EU cloud vendors liable for breaches

By on
EU cloud vendors liable for breaches

Directive asks vendors to prove security and accept liability.

The European Union will introduce rules that make cloud providers legally liable for data breaches.

The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday.

It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative.

Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would likely to sign up because it would give them a selling point.

If they refused, they would be seen as unsafe, he said.

Vendors must prove their security models were adequate to get accredited.

"Cloud service providers would be given an accreditation from their data protection authority," Ustaran said.

Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.

Field Fisher Waterhouse information law group partner, Stewart Room, said was the “bridge” for cloud adoption that would cover customer fears around legalities of cloud-based data breaches.

However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption.

The law effectively means the US can search through any US-run cloud provider’s data centres to find information on illegal activities.

For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.

The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.

Legal changes incoming

In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.

Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.

“We are certain that mandatory breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already,” Room said.

This means companies will be required to report any breaches, making more work for Information Commissioner’s Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog, if it decides to show its teeth.

Room believes the ICO will order companies to provide records of any breaches on a monthly basis.

This article originally appeared at itpro.co.uk

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © ITPro, Dennis Publishing
Tags:
cloud data breaches european unioin security
In Partnership With

Most Read Articles

Centrelink loses welfare payments overhaul chief

Centrelink loses welfare payments overhaul chief
Key EDS witness bought internet degree

Key EDS witness bought internet degree
ACCC questions consumer need for higher-priced 100Mbps NBN services

ACCC questions consumer need for higher-priced 100Mbps NBN services
Toll Group may have lost over 200GB of data in ransomware attack

Toll Group may have lost over 200GB of data in ransomware attack
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
TechTarget: Organizations Increasing Their Adoption of NFV
TechTarget: Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD
The Maturity of Zero Trust in Australia and New Zealand
The Maturity of Zero Trust in Australia and New Zealand

Events

Log In

Username / Email:
Password:
  |  Forgot your password?