EU cloud vendors liable for breaches

The European Union will introduce rules that make cloud providers legally liable for data breaches.

The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday.

It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative.

Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would likely to sign up because it would give them a selling point.

If they refused, they would be seen as unsafe, he said.

Vendors must prove their security models were adequate to get accredited.

"Cloud service providers would be given an accreditation from their data protection authority," Ustaran said.

Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.

Field Fisher Waterhouse information law group partner, Stewart Room, said was the “bridge” for cloud adoption that would cover customer fears around legalities of cloud-based data breaches.

However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption.

The law effectively means the US can search through any US-run cloud provider’s data centres to find information on illegal activities.

For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.

The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.

Legal changes incoming

In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.

Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.

“We are certain that mandatory breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already,” Room said.

This means companies will be required to report any breaches, making more work for Information Commissioner’s Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog, if it decides to show its teeth.

Room believes the ICO will order companies to provide records of any breaches on a monthly basis.

This article originally appeared at itpro.co.uk