Europe's Data Security Laws Clear Some Clouds, Muddle Others

Published: 22/11/2024   Category: security




Regulations being mulled over by the European Union will clarify security requirements for many cloud providers -- but could hurt U.S. providers



The European Commission's (EC) plan to rewrite the European Union's data privacy directive and update regulations to account for the increasing amount of personal data online in social networks and cloud services has some U.S. cloud providers on alert.
Critics in the U.S. have charged that the proposed law would throw up competitive roadblocks for cloud providers. For Europeans, the law would unite a myriad of interpretations of the original privacy directive and allow citizens the "right to be forgotten."
But for data security, the proposed privacy legislation has both a silver lining and a darker side, say experts. Cloud providers will have a single set of regulations with which they need to comply, making handling and securing consumer data simpler. However, the new provisions could put non-European companies at a disadvantage, and hefty fines -- up to 2 percent of global revenues -- could be levied against firms that do not notify authorities within 24 hours of a breach.
"We expect that the new approach will simplify the multi-jurisdictional issues and remove some of the administrative challenges in regards to notifications," Felix Sterling, senior vice president and general counsel for security firm Trend Micro, said in a statement. "But (we) also anticipate new compliance challenges. Unfortunately, what this means at the end of the day is that more companies will need to review their risk management approach and security measures in light of the heightened accountability for errors and breaches."
The revision to the European Union's Data Protection Directive comes nearly two decades after the original law mandated that member states adopt privacy protections. The proposed law would put in place a single set of regulations, rather than the 27 different individual implementations currently in place. Companies will deal with a single national data-protection agency in the country where they operate. The European Commission estimates that the harmonization will save companies approximately 2.3 billion euros a year.
"Right now, there are problems for the cloud providers in dealing with the European states, because they have to comply with all 27 different laws," says Daniele Catteddu, the Cloud Security Alliance's managing director for Europe, the Middle East and Africa.
[Cloud services aim to simplify information technology for businesses, but as companies subscribe to a greater number of services and integrate virtual infrastructure into business processes, complexity rises. Can brokers help? See Cloud Brokers Seek To Simplify, Secure Services.]
Yet, while companies applaud the single set of regulations, they worry that the U.S. government's search for information on terrorism could put them at odds with European regulations. If a U.S. law enforcement or intelligence agency requests from Microsoft an Italian citizen's Hotmail data stored on a server in Ireland, who has jurisdiction: the United States, Italy, or Ireland? In 2011, Microsoft stated that it would have to obey lawful requests from the U.S. government and turn over information under the USA Patriot Act, the anti-terrorism law passed following 9-11, even if the information was owned by a non-U.S. citizen. The current proposed update to the European privacy directive would give the EU jurisdiction.
"The debate will be a huge food fight between American cloud service providers and the European Union," Tim Mather, advisory director at accounting firm KPMG, said at the Cloud Security Alliance (CSA) Summit in late February.
"Let's be quite honest about this: The Europeans want nothing to do with the USA Patriot Act, and this is a way for them to fight back and incidentally give an economic advantage to the European cloud service providers," Mather said.
The current proposed update to the directive would also scuttle the Safe Harbor provisions negotiated by the EU and the United States, which allow U.S. companies to export some data in certain restrictive circumstances. "The problem is that the European Commission believes that keeping data inside a data center in a European country means that it's safe," Marc Crandall, senior manager of global compliance enterprise for Google, said at the CSA Summit.
"Does location really equal security? I would argue that it does not," he said. "But that is an issue that we are going to have to reckon with."
Today, Google has to deal with varying regulations and compliance standards in each European country. In 2010, for example, a judge in Milan, Italy, convicted three Google execs for violating Italian privacy laws when a controversial video was posted to the company's service. Even though Google helped authorities track down the person who posted the video, the court still held the service culpable.
In the end, however, the degree to which a company is impacted will depend on its business model and its approach to its customers' data, says Praerit Garg, president and cofounder of ambient cloud storage provider Symform.
"The nature of companies' business models ultimately drives their behavior," he says. "If their business model is about collecting user information, then those companies are fundamentally at odds with privacy regulations."
Companies whose business model revolves around protecting their clients' data will likely only benefit from the European changes, he says.