Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Europe's Data Security Laws Clear Some Clouds, Muddle Others

Regulations being mulled over by the European Union will clarify security requirements for many cloud providers -- but could hurt U.S. providers

The European Commission (EC)'s plan to rewrite the European Union's data privacy directive and update regulations to account for the increasing amount of personal data online in social networks and cloud services has some U.S. cloud providers on alert.

Critics in the U.S. have charged that the proposed law would throw up competitive road blocks for cloud providers. For Europeans, the law would unite a myriad of interpretations of the original privacy directive and allow citizens the "right to be forgotten."

But for data security, the proposed privacy legislation has both a silver lining and a darker side, say experts. Cloud providers will have a single set of regulations with which they need to comply, making handling and securing consumer data simpler. However, the new provisions could put non-European companies at a disadvantage and hefty fines -- up to 2 percent of global revenues -- could be levied against firms that do not notify authorities within 24 hours of a breach.

"We expect that the new approach will simplify the multi-jurisdictional issues and remove some of the administrative challenges in regards to notifications," Felix Sterling, senior vice president and general counsel for security firm Trend Micro, said in a statement. "But (we) also anticipate new compliance challenges. Unfortunately, what this means at the end of the day is that more companies will need to review their risk management approach and security measures in light of the heightened accountability for errors and breaches."

The revision to the European Union's Data Protection Directive comes nearly two decades after the original law mandated that member states adopt privacy protections. The proposed law would put in place a single set of regulations, rather than the 27 different individual implementations currently in place. Companies will deal with a single national data-protection agency in the country where they operate. The European Commission estimates that the harmonization will save companies approximately 2.3 billion euros a year.

"Right now, there are problems for the cloud providers in dealing with the European states, because they have to comply with all 27 different laws," says Daniele Catteddu, the Cloud Security Alliance's managing director for Europe, the Middle East and Africa.

[Cloud services aim to simplify information technology for businesses, but as companies subscribe to a greater number of services and integrate virtual infrastructure into business processes, complexity rises. Can brokers help? See Cloud Brokers Seek To Simplify, Secure Services. ] 

Yet, while companies applaud the single set of regulations, they worry that fight between the U.S. government's search for information on terrorism could put them at odds with European regulations. If a U.S. law enforcement or intelligence agency requests from Microsoft an Italian citizen's Hotmail data stored on a server in Ireland, who has jurisdiction: The United States, Italy, or Ireland? In 2011, Microsoft stated that it would have to obey lawful requests from the U.S. government and turn over information under the USA Patriot Act, the anti-terrorism law passed following 9-11, even if the information was owned by a non-U.S. citizen. The current proposed update to the European privacy directive would give the EU jurisdiction.

The debate will be "a huge food fight between American cloud service providers and the European Union," Tim Mather, advisory director at accounting firm KPMG, said at the Cloud Security Alliance (CSA) Summit in late February.

"Lets be quite honest about this: The Europeans want nothing to do with the USA Patriot Act, and this is a way for them to fight back and incidentally give an economic advantage to the European cloud service providers," Mather said.

The current proposed update to the directive would also scuttle the Safe Harbor provisions negotiated by the EU and the United States, which allows U.S. companies to export some data in certain restrictive circumstances. The problem is that the European Commission believes that the keeping data inside a data center in an European country means that it's safe, Marc Crandall, senior manager of global compliance enterprise for Google, said at the CSA Summit.

"Does location really equal security? I would argue that it does not," he said. "But that is an issue that we are going to have to reckon with."

Today, Google has to deal with varying regulations and compliance standards in each European country. In 2010, for example, a judge in Milan, Italy, convicted three Google execs for violating Italian privacy laws, when a controversial video was posted to the company's service. Even though Google helped authorities track down the person who posted the video, the court still held the service culpable.

In the end, however, the degree to which a company is impacted will depend on their business model and their approach to their customers' data, says Praerit Garg, president and cofounder of ambient cloud storage provider Symform.

"The nature of companies' business models ultimately drives their behavior," he says. "If their business model is about collecting user information, then those companies are fundamentally at odds with privacy regulations."

Companies whose business model revolves around protecting their clients data will likely only benefit from the European changes, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.