When the EU drafts a new data protection law in November, it will introduce rules designed to ensure cloud providers are offering a safe service, IT Pro has learned.
The Binding Safe Processor Rules (BSPR) will ask cloud service providers working in the EU to agree to becoming legally liable should any data offences occur at their data centres, lawyers said yesterday.
It will effectively act as an accreditation scheme for cloud providers, meaning it will need vendors to sign up to the initiative.
However, the driving force behind the new rules, partner at Field Fisher Waterhouse Eduardo Ustaran, said service providers were certain to sign up as it would give them a much-needed selling point and, if they didn't, they would be seen as unsafe to use.
To get that accreditation, vendors would have to prove their security models were adequate as well, Ustaran said.
"Cloud service providers would be given an accreditation from their data protection authority," Ustaran told IT Pro.
Verizon Business is one organisation that has been pushing for the EU to enshrine the BSPR concept in data protection law, which is now set to happen.
Stewart Room, partner in FFW's Privacy and Information Law Group, described it as the "bridge" for cloud adoption, given the fears around being legally liable if data offences occur in the cloud.
However, it will do little to allay fears around the US Patriot Act, which is fast emerging as a real threat to cloud adoption. The law effectively means the US can search through any US-run cloud provider's data centres to find information on illegal activities.
For companies planning on using vendors with data centres in the US, this poses a significant obstacle to cloud adoption.
The European Parliament has already raised concerns about the impact of the Patriot Act and its effective overriding of EU data protection laws.
Legal changes incoming
In November, the EU will publish the draft new data protection law, which will form the basis of national legislations for the next 15-20 years. This will replace the current Data Protection Directive and the Data Protection Act in the UK.
Outside of the new Binding Safe Processor Rules, mandatory breach disclosure will be embedded in the draft law.
"We are certain that mandatory breach disclosure laws will be contained with the new EU data protection law. The European Commission has made this clear already," Room said.
This means companies will be required to report any breaches, making more work for Information Commissioner's Office (ICO). It makes it much more likely private companies will be reprimanded by the watchdog, if it decides to show its teeth.
Room believes the ICO will order companies to provide records of any breaches on a monthly basis.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Westcon-Comstor unveils new managed SOC solution for Cisco partnersNews Powered by Cisco XDR, the new offering will enable partners to tap into new revenue streams, the company said
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
