Cloud Services Struggle to Comply with EU Privacy Laws

A California-based security company has revealed that 99 percent of cloud services currently operating in the European Union are not yet compliant with data laws that the EU is set to implement in the coming year.


European Commission in Brussels. Photo: Sébastien Bertrand / Wikimedia Commons

The EU’s General Data Protection Regulation was first introduced as a draft in 2012 as a replacement for the 1998 Directive by the European Commission. This new regulation threatens a fine of up to €100 million to companies not found to be compliant with these new protection laws. ZDNet cites the recent controversial “right to be forgotten” legislation as a particularly troublesome aspect of the updated regulations.

The General Data Protection Regulation affects companies either based in the EU or working with information that pertains to EU citizens.

Security company Skyhigh Networks compiled data for over 7,000 vendors and discovered that only one percent are currently compliant.

At present, two-thirds of the EU’s cloud-based services are located in the US, where only a small percentage have the Safe Harbor certification that exempts them from European data protection laws.

Companies operating under US data protection laws have the option, under the 1998 directive, to enter into the US-EU Safe Harbor program (a similar framework for operating in compliance with Switzerland’s data laws exists in the form of the US-Swiss Safe Harbor program). Organizations must comply with a separate set of Safe Harbor Privacy Principles. These principles allow for exemptions from certain Directive regulations in situations where it would conflict with US federal or state government. According to the Safe Harbor website:

Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations… or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.

The EU’s “right to be forgotten” may experience some pushback from regional vendors, many of whom still defend their right to share information with third parties. Privacy advocates in favor of the “forgotten” ruling hope it will provide EU citizens with protection from the public display of information that is “outdated or irrelevant.”

Wikipedia founder Jimmy Wales, while admonishing the ruling as a form of censorship, acknowledged that the ruling would more appropriately serve its purpose if the legislation were clearly phrased in a manner that explicitly protects private data such as financial and health records. At present, however, Google is managing over 90,000 right to be forgotten requests that include links to public sources such as news articles.

The regulations could be a step forward in emphasizing EU-based vendors. In the wake of reports about the US administration’s international surveillance, EU citizens and lawmakers alike have echoed the need for more European cloud services. Although many of the US-based cloud services affected by these regulations are not in compliance with the new privacy laws, some believe this may encourage more widespread use of European services and, consequently, less reliance on US services.

Skyhigh Networks reassures vendors that there is still time to adjust their operations and comply with EU regulations. The shift may involve expenses and resources that smaller vendors may have difficulty attaining in such a short amount of time. Even tech giant Google has stated its own difficulties complying with the “right to be forgotten” ruling. Responding to these individualized requests is a process that cannot be automated and requires hiring additional personnel to manage the new workload.

Google illustrated the troubles it faces in verifying the accuracy of information in these requests (including the omission of information that may provide a broader context). Google asked the European Commission a series of questions on how to best implement these rules, such as how to differentiate which content is “in the public interest” and how to determine the scope of “right to be forgotten” for public figures.