EU cloud vendors liable for breaches

By on
EU cloud vendors liable for breaches

Directive asks vendors to prove security and accept liability.

The European Union will introduce rules that make cloud providers legally liable for data breaches.

The Binding Safe Processor Rules (BSPR) will require cloud service providers in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday.

It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative.

Eduardo Ustaran, partner at law firm Field Fisher Waterhouse and driving force behind the new rules, said service providers would likely to sign up because it would give them a selling point.

If they refused, they would be seen as unsafe, he said.

Vendors must prove their security models were adequate to get accredited.

"Cloud service providers would be given an accreditation from their data protection authority," Ustaran said.

Verizon Business had pushed for the EU to enshrine the BSPR concept in data protection law.

Field Fisher Waterhouse information law group partner, Stewart Room, said was the “bridge” for cloud adoption that would cover customer fears around legalities of cloud-based data breaches.

However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption.

The law effectively means the US can search through any US-run cloud provider’s data centres to find information on illegal activities.

For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.

The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.

Legal changes incoming

In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.

Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.

“We are certain that mandatory breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already,” Room said.

This means companies will be required to report any breaches, making more work for Information Commissioner’s Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog, if it decides to show its teeth.

Room believes the ICO will order companies to provide records of any breaches on a monthly basis.

This article originally appeared at itpro.co.uk

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © ITPro, Dennis Publishing
Tags:
cloud data breaches european unioin security
In Partnership With

Most Read Articles

NBN Co says fibre-to-the-curb build is more complex than it hoped

NBN Co says fibre-to-the-curb build is more complex than it hoped
US military weapons systems found to have vulnerabilities

US military weapons systems found to have vulnerabilities
NBN Co explores 'FTTN in a box' for emergency network fixes

NBN Co explores 'FTTN in a box' for emergency network fixes
AWS Sydney data centre locations leaked

AWS Sydney data centre locations leaked
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider
Why Business Process Modelling Matters
Why Business Process Modelling Matters
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018

Events

Log In

Username / Email:
Password:
  |  Forgot your password?