Category Archives: data protection

data protection, European Commission, News & Analysis, Policy and Regulation, Privacy Shield

Privacy Shield rubber stamped amid dissent

dataThe European Commission has formally adopted the controversial ‘Privacy Shield’ framework intended to replace the previous Safe Harbour agreement, reports Telecoms.com.

Both schemes covered the transfer of data between the EU and the US, with the balance between free movement of data and the protection of individuals a tricky one to strike. Privacy Shield has many critics who fear it does little to address the issues faced by Safe Harbour. In spite of that the EC has decided to plough forward as anticipated.

“We have approved the new EU-US Privacy Shield today,” said Andrus Ansip, Commission VP for the Digital Single Market. “It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”

“The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” said Věra Jourová, Commissioner for Justice, Consumers and Gender Equality. “It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data”.

Not everyone in Brussels was convinced, however. “The Commission has today signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights,” said the Green Party MEP Jan Philipp Albrecht. “The ‘Privacy Shield’ framework does not seem to address the concerns outlined by the European Court of Justice in ruling the Safe Harbour decision illegal. In particular the individual rights of consumers are still too weak and blanket surveillance measures are still in place. In this context, the Commission should not be simply accepting reassurances from the US authorities but should be insisting on improvements in the data protection guaranteed to European consumers.

“The European Parliament already underlined concerns about the lack of general data protection provisions in the US when the initial Safe Harbour decision was concluded in 2000. Independent data protection authorities are still lacking in the US. EU justice commissioner Jourova must now make clear that, once the EU’s new General Data Protection Regulation enter into force in 2018, there will also be a need to revise the Privacy Shield decision.”

Elodie Dowling, VP, EMEA General Counsel at BMC Software reckons there’s still plenty of work to do. “Following negotiations between EU and US officials, the formal adoption of Privacy Shield has officially started today in the EU’s 28 member states,” said Dowling. “Starting August 1, it will then be for businesses across the US and the EU to innovate and comply around this in order to create a culture of trust amongst their customers.

 

“However, with the ongoing discussions generated throughout the negotiation period, it’s unlikely that the official adoption of the Privacy Shield closes the loophole completely. For example, it remains unclear the type of ‘assurances’ the US has provided to the EU to ensure mass surveillance does not apply or, if it does, that it happens in a transparent and framed manner for EU citizens. Surely this particular item is going to be carefully considered by data privacy activists.”

data protection, European Commission, News & Analysis, Policy and Regulation, Privacy Shield, Safe Harbour

EU moves forward with Privacy Shield despite EDPS warning

Europe US court of justiceThe European Commission has announced it will continue ahead with the EU-US Privacy Shield despite the European Data Protection Supervisor claiming the pact is not robust enough, reports Telecoms.com.

Since Safe Harbour was struck down by the European Court of Justice last year, the industry has been in limbo as politicians were unable to draft an agreement between the US and EU, which met the criteria for data protection in the European market. In May, European Data Protection Supervisor, Giovanni Buttarelli, outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance, believing the pact would not be strong enough to stand up.

“Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows,” said Vice-President Andrus Ansip and Commissioner Věra Jourová in a joint statement. “This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running. The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.”

Despite the European Commission pushing forward with the draft, there have been a number of individuals and parties within the EU who have criticised the agreement. For some, the EU-US Privacy Shield is simply a reheated Safe Harbour, with very little to address the concerns of the original agreement.

Article 29 Working Group is another influential group has highlighted to the industry the pact has made progress, though it did identify a number of shortcomings when looking at mass surveillance and oversight. The new agreement does encourage organizations to be more considered and conservative when sharing data with US, however critics of the new agreement have claimed there are still too many exceptions where the US and its intelligence agencies can move around the agreement. Despite the concerns, the European Commission has ploughed ahead.

On the other side of the argument, Microsoft has somewhat unsurprisingly confirmed its support of the pact, though it has stated it should go further. In any case, a large vendor expressing its support for an agreement which would enable the organization to do more business in Europe should not be met with astonishment.

“It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” said the announcement. “For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”

“And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms. During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence.”

It would appear the European Commission is moving forward to demonstrate to the industry progress is being made, though could be seen as a flimsy approach. With the concerns expressed by influential and respected bodies within the industry, it should not be seen as a surprise if the agreement is struck down once again by the European Court of Justice.

AI, Artificial Intelliegence, cyber security, data protection, EMC, IoT, News & Analysis

What did we learn from EMC’s data protection report?

a safe place to workEMC has recently released its Global Data Protection Index 2016 where it claims only 2% of the world would be considered ‘leaders’ in protecting their own assets, reports Telecoms.com.

Data has dominated the headlines in recent months as breaches have made customers question how well enterprise organizations can manage and protect data. Combined with transatlantic disagreements in the form of Safe Habour and law agencies access to personal data, the ability to remain secure and credible is now more of a priority for decision makers.

“Our customers are facing a rapidly evolving data protection landscape on a number of fronts, whether it’s to protect modern cloud computing environments or to shield against devastating cyber-attacks,” said David Goulden, CEO of EMC Information Infrastructure. “Our research shows that many businesses are unaware of the potential impact and are failing to plan for them, which is a threat in itself.”

EMC’s report outlined a number of challenges and statistics which claimed the majority of the industry are not in a place they should be with regard to data protection. While only 2% of the industry would be considered leaders in the data protection category, 52% are still evaluating the options available to them. Overall, 13% more businesses suffered data loss in the last twelve months, compared to the same period prior to that.

But what are the over-arching lessons we learned from the report?

Vendors: Less is more

A fair assumption for most people would be the more protection you take on, the more protected you are. This just seems logical. However, the study shows the more vendors you count in your stable, the more data you will leak.

The average data loss instance costs a company 2.36TB of data, which would be considered substantial, however it could be worse. The study showed organizations who used one vendor lost on average 0.83TB per incident, two vendors 2.04TB and three vendors 2.58TB. For those who used four or more vendors, an average of 5.47TB of data was lost per incident.

Common sense would dictate the more layers of security you have, the more secure you will be, however this is only the case if the systems are compatible with each other. It should be highlighted those who lost the larger data sets are likely to be the larger companies, with more data to lose, though the study does seem to suggest there needs to be a more co-ordinated approach to data protection.

And they are expensive…

Using same concept as before, the average cost of lost data was $900,000. For those who have one vendor, the cost was $636,361, for those with two, 789,193 and for those with three vendors the cost was just above the average at 911,030. When companies bring in four or more vendors, the average cost of data loss rises to 1.767 million.

China and Mexico are the best

While it may be surprising, considering many of the latest breakthroughs in the data world have come from Silicon Valley or Israel, China and Mexico are the two countries which would be considered furthest ahead of the trend for data protection.

EMC graded each country on how effective they are were implementing the right technologies and culture to prevent data loss within the organizations themselves. 17 countries featured ahead of the curve including usual suspects of the UK (13.5% ahead of the curve), US (8%), Japan (1%) and South Korea (9%), however China and Mexico led the charge being 20% and 17% respectively ahead.

While it may not be considered that unusual for China to have a strong handle on data within its own boarders, Mexico is a little more surprising (at least to us at Telecoms.com). The country itself has gone through somewhat of a technology revolution in recent years, growing in the last 20 years from a country where only 10% of people had mobile through to 68% this year, 70% of which are smartphones. Mexico is now the 11th largest economy in terms of purchasing power, with the millennials being the largest demographic. With the population becoming more affluent, and no longer constrained by the faults of pre-internet world, the trend should continue. Keep up the good work Mexico.

Human error is still a talking point

When looking at the causes of data loss, the results were widespread, though the causes which cannot be controlled were at the top of the list. Hardware failure, power loss and software failure accounted for 45%, 35% and 34% respectively.

That said the industry does now appear to be taking responsibility for the data itself. The study showed only 10% of the incidents of data loss was blamed on the vendor. A couple of weeks ago we spoke to Intel CTO Raj Samani who highlighted to us the attitude towards security (not just data protection) needs to shift, as there are no means to outsource risk. Minimizing risk is achievable, but irrelevant of what agreements are undertaken with vendors, the risk still remains with you. As fewer people are blaming the vendors, it would appear this responsibility is being realized.

Human error is another area which still remains high on the agenda, as the study showed it accounts for 20% of all instances of data loss. While some of these instances can be blamed on leaving a laptop in the pub or losing a phone on the train, there are examples where simple mistakes in the workplace are to blame. These will not be removed, as numerous day-to-day decisions are based off the back of intuition and gut-feel, and a necessity for certain aspects of the business.

An area which could be seen as a potential danger would be that of artificial intelligence. As AI advances as a concept, the more like humans they will become, and thus more capable of making decisions based in intuition. If this is to be taken as the ambition, surely an intuitive decision making machine would offer a security defect in the same way a human would. Admittedly the risk would be substantially smaller, but on the contrary, the machine would be making X times many more decision than the human.

All-in-all the report raises more questions than provides answers. While security has been pushed to the top of the agenda for numerous organizations, receiving additional investment and attention, it does not appear the same organizations are getting any better at protecting themselves. The fact 13% more organizations have been attacked in the last 12 month suggests it could be getting worse.

To finish, the study asked whether an individual felt their organization was well enough protected. Only 18% believe they are.

5G, data protection, IoT, Networks, News & Analysis, USA

What does Clinton have in store for the tech industry?

Location United States. Red pin on the map.Hillary Clinton has recently released her campaign promises for the technology sector should she be elected as President Obama’s successor in November, reports Telecoms.com.

The technology agenda focused on a vast and varied number of issues within the technology industry, including the digital job-front, universal high-speed internet for the US, data transmission across jurisdictions, technological innovation and the adoption of technology in government. Although the statement does indicate a strong stance on moving technology to the top of the political agenda, there does seem to be an element of ‘buzzword chasing’ to gain support of the country’s tech giant.

“Today’s dynamic and competitive global economy demands an ambitious national commitment to technology, innovation and entrepreneurship,” the statement read. “America led the world in the internet revolution, and, today, technology and the internet are transforming nearly every sector of our economy—from manufacturing and transportation, to energy and healthcare.”

But what did we learn about America’s technology future?

Focus on 5G and new technologies

One of the more prominent buzzwords through the beginning of 2016 has been 5G as it is seemingly the turn-to phrase for the majority of new product launches and marketing campaigns. The Clinton has aligned themselves with the buzz in committing to deploying 5G networks (no timeframe), as well as opening up opportunities for a variety of next gen technologies.

“Widely deployed 5G networks, and new unlicensed and shared spectrum technologies, are essential platforms that will support the Internet of Things, smart factories, driverless cars, and much more—developments with enormous potential to create jobs and improve people’s lives,” the statement said.

The deployment of 5G has been split into two separate areas. Firstly, the use of the spectrum will be reviewed with the intention of identifying underutilized bands, including those reserved for the government, and reallocating to improve the speed of deployment. Secondly, government research grants will be awarded to various vendors to advance wireless and data technologies which are directed towards social priorities including healthcare, the environment, public safety and social welfare.

A recent report highlighted from Ovum highlighted the US is on the right track for the deployment of 5G, as the team believe it will be one of the leading countries for the technology. Ovum analysts predict there will be at least 24 million 5G subscribers by the end of 2021, of which 40% will be located in North America.

Europe US court of justiceData Transmission between US and EU

From a data transmission perspective, the Clinton team are seemingly taking offence to the European Court of Justice’s decision to strike down Safe Harbour, and the varied reception for the EU-US Privacy Shield. It would appear the Clinton team is under the assumption the deal between the EU and US was struck down for economic reasons, as opposed to data protection.

“The power of the internet is in part its global nature. Yet increasing numbers of countries have closed off their digital borders or are insisting on “data localization” to attempt to maintain control or unfairly advantage their own companies,” the statement said. “When Hillary was Secretary of State, the United States led the world in safeguarding the free flow of information including through the adoption by the OECD countries of the first Internet Policymaking Principles.

“Hillary supports efforts such as the U.S.-EU Privacy Shield to find alignment in national data privacy laws and protect data movement across borders. And she will promote the free flow of information in international fora.”

While it is could be considered encouraging that the mission of the Clinton team is to open up the channels between the two regions again, it does seem to have missed the point of why the agreement was shot down in the first place. The statement seemingly implies EU countries refused the agreement on the ground of promoting the interests of EU countries in the EU, as opposed to privacy concerns and the US attitude to government agencies access to personal information.

Safe Harbour, the initial transatlantic agreement, was shot down last October, though its proposed successor has come under similar criticism. Only last month, the European Data Protection Supervisor, Giovanni Buttarelli, outlined concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.

“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court,” said Buttarelli. “Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”

The Clinton team can continue to discuss changes to the transatlantic data transmission policy should they choose, however it is highly unlikely any positive moves are to be made until it gets to grips with the basic concerns of EU policy makers.

Navigating big dataAccess to Government data

Currently there are certain offices and data sets which are accessible to the general public, though this is an area which will be expanded under a Clinton regime. The concept is a sound one; giving entrepreneurs and businesses access to the data could provide insight to how money could be saved, used more efficiently or even new technologies implemented to improve the effectiveness of the government, though there could be a downside.

“The Obama Administration broke new ground in making open and machine-readable the default for new government information, launching Data.gov and charging each agency with maintaining data as a valuable asset,” the statement said. “Hillary will continue and accelerate the Administration’s open data initiatives, including in areas such as health care, education, and criminal justice.”

The downside has the potential to ruin any politician. The program is opening the door for criticism from all sides, and will offer ammunition to any opposition.

Connecting American Citizens

One of the most focused points of the document was around the country’s commitment to ensuring each household and business has the opportunity to be connected to high-speed broadband. While this could be considered an effective sound-bite for the party, it is not a new idea by any means. A recent report highlighted there is currently a surprising number of Americans who do not currently have access to broadband. Although it may be expected those in the rural communities would struggle at times, the report indicated 27% and 25% of New York and Los Angeles respectively would be classed in the “Urban Broadband Unconnected” category, which could be considered more unusual.

Connect America Fund, Rural Utilities Service Program and Broadband Technology Opportunities Program are all well-established operations (Rural Utilities Service Program has been around since 1935) which had been drums for previous presidents to bang also. Clinton has said very little new here or has made little commitment to the initiatives.

The team have however committed to a $25 billion Infrastructure Bank which will enable local authorities to apply for grants to make improvements. This is a new concept which Clinton plans to introduce though the details on how it will be funded, what the criteria for application will be or whether there are any stipulations on which vendors the money can be spend with, are not detailed.

data protection, data residency, News & Analysis, Policy and Regulation

UK citizens trust EU countries with data more than the UK

EuropeWith the countdown to Brexit vote in its final days, research from Blue Coat has highlighted British respondents would be more trusting if their data was stored in the EU country as opposed to the UK.

Although only marginal, 40% of respondents believe the EU is a safer bet for storage of data, whereas only 38% elected the UK. Germany was perceived as the most trustworthy state, though this could be seen as unsurprising as the country is generally viewed as having the most stringent data protection laws. France ranked in second place, whereas the UK sat in third.

While the true impact of Brexit will only be known following the vote, the role of the UK in the technology world could be impacted by the decision. The research showed a notable favouritism to store data in countries which are part of the EU and under the influence of the European Commission’s General Data Protection Regulation. When looking across the Atlantic to the US, within the UK has more trust than the rest of Europe, though it could still be considered very low. In the UK, 13% said they would trust the US with their data, whereas this number drops down to 3% where France and Germany are concerned.

“The EU regulatory landscape is set to radically change with the introduction of the GDPR legislation and this research highlights the level of distrust in countries outside the EU,” Robert Arandjelovic, Director of Product Marketing EMEA, Blue Coat Systems. “Respondents prefer to keep their data within the EU, supporting new European data protection legislation.

“More concerning is the fact that almost half of respondents would trust any country to store their data, indicating too many employees simply doesn’t pay enough attention to where their work data is held. This presents a risk to enterprises, even if their employees treat where it is being hosted with little interest.”

While the impact of the Brexit vote is entirely theoretical at the moment, leaving the union could spell difficult times for the UK as EU countries favour those which are in the EU. What is apparent from the statistics is the US still has substantial work to do to counter the ill effects of the Safe Harbour agreement, which was struck down last October. The survey indicates the replacement policy, the EU-US Privacy Shield, has not met the requirements of EU citizens as trust in the US is still low.

data protection, EU, News & Analysis, Policy and Regulation, regulation

75% of apps not compliant under EU data protection rules

Research from Netskope has claimed more than 75% of business apps lack key capabilities to ensure compliance under EU General Data Protection Regulation.

The company tracked 22,000 apps of which three quarters failed to meet minimum requirements of the EU, falling down in areas such as deleting personal data in a timely manner or violating data portability requirements.

The companies who have not met the required standards now have just under two years to ensure compliance, when GDPR comes into play in 2018. Failure to meet the criteria will see a company fined up to $22 million or up to four percent of annual worldwide revenue, whichever is greater.

“The shift to the cloud presents an increasing complexity and volume of security challenges for enterprises, including regulations like the EU GDPR,” said Sanjay Beri, CEO of Netskope. “With the deadline for compliance looming, complete visibility into and real-time control over app usage and activity in a centralised, consistent way that works across all apps is paramount for organisations to understand how they use and protect their customers’ personal data.”

The number of sanctioned apps containing malware increased from 4.1% to 11% in the period between reports. More of a quarter of the instances of malware was detected in files that had been shared with others within the organization. In terms of cloud data loss prevention, cloud storage applications accounted for 73.6%, with Webmail coming in at second with 22.1%.

Data Encryption, data protection, News & Analysis, Policy and Regulation, regulation, surveillance, UK Legislation

UK Government passes spy bill with strong majority

Lady Justice On The Old Bailey, LondonThe House of Commons has voted in favour of the Investigatory Powers Bill which gives UK intelligence agencies greater power to examine browsing histories and hack phones, reports Telecoms.com.

The bill, which now passes through to the House of Lords, has been under scrutiny since last year, with the latest version being reviewed since March. The original version of the bill, known as the ‘Snooper’s Charter’ by critics, came up against strong opposition from a host of technology companies who have registered privacy concerns. The bill itself will require technology companies to collect and store data on customers, while also allowing intelligence agencies to remotely access smartphones and other devices.

“The Bill provides a clear and transparent basis for powers already in use by the security and intelligence services, but there need to be further safeguards,” said, Harriet Harman, MP for Camberwell and Peckham and Chair of the Joint Committee on Human Rights. “Protection for MP communications from unjustified interference is vital, as it is for confidential communications between lawyers and clients, and for journalists’ sources, the Bill must provide tougher safeguards to ensure that the Government cannot abuse its powers to undermine Parliament’s ability to hold the Government to account.”

Although proposed by the Conservative party, the bill was strongly supported by the Labour party as well as the majority of the commons, with opposition primarily coming from the Scottish National Party. Despite privacy and civil rights concerns from the SNP, the bill passed with a vote of 444 to 69. The vote in the House of Lords is expected to take place in the next couple of months with the bill being passed to law in January 2017.

The bill was deemed as a high priority for intelligence agencies within the UK, it has been under scrutiny from the Joint Committee on Human Rights, after concerns it could potentially violate privacy and civil rights. As part of the review, extended protection will also granted to lawyers and journalists.

“The Joint Committee heard from 59 witnesses in 22 public panels,” said Victoria Atkins, MP for Louth and Horncastle, speaking on behalf of the Joint Committee on Human Rights and the Bill Committee. “We received 148 written submissions, amounting to 1,500 pages of evidence. We visited the Metropolitan police and GCHQ, and we made 87 recommendations, more than two thirds of which have been accepted by the Home Office.”

One of the initial concerns was a permanently open backdoor which could be accessed by intelligence agencies without oversight, which has seemingly been addressed. Intelligence agencies will have to request access, which will be granted should it not be too complicated or expensive. What the definition of complicated or expensive has not been given, however it does appear to end concerns of a government ‘all-access-pass’. Whether this is enough of a concession for the technology companies remains to be seen.

Box, data protection, data residency, News & Analysis, Public Cloud

Box sets target on US government and Europe following 37% growth in Q1

Box co-founder and chief executive Aaron Levie briefing journalists and analysts in London this week

CEO Aaron Levie briefing journalists and analysts in London 

Box has reported healthy growth over the last quarter, increasing revenues 37% to $90.2 million, which the company has attributed to a more diversified portfolio. Public sector organizations and the European market are now in the crosshairs for future growth.

The US government is an area which has seemingly been prioritized by CEO Aaron Levie and the Box team moving forward, following the announcement Box for Government achieved FedRAMP certification from the Department of Defence. As the Department of Defence claims it has some of the highest degree of scrutiny around cloud platforms and technology, the team believe the certification will create a ripple effect throughout the US.

As a number of state and local government agencies lean on federal standards for guidance on what cloud technologies to adopt, the certification could lead to positive strides for the company. Levie highlighted the certification, as well as the partnership with IBM, has created a healthy sales pipeline for the team over recent months in the public sector segment.

The company added more than 5,000 customers to its ranks over the period, taking the total number to more than 62,000 businesses. Box now has 46 million users worldwide, of which 13% are now paying. Levie also highlighted work on its customer services processes has paid off over the quarter as customer churn rate is now below 3%.

“In Q1 we achieved record revenue of $90 million, up 37% year over year,” said Levie. “We also continue to gain operational efficiency and demonstrate leverage in our business model as we move towards our commitment to achieve positive free cash flow in the fourth quarter and in January 2017. Looking ahead underlying demand for Box remains very strong and our competitive position in the market has never been better. “

We created record sales pipeline in the quarter with several seven figure deals in the mix. This has been driven by the growing demand for a modern approach to enterprise content management, our differentiated product offerings and our maturing partnerships that are becoming an integral part of our go to market strategy.”

Box’s expansion strategy over recent months has been built upon the diversification of its product portfolio, but also its partner ecosystem. Firstly from a product perspective, the team launches Box Zones which enables organizations to dictate where data is stored around the world. This offering was brought about through the partnership with IBM.

Data residency is proving to be a sensitive area in recent months due to the confusion over data residency concerns following the decision of the Court of Justice of the European Union to strike down the Safe Harbour agreement, and the subsequent criticism its successor, EU-US Privacy Shield, has received. The Box Zones offering would appear to be the company’s means of negating the impact of data residency by removing the concern of transatlantic data transmission. The team claim the offering has not only gained traction with new customers, but also created a number of upselling opportunities for companies who have operations in regions where data protection rules are more stringent than the US.

Aside from Box Zones, the team has also launched a number of new offerings including its Governance product, KeySafe and the aforementioned Box for Government offering. Aside from creating new opportunities in the US, the product diversification has also been credited with growth in new regions, which is a key pillar for the Box expansion plans.

From a partner ecosystem perspective, the quarter saw a number of new announcements as well as positive wins out of longer standing relationships. Box announced a new partnership with Adobe in April, aiming to simplify working with digital documents in the cloud, though Levie was particularly focused on the relationship with Microsoft, which has yielded positive results throughout the quarter.

“And nowhere is our ecosystem strategy more relevant than our partnership with Microsoft which continues to yield significant dividends,” said Levie. “For the first time ever customers can now collaboratively edit their Office documents that are stored in Box or edit them on their iPad or iPhone. Adoption of Office 365 continues to be a key driver for new customers to invest in Box as well as allow existing customers to expand their usage of Box.”

Partnerships currently influence around 20% of Box’s revenues which aside from Microsoft also includes AT&T and IBM. The partnership with IBM has been particularly successful in the company’s drive towards Europe, where the option to store data in Big Blue’s German and Irish data centres is attractive, according to Levie.

Cloud computing, data protection, data residency, EU-US Privacy Shield, European Commissio, News & Analysis, Policy and Regulation, Safe Harbour

EU-US privacy debate continues as EDPS says try again

EuropeOn-going efforts to provide clarity and guidance on transatlantic data transmission are unlikely to be seen soon as the European Data Protection Supervisor (EDPS) has outlined concerns over the robustness of the Safe Harbour successor, EU-US Privacy Shield.

European Data Protection Supervisor, Giovanni Buttarelli, outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.

“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court,” said Buttarelli. “Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”

This is in fact the second time in a matter of months an official body has expressed concerns over the EU-US Privacy Shield, as the Article 29 Working Group voiced its concerns over the mass surveillance and oversight shortcomings that it believes are found in the pact. Back in April, WP29 commented Privacy Shield had made progress but still hadn’t covered the cracks which had Safe Harbour kicked out last year.

“The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU,” said the WP29 group in its official opinion at the time.

The new Privacy Shield agreement does in fact encourage European businesses and organizations to be more considered and conservative when sharing data with US entities, however critics of the new agreement have highlighted there are still too many exceptions where the US and its intelligence agencies can move around the agreement.

While the opinion of the WP29 is respected throughout the industry, it was not a concrete sign that anything within the Privacy agreement will change. This is the same for the EDPS. There are no guarantees the agreement will be changed following Buttarelli making his opinion public, though it may be a good indicator as to what need to be done to ensure the pact stands up to scrutiny under the spotlight from the European Court of Justice. This is certainly the case for David Mount, Director of Security Solutions at Micro Focus.

“Buttarelli talks of a need for significant improvements before the agreement can be viable, which raises a key point around the self-certification aspects of Safe Harbour as it once was,” said Mount. “In the past, businesses could self-certify as compliant with Safe Harbour by simply ticking a box. But this does not create a transparent and trusting climate – in fact it does the very opposite, as is the case in any self-regulated environment.

Twitter comments“Any new agreement must be more robust, as per Buttarelli’s comments, and addressing the key issue of self-certification would be a significant step. It will be interesting to see how the EU Commission responds to the EDPS and how negotiations will continue to address the varying issues of self-certification and trust.”

Support for the agreement has been mixed as some European corners have voiced concerns, and some US opinions have been relatively positive, though this may be considered unsurprising. MEP Jan Philipp Albrecht and Edward Snowden were two who demonstrated a critical stance (see accompanying picture), while Microsoft become one of the first major US tech companies to confirm its support of the EU-US Privacy Shield.

Back in April, John Frank, Vice President EU Government Affairs at Microsoft said “we recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved.”

Although Microsoft has demonstrated a desire to bring the issue to an end, it has also found itself on the wrong side of data requests from the US government, proving it’s no push over. The company has been involved in a drawn out lawsuit, as Microsoft has refused the US government access to data which is has stored in its Dublin data centre, telling the government it “must respect the sovereignty of other countries”.

The company has also filed a lawsuit against the US government and its associated agencies, arguing the right that customers should have the right to know when the state accesses their emails or records, as well as creating the Data Trustee model. The Data Trustee model is seemingly an effort to rebuild trust in the US business, as it hands control of its data over to a European company, in this case Deutsche Telekom, who have to give consent for a Microsoft employee to access the data.

“Businesses have already started looking to alternatives for legitimate data transfers out of the EU in case the Privacy Shield option, once formally adopted, should be taken away,” said Deema Freij, Global Privacy Officer at Intralinks. “For example, Binding Corporate Rules and EU Model Clauses are still seen as strong alternatives. Businesses have been switching to EU Model Clauses to transfer personal data to the US, which they can continue to do on an ongoing basis.

“The responsibility for businesses is only going to increase when the General Data Protection Regulation (GDPR) comes into full effect in May 2018. The next two years will be a huge test for organisations across the world as they begin to realise that data sharing practices will continue to fall under close scrutiny as the concept of data privacy evolves further.”

The EU-US Privacy Shield has made progress in addressing the concerns voiced by European citizens, companies and legislative bodies in recent months, though it is unlikely to be the final answer. In three months, two separate, independent and widely respected opinions have highlighted the short-comings of the agreement, which doesn’t inspire a huge level of confidence. How the Privacy Shield creators react to the opinion is yet to be seen, though it could be one of the deciding factors on how long the transatlantic data transmission argument continues.

data protection, Data Trustee, Deutsche Telekom, Enterprise IT, enterprise mobility, News & Analysis

DT keeps data out of US reach with new mobility platform

UnternehmerinA Deutsche Telekom subsidiary has announced a new cloud-based Enterprise Mobility Management offering called Hosted MDM Basic, which has been built on MobileIron’s Cloud platform.

The offering will be hosted in Deutsche Telekom data centres located in Germany, using MobileIron’s platform, will create a Data Trustee proposition, which complies with German data protection rules, generally considered to be the strictest throughout the EU. The Data Trustee model was coined during the Microsoft’s dispute with the US government over access of data held by the company in its Dublin data centre.

Deutsche Telekom acted as a ‘trustee’ of the data, meaning employees could not access the data without consent from the Telco. The arrangement aims to put the data of Microsoft’s European customers outside the reach of the US government and its intelligence agencies.

The on-going discussion surrounding data transmission, access and residency has been a challenging area, following the European Court of Justice’s decision to dismiss the Safe Harbour agreement. The subsequent proposition, US-EU Privacy Shield, has also been dismissed by a number of individuals throughout the EU, as it apparently still does not offer the required levels of security and assurance. The Data Trustee model is seemingly a means for companies taking data protection into their own hands, as they do not appear to be willing to wait for assurances from the US.

“Mobile technology gives us the ability to get data and act on it more quickly so organizations that are serious about using mobile technologies can dramatically increase their velocity,” said Barry Mainz, CEO at MobileIron. “Our integration with Telekom Deutschland combines MobileIron’s industry-leading mobile security platform with Telekom Deutschland’s data trustee capabilities.”

The company claims the offering provides simplified security and control of Android, iOS and Windows devices, but also manages mobile apps, content, and devices, automatically enforce policies, and retire mobile devices when they are lost or when an employee leaves the company.