After three years of debate, drafts and discord, the European Commission’s work to overhaul the laws governing how the personal data of citizens should be treated is nearing completion, with the final version of the General Data Protection Regulation (GDPR) legislation set for publication before the year is out.
While the finer points are still being hammered out, the proposals aim to introduce a single set of rules governing how personal data should be held and processed by all 28 European Union (EU) member states.
As things stand, the rules and requirements governing how the personal information of EU citizens should be treated can vary markedly from one country to another, and getting to grips with these variations can be a time-consuming and costly process for businesses intent on European expansion.
Daniel Hedley, technology, media and telecoms lawyer at legal firm Thomas EggarLLP, explains: “At the moment, we have a directive and 26 different implementations of it – all of which vary – and 28 different regulators all applying their own policies and interpreting them in their own way; and they only collaborate loosely through something called the Article 29 Working Party.
GDPR and the cloud provider community
The push to replace the continent’s patchwork of data protection rules has been broadly welcomed by the cloud service provider community, albeit cautiously.
While it stands to make it easier for native and US-based cloud providers and hosting firms to win business across Europe, the new regulations will also – for the first time – put them on an equal footing with data controllers when it comes to liability for data breaches and rule violations.
Hedley says that, for this reason, the cloud service provider community needs to be aware of the obligations the upcoming set of rules will impose on them.
“At the moment we have a sharp distinction between the data controller [the enterprises that own the data] and the data processor [cloud providers], as all the legal obligations are on the data controller, but this is going to change,” he says.
Read more about EU data protection and cloud providers
- For nearly 20 years, UK data protection laws have remained fairly static – even in the face of considerable technological advances and the rise of social media and the big-data boom.
- US tech giants could soon come under increased pressure to build European datacentres now the validity of the US Safe Harbour Agreement has been rendered "invalid" by the European Court of Justice.
“Anyone who up to now thought, ‘I’m a processor, I don’t need to think about data protection,’ is soon going to discover that’s not true anymore.”
David Barker, technical director of Surrey-based colocation provider 4D, says the joint liability requirements are likely to prove a big source of concern for cloud firms.
“Traditionally, cloud providers – mainly those in the infrastructure-as-a-service (IaaS) category – haven’t really wanted or needed to know what data is actually being held on their servers, and have simply provisioned a one-size-fits-all solution that you can subscribe to,” he says.
“If we’re becoming liable for the data customers put on to those servers, there needs to be some clear delineation on where the responsibility for that data lies; how the underlying cloud infrastructure is being protected; and how the customer protects any data they put on those virtual servers.”
Law could push up cloud prices
This means cloud firms will have to take a keener interest in what exactly users are planning to store on their infrastructure – which could cause their overheads to rise.
“The costs are going to start to creep up to take into account the additional administration of dealing with these regulations for each customer deployment, and we might even see more bespoke requirements for production systems for larger businesses,” he says.
While this might mean customers have to pay more for services, the alternative – which is either a fine of up to €100m or 5% of the company’s annual global turnover – doesn’t really bear thinking about.
“If you’re looking at a fine of that size, the customer is going to be happy to pay that little bit extra as insurance,” says Barker.
Lillian Pang, director of legal at managed cloud provider Rackspace, says the joint liability requirements also mean cloud providers will be obliged to alert the authorities to data breaches within 72 hours.
“It will require the cloud provider to have a very good incident-response management programme in place,” she says.
“If there is any type of breach coming in, they will need to be able to identify it, and notify the customer about what that breach looks like, so they can notify their users.
“There are going to be quite a few steps involved – especially from the cloud provider perspective, because they’re not necessarily the one who will have the direct relationship with the user in every case.”
Overseas cloud providers and the 'right to be forgotten'
Such a wide-ranging reform of the EU’s data protection landscape last took place 20 years ago – at a time when the internet was an emerging technology, and the amount of user data collected, shared and stored miniscule by today’s standards.
Indeed, the amount of personal data belonging to EU citizens now held and processed outside of Europe has also markedly increased – another area the GDPR seeks to address.
But Steve Durbin, managing director of the non-profit Information Security Forum, fears many overseas cloud providers may not appreciate that the new rules apply to them too.
“US cloud providers who host personal data of EU residents will, in many cases, be subject to EU law – even if the cloud provider’s clients are not themselves established in the EU,” he says.
“Suffice to say the scope of the reform is large enough for this to be viewed as a global data protection law, and organisations would be well advised to begin preparations now.”
This expanding geographical remit is keenly felt throughout the GDPR, particularly where its reworking of the rules around the 'right to be forgotten' are concerned.
Under the terms of the 1995 Data Protection Directive – the legislation the GDPR will replace – an individual can ask for personal data held about them by an EU-based data controller to be deleted, once it is no longer needed.
The updated version expands this, so that the same principles will now apply to non-European companies that process the data of EU citizens – regardless of where their servers are located.
Build law into infrastructure
Aside from this, several parties have flagged the "right to be forgotten" as an essential part of the GDPR for cloud providers to get to grips with.
Philippe Courtot, CEO of network security supplier Qualys, foresees several ways in which the right to be forgotten could trip up ill-prepared cloud providers.
“It depends on the application and what the cloud provider offers, as information can be copied and redistributed into multiple different places – so deleting everything can be difficult,” he says.
“It might be a problem for some cloud providers in how they store data and create multiple copies of information for backup but, if you design your system with this in mind from the start, then it will – of course – be easy to support.”
4D’s Barker says that, to ensure compliance, providers will probably need to collect more metadata around the information they hold about individuals, to make it easy to find where it is stored and delete it.
“Otherwise there is going to be no way a company will be able to say for sure that they’ve deleted every piece of data held on an individual,” he says.
“I think there is going to be an enormous overhead in auditing current datasets and managing the metadata that sits around that.”
Providers will need to develop foolproof systems to confirm the data has been wiped, he warns.
Codifying best practice
Despite all this, Barker points out that much of what the GDPR requires the cloud and datacentre provider community to do is covered by existing legislation, or formalises existing industry best practice.
“For example, some of it is covered under ISO 27001. So, if you’re certified to that ISO standard, a lot of the preparation will be around reviewing what the provider is already doing,” he says.
“If they don’t have the ISO 27001 standard, it is going to be a big change to how you run your business.”
Hedley agrees, citing another of the GDPR’s stipulations, that companies should take a plain-English approach when writing their privacy policies, so users don’t have to second-guess how their data might be used.
“The requirement to have a data protection officer on your staff, if your company is above a certain size, is another example. Most well-run organisations will already be doing that. So, a lot of it is simply codifying good practice.”
For cloud providers yet to secure the ISO 27001, or whose privacy policies currently amount to legalese gobbledegook, there is still time to ensure they operate within the boundaries set by the GDPR, Hedley says.
“From a practical standpoint, once we’ve actually got a final regulation, at least we will know what it is we have to do,” Hedley says.
“There will be a transition period. Assuming the regulation is set and adopted at the end of the year, that doesn’t mean it will come into force. I think the plan is to do that in 2017, so there will be some breathing space."