EU to legislate on cloud security

 

Providers asked to become legally liable for any data offences.

The European Union plans to introduce new data protection laws in November designed to ensure cloud providers are offering a safe service.

The Binding Safe Processor Rules (BSPR) will ask cloud service providers working in the EU to agree to be legally liable for any data breaches or losses that occur at their data centres, lawyers said yesterday.

It will effectively act as an accreditation scheme for cloud providers, meaning it will require suppliers to sign up to the initiative.

It comes after a sweeping review of Europe's data protection laws.

Eduardo Ustaran, partner at Field Fisher Waterhouse, said service providers were certain to sign up as it would give them a much-needed selling point. If they didn’t, they would be viewed as unsafe.

To get that accreditation, vendors would have to prove their security models were adequate, Ustaran said.

"Cloud service providers would be given an accreditation from their data protection authority," Ustaran said.

Verizon Business is one organisation that has been pushing for the EU to enshrine the BSPR concept in data protection law, which is now set to happen.

Stewart Room, partner in FFW’s Privacy and Information Law Group, described it as the “bridge” for cloud adoption, given the fears around being legally liable if data offences occur in the cloud.

However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption. The law effectively means the US can search through any US-run cloud provider’s data centres to find information on illegal activities.

For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.

The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.

Mandatory data breach disclosure

In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.

Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.

“We are certain that mandatory data breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already,” Room said.

This means companies will be required to report any breaches, making more work for Information Commissioner’s Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog.

Room believes the ICO will order companies to provide records of any breaches on a monthly basis.

This article originally appeared at itpro.co.uk

Copyright © ITPro, Dennis Publishing


EU to legislate on cloud security
EU's Neelie Kroes.
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
EU's Neelie Kroes.
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1803

Vote
Do you support the abolition of the Office of the Information Commissioner?