Cloud security weaknesses prompt call for global data protection law

European leaders have called for a worldwide agreement on data protection to address the data security weaknesses of cloud computing.

European leaders have called for a worldwide agreement on data protection to address the data security weaknesses of cloud computing.

The call was made today before an international audience of 300 cyber law experts who had assembled at the Council of Europe to discuss the harmonisation of cybercrime regulations.

Francesco Pizetti, president of the data protection authority of Italy, warned that cloud computing had challenged the legal basis on which personal data was handled by corporations.

"It is not possible to continue to guarantee the protection of citizens' data without very strong international rules accepted by all countries around the world," he said.

Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), said the agency was examining cloud computing because of the risks it held for data security.

ENISA will push for European regulation to oblige cloud providers to notify customers about security breaches, said Helmbrecht.

"We need to build trust into the cloud," he said. "If we don't build trust into this environment, the business model will not run."

Jim Reavis, executive director of the Cloud Security Alliance, said the regulatory environment needed clarifying for cloud providers. One uncertainty was how to deal with government requests to access the data they held. Cloud providers might want to make it difficult for "adverse" governments from getting at their data, but should assist governments who had the legal authority to make requests.

"We don't have a lot of good rules and structures for doing that sort of thing," he said. "There's a lot dealing with the legal domains, there's a lot dealing with incident response, there's a lot with the technology of cloud that we need to secure."

Yves Poullet, director of the Research Centre of IT and Law at the University of Namur, warned that "cloud computing is challenging the definitions of privacy" and foreign police might seize data contained in cloud datacentres hosted in their country.

Pizetti said an EU desire for better cloud regulation had been prompted by the US seizure of European banking data held by Swift - a move that caused the firm to close its US datacentres.

He said the Council of Europe's Convention on Cyber Crime would help create an international system of regulation that would make cloud computing safer.

The Council of Europe's annual Octopus conference was a focus for efforts to harmonise cyber laws around the world, mostly to give law enforcers the legal basis on which to gather cross-border evidence and bring prosecutions for cybercrimes such as hacking and fraud.

Alexander Seger, head of economic crime at the Council of Europe, warned that European businesses did not want to use cloud providers who hosted datacentres in countries that did not have adequate legal protections.

Jorg Polakiewicz, head of law reform at the Council of Europe, said both the Convention of Cyber Crime and the Council of Europe's Data Protection Convention were being updated to take account of new technologies such as cloud computing.

Read more on IT outsourcing