A proposed European Union regulation known as the EU General Data Protection Regulation, which is expected to be passed this year, could change how organizations treat the privacy of personal data. However, very few cloud service providers are currently able to meet these regulations, which are likely to come into effect in 2015.
In its survey of more than 7,000 cloud services, IT security company Skyhigh found that only 1 in 100 cloud providers meet all the criteria outlined in the Data Protection Regulation. Cloud providers wanting to do business with European clients will have to step up or else face fines as high as €100 million or 5 percent of their annual revenue.
Among the most widely publicized amendments to the proposed regulation is the right for individuals to request deletion of data identifying them, or “the right to be forgotten”.
Almost two thirds (63 percent) of cloud providers maintain data indefinitely or have no data retention provisions stated in their terms and conditions.
Meanwhile, 23 percent of cloud providers ask users for permission to share their data with third parties, which makes it difficult or impossible to ensure that all copies are deleted, given the number of parties that end up holding the data.
There are also major issues in data residency requirements, as well as new security provisions.
The Data Protection Regulation forbids storing data in, or passing data through, countries outside the EU that do not have equivalently strong data protection standards. Only 11 countries qualify, and the US, which provides 67 percent of all cloud services, is absent from the list.
Skyhigh notes, however, that the current Safe Harbor certification offered under the EU Data Protection Directive could allow the small number (8.9 percent) of US-based providers that hold Safe Harbor certification to continue operating in Europe.
Another area likely to cause problems for cloud providers is the requirement that companies notify EU regulatory authorities within 24 hours of a data breach, even if the breach occurs in a third-party cloud service.
There may be exceptions if data is made unreadable through encryption, but today only 1.2 percent of cloud providers provide encryption using tenant-managed encryption keys.
Companies not abiding by existing European data privacy requirements, such as strong passwords, secured workstations, network security, and information security training, could be found negligent, leading to even higher fines if a security breach is reported.
Many individuals and companies have discussed competing views on free speech and online privacy when it comes to these new regulations, especially in regards to the right to be forgotten. And while many US cloud providers stand to lose business or risk fines by not meeting the EU regulations, Microsoft recently announced that its enterprise cloud contracts meet European Union privacy law standards.
The European Parliament has been fervent about protecting EU citizens from surveillance after the NSA’s mass data collection operations were revealed by Edward Snowden. And distrust in how private data is used by corporations and governments has already hurt confidence in many companies that handle data in the US. More guidelines around the fair use of data could help many companies and individuals in Europe rebuild trust in cloud services.