Research reveals 99% of cloud service providers would not meet new data protection requirements
Mon 11 Aug 2014
99% of cloud service providers would fall short of Europe’s new data protection legislation, according to research by cloud security firm Skyhigh Networks.
Having analysed its own CloudRegistry of over 7000 providers, Skyhigh suggested that the majority of cloud services would fail to meet the new data protection requirements imposed by the European Commission.
The research particularly points to the disputed right to be forgotten, following recent rulings by the European Court of Justice. This regulation has been one of the most controversial topics among Europe’s new data protection rules and presents a complex management issue for cloud providers.
Under this ruling, companies have to inform users and receive their consent before storing and using their data – if those users request that their information be deleted, the companies are legally required to permanently delete all personal and third-party copies of the data.
However, as the research found, 63% of cloud services store data indefinitely or have no provision for data retention in their contracts. What’s more, only 23% cover the right to share data with third parties in their terms and conditions, and the average company uses over 700 cloud services. Findings such as these serve to highlight the extent of the logistical nightmare for cloud providers trying to comply with such strict requirements.
“One of the most well-publicised and controversial amendments to the new regulation is the right for individuals to request deletion of data identifying them,” said Charlie Howe, Skyhigh’s EMEA director.
“It’s a complex issue but, given the media interest surrounding it, one that’s unlikely to blindside cloud providers. It’s fair to say that the right to be forgotten could turn out to be a massive headache for many organisations – cloud service providers themselves and those companies using these services. It’s not just an issue for Google,” he continued.
Another issue underlined by the analysis was that of data residency. The General Data Protection Regulation states that data must not be stored or passed through countries which lie outside of the European Economic Area (EEA) and do not impose similarly strict data protection standards.
The obvious stumbling block here is that the US, home to 67% of the world’s cloud headquarters, does not meet EU privacy specifications.
Howe explained that even with the Safe Harbor framework, which bridges the legal differences between the EU and the US, data residency is still a “significant issue, […] as only 8.9 percent of US-based providers have the Safe Harbor Certification, which provides exemption to these regulations.”
A further regulation requires that cloud service providers notify EU authorities of a data breach within 24 hours, even if this breach involves a third party provider. This is again problematic, as Howe suggested:
“Some existing regulations, including the UK General Data Protection Regulation and the French Data Protection Act, allow organisations to circumvent breach notification requirements if data is made inaccessible to third parties using encryption. Unfortunately, only 1.2 percent of cloud providers today provide the tenant-managed encryption keys required to do so.”