EU cloud vendors liable for breaches

Powered by SC Magazine

Directive asks vendors to prove security and accept liability.

The European Union will introduce rules that make cloud providers legally liable for data breaches.

The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday.

It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative.

Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would likely to sign up because it would give them a selling point.

If they refused, they would be seen as unsafe, he said.

Vendors must prove their security models were adequate to get accredited.

"Cloud service providers would be given an accreditation from their data protection authority," Ustaran said.

Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.

Field Fisher Waterhouse information law group partner, Stewart Room, said was the “bridge” for cloud adoption that would cover customer fears around legalities of cloud-based data breaches.

However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption.

The law effectively means the US can search through any US-run cloud provider’s data centres to find information on illegal activities.

For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.

The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.

Legal changes incoming

In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.

Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.

“We are certain that mandatory breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already,” Room said.

This means companies will be required to report any breaches, making more work for Information Commissioner’s Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog, if it decides to show its teeth.

Room believes the ICO will order companies to provide records of any breaches on a monthly basis.

This article originally appeared at

Copyright © ITPro, Dennis Publishing

EU cloud vendors liable for breaches
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
Sign up to receive iTnews email bulletins
Latest Comments
In which area is your IT shop hiring the most staff?

   |   View results
IT security and risk
Sourcing and strategy
IT infrastructure (servers, storage, networking)
End user computing (desktops, mobiles, apps)
Software development

Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results