forward in the debate, but it's just another reminder of the potential threat to the European cloud industry from well-intentioned/politically-motivated (delete as applicable) efforts to rewrite existing legislation.