Tougher EU data protection rules are planned for adoption late this year or early next. Yet as things stand an overwhelming majority of cloud providers would foul of one or another of the new measures.
The General Data Protection Regulation, likely to be enforced from 2016 or 2017, replaces the 1995 directive and could introduce fines of up to €100m ($134m), along with rules on notifying breaches, data location and the right to be forgotten.
However, only one cloud provider in 100 would meet all aspects of the new law that affects firms either based in Europe or handling data about EU citizens, according to cloud security company Skyhigh Networks, which compiled figures from its database of more than 7,000 cloud services.
"It's staggering how few cloud providers are prepared for the new EU regulations," EMEA director at Skyhigh Networks Charlie Howe said in a statement. "Fortunately, there's still time for providers to get into shape. This means addressing a number of complex issues now."
Under the proposed regulations, individuals would be able to request the deletion of data about them. But 63 percent of cloud providers maintain data indefinitely or make no provisions for data retention in their terms and conditions.
A further 23 percent of cloud providers explicitly maintain the right to share data with a third party, which would further complicate ensuring the deletion of all copies of personal data, according to the Cupertino, California-based company.
"The right to be forgotten could turn out to be a massive headache for many organisations — cloud service providers themselves and those companies using these services. It's not just an issue for Google," Howe said.
The data residency requirements could also prove an issue for many cloud vendors because only 11 non-European countries satisfy EU privacy requirements. The US is not one of them, yet it is the location for two-thirds of cloud services.
Only 8.9 percent of US-based providers have Safe Harbor Certification, which provides exemption to EU data-protection regulations, Skyhigh Networks said.
The new rules would give organisations 24 hours to inform EU regulatory authorities of a data breach. However, even knowing that a breach had occurred could be problematic if the business in question is using a cloud service.
Furthermore, many cloud providers expressly put the responsibility on the customer to detect breaches and this can be an almost impossible task, Skyhigh Networks said.
Organisations can get round breach notification requirements under some existing legislation if the data is made inaccessible to third parties using encryption.
"Unfortunately, only 1.2 percent of cloud providers today provide the tenant-managed encryption keys required to do so," Howe said.
"Existing European data privacy laws also require that organisations take steps to protect personal information. The challenge is that not all cloud providers offer tools to secure data natively. In fact, only 2.9 percent of cloud services enforce secure passwords."
More on data protection
- Microsoft ordered to hand over overseas email, throwing EU privacy rights in the fire
- House of Lords brands right to be forgotten as 'unworkable and unreasonable'
- 'Big data must operate within data protection law,' says watchdog, 'and here's how'
- Google granting half of 'right to be forgotten' requests
- Google to face-off with data watchdogs over 'right to be forgotten' stance
- VMware opens second UK data centre as part of its hybrid cloud plan
- Google gets 18-month deadline to overhaul data handling in Italy
- You want privacy? Give us the money and the powers so we can do the job, says watchdog