EU cloud vendors liable for breaches

By on
EU cloud vendors liable for breaches

Directive asks vendors to prove security and accept liability.

The European Union will introduce rules that make cloud providers legally liable for data breaches.

The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday.

It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative.

Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would likely to sign up because it would give them a selling point.

If they refused, they would be seen as unsafe, he said.

Vendors must prove their security models were adequate to get accredited.

"Cloud service providers would be given an accreditation from their data protection authority," Ustaran said.

Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.

Field Fisher Waterhouse information law group partner, Stewart Room, said was the “bridge” for cloud adoption that would cover customer fears around legalities of cloud-based data breaches.

However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption.

The law effectively means the US can search through any US-run cloud provider’s data centres to find information on illegal activities.

For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.

The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.

Legal changes incoming

In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.

Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.

“We are certain that mandatory breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already,” Room said.

This means companies will be required to report any breaches, making more work for Information Commissioner’s Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog, if it decides to show its teeth.

Room believes the ICO will order companies to provide records of any breaches on a monthly basis.

This article originally appeared at itpro.co.uk

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © ITPro, Dennis Publishing
Tags:
cloud data breaches european unioin security
In Partnership With

Most Read Articles

NSW puts digital driver's licence on a blockchain

NSW puts digital driver's licence on a blockchain
ANZ breaks out LEGO to bust staff silos

ANZ breaks out LEGO to bust staff silos
UNSW researchers find FTTP NBN worth the extra billions

UNSW researchers find FTTP NBN worth the extra billions
NSW transit officers can't check credit card tap-ons

NSW transit officers can't check credit card tap-ons
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

How to choose a trusted IT provider
How to choose a trusted IT provider
Why Business Process Modelling Matters
Why Business Process Modelling Matters
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report

Events

Log In

Username / Email:
Password:
  |  Forgot your password?