Category Archives: European Commission

Europe looks to set new rules for OTT in September

The European Commission is set to release new rules in September, which will aim to tighten up how OTTs such as WhatsApp and Skype are regulated in the European markets, according to the Financial Times.

How over-the-top players are regulated has been a point of contention within the European markets in recent years, as it currently falls into a grey area. Although telcos are under guidance from the European Commission regarding SMS and traditional voice calling, these rules do not directly address the services offered by the OTTs, such as Facebook’s WhatsApp, which has been stealing business off the telcos. According to the FT, this grey area will be addressed in September, when the commission will release new rules focusing on how OTTs comply with security requests from the state, and also how customer data can be monetized.

According to the reports, the commission will make an initial announcement in September, before providing more clarity in a separate review of the EU’s “ePrivacy” law later in the year. This is one of a number of moves across the industry to redefine regulation in light of how quickly technology has advanced over the last few years. French authorities, for example, will decide in September whether Google, Viber and Skype should be registered as telecoms providers, a move which has the potential for widespread ripples.

The reports will come as good news to various players in the telco industry, who have not been happy with the light-touch regulation which is in place for the OTTs. Back in 2014, Spanish giant Telefónica complained there wasn’t a level playing field, as the OTTs do not have to comply with the EU’s regulation on issues such as user rights, antitrust, security, net neutrality or Significant Market Power (SMP) obligations. The complaint, which is largely a fair one, was built on the idea that if OTTs offer similar, or almost identical, services, they should be held accountable to the same rules.

These complaints were furthered last year, as a group of European operators, including Orange, Deutsche Telekom, Telefónica and KPN, wrote to the President of the European Commission urging changes to the regulatory landscape to enable the telcos to better compete with the new waves of OTTs. While the telcos have been held accountable to strict regulation in recent years to ensure competition and a fair deal to the consumer, the growth in popularity of OTTs has made for a tough time for the industry.

Only recently Ofcom released its Communications Market Report 2016, which added weight to the claims that OTTs are becoming increasingly popular across various demographics. The report claims the number of people who are now using instant messaging services such as WhatsApp is up from 28% to 43% in the UK. This surge in popularity has seemingly come at the expense of more traditional means of communication, such as SMS and email, which demonstrated a decline of eight and seven percentage points respectively. These stats highlight that the growth of the OTTs is likely to continue, as is the plight of the operators.

While it has not been confirmed whether the regulations will be changed in the near future, a problem which could be faced by the European Commission may focus around investments in network infrastructure. Over recent months there have been a number of mergers which have been rejected by the European Commission, most notably O2 and Three in the UK, with the reasoning relating to competition.

Should the level of competition drop in any markets, the need for telcos to continue investment in their own infrastructures to remain competitive would also drop. This is a concern of the European Commission, though the growth of OTTs could inadvertently have the same impact. OTTs are certainly providing cheaper services to the consumer, though the result is a decrease in revenues for the telcos, which could impact the investments which are made elsewhere within an operator’s business.

The report from the FT remains officially unconfirmed for the moment, though it should not be seen as a surprise should it be true. The issue over OTT regulation has been bubbling away for some time, and considering the telecommunications industry is one of the heavier hitters in terms of lobbying, pressure would likely have been exerted on the commission for some time.

Although the European Commission would not confirm the rumours, it did offer us a statement:

“The Commission is indeed working on an update of EU telecoms rules under its Digital Single Market strategy. The upcoming reform of the EU telecoms framework should incentivise and leverage more private investment in next generation networks, provide regulatory predictability and the right conditions for all operators to invest,” said Nathalie Vandystadt, Spokesperson for the Digital Single Market at the European Commission.

“The Commission has been looking into the growing importance of online players that provide similar or equivalent services to traditional communication services. The Commission is looking into to what extent people can consider OTT services like WhatsApp and Skype to be functional substitutes for services provided by traditional telecoms operators, and is considering whether scope of the current EU rules needs to be adapted, to ensure adequate levels of consumer protection and ensure that regulation does not distort competition. This does not necessarily mean treating all communications services the same for all purposes. We will present our reform of the EU telecoms framework in September.”

Privacy Shield rubber stamped amid dissent

The European Commission has formally adopted the controversial ‘Privacy Shield’ framework intended to replace the previous Safe Harbour agreement, reports Telecoms.com.

Both schemes covered the transfer of data between the EU and the US, with the balance between free movement of data and the protection of individuals a tricky one to strike. Privacy Shield has many critics who fear it does little to address the issues faced by Safe Harbour. In spite of that the EC has decided to plough forward as anticipated.

“We have approved the new EU-US Privacy Shield today,” said Andrus Ansip, Commission VP for the Digital Single Market. “It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”

“The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” said Věra Jourová, Commissioner for Justice, Consumers and Gender Equality. “It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data”.

Not everyone in Brussels was convinced, however. “The Commission has today signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights,” said the Green Party MEP Jan Philipp Albrecht. “The ‘Privacy Shield’ framework does not seem to address the concerns outlined by the European Court of Justice in ruling the Safe Harbour decision illegal. In particular the individual rights of consumers are still too weak and blanket surveillance measures are still in place. In this context, the Commission should not be simply accepting reassurances from the US authorities but should be insisting on improvements in the data protection guaranteed to European consumers.

“The European Parliament already underlined concerns about the lack of general data protection provisions in the US when the initial Safe Harbour decision was concluded in 2000. Independent data protection authorities are still lacking in the US. EU justice commissioner Jourova must now make clear that, once the EU’s new General Data Protection Regulation enters into force in 2018, there will also be a need to revise the Privacy Shield decision.”

Elodie Dowling, VP, EMEA General Counsel at BMC Software reckons there’s still plenty of work to do. “Following negotiations between EU and US officials, the formal adoption of Privacy Shield has officially started today in the EU’s 28 member states,” said Dowling. “Starting August 1, it will then be for businesses across the US and the EU to innovate and comply around this in order to create a culture of trust amongst their customers.

“However, with the ongoing discussions generated throughout the negotiation period, it’s unlikely that the official adoption of the Privacy Shield closes the loophole completely. For example, it remains unclear the type of ‘assurances’ the US has provided to the EU to ensure mass surveillance does not apply or, if it does, that it happens in a transparent and framed manner for EU citizens. Surely this particular item is going to be carefully considered by data privacy activists.”

EU moves forward with Privacy Shield despite EDPS warning

The European Commission has announced it will continue ahead with the EU-US Privacy Shield despite the European Data Protection Supervisor claiming the pact is not robust enough, reports Telecoms.com.

Since Safe Harbour was struck down by the European Court of Justice last year, the industry has been in limbo as politicians were unable to draft an agreement between the US and EU, which met the criteria for data protection in the European market. In May, European Data Protection Supervisor, Giovanni Buttarelli, outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance, believing the pact would not be strong enough to stand up.

“Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows,” said Vice-President Andrus Ansip and Commissioner Věra Jourová in a joint statement. “This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running. The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.”

Despite the European Commission pushing forward with the draft, there have been a number of individuals and parties within the EU who have criticised the agreement. For some, the EU-US Privacy Shield is simply a reheated Safe Harbour, with very little to address the concerns of the original agreement.

The Article 29 Working Group, another influential group, has highlighted to the industry that the pact has made progress, though it did identify a number of shortcomings when looking at mass surveillance and oversight. The new agreement does encourage organizations to be more considered and conservative when sharing data with the US; however, critics of the new agreement have claimed there are still too many exceptions where the US and its intelligence agencies can move around the agreement. Despite the concerns, the European Commission has ploughed ahead.

On the other side of the argument, Microsoft has somewhat unsurprisingly confirmed its support of the pact, though it has stated it should go further. In any case, a large vendor expressing its support for an agreement which would enable the organization to do more business in Europe should not be met with astonishment.

“It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” said the announcement. “For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”

“And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms. During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence.”

It would appear the European Commission is moving forward to demonstrate to the industry that progress is being made, though this could be seen as a flimsy approach. With the concerns expressed by influential and respected bodies within the industry, it should not be seen as a surprise if the agreement is struck down once again by the European Court of Justice.

Let the countdown to GDPR begin

The road to data protection has been a long and confusing one. Despite being one of the biggest concerns of consumers and corporates throughout the world, progress has hardly been moving at breakneck speed, but as of today (May 25th), companies now have exactly two years to ensure they are compliant with the EU’s General Data Protection Regulation.

The general objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Data protection is a complicated business throughout the EU, mainly due to slight differences from country to country, and then again, with overarching EU regulations, or directives which haven’t even made it to regulation.

Conversations surrounding the new regulations have been ongoing since 2012, though companies now have until 25th May 2018 to ensure they are fully compliant. This would seem an adequate amount of time; however, a recent YouGov and Netskope survey highlighted only one in five are confident they will be compliant in this time period. For Eduard Meelhuysen, VP at Netskope, decision makers need to take a step back to get a better understanding of the current state of their data, before concentrating on any company app.

“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now,” said Meelhuysen. “As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation.

“The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.”

“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of €20 million or 4% of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”

One area which has been given attention within the GDPR is that of data residency. New regulations will require that organizations do not store data in, or transfer data through, countries outside the European Economic Area that do not have equivalently strong data protection standards. The list of countries that meet these standards is short, 11, with a notable absentee, the United States of America, which could pose problems for numerous organizations.

While this may be considered one of the headline areas for the GDPR and one which will likely be heavily scrutinized, for Dave Allen, General Counsel at Dyn, concentrating too much on this area could lull companies into a false sense of security.

“As the EU GDPR comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data,” said Allen. “While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.

“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.

“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”

Overall, the GDPR will ensure companies take a greater level of responsibility to safeguard the personal data they hold from attacks. Recent months have seen a number of highly publicised attacks significantly impact the reputation of well-known and respected brands, making consumers nervous about which of their personal information is being held. Previously, attacks on such organizations would not have been thought possible; surely they have the budgets to ensure these breaches wouldn’t happen?

Another headline proposition from the GDPR is the consumer’s right to access data which is stored on them, and also the right to have this data ‘forgotten’. For Jon Geater, CTO at Thales e-Security, this will create numerous challenges and changes to the way in which data is stored and accessed.

“The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility,” said Geater. “If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible for its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

“In addition, organisations will now have to provide citizens with online access to any of their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’.

“This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”

What is clear is there will be complications. This shouldn’t be considered a massive surprise as any new regulations are fraught with complications on how to remain or become compliant, but the European Commission isn’t messing around this time. With fines of €20 million or 4% of global turnover (whichever is greater), the stick is a hefty one, and the carrot is yet to be seen.

New EU data regulations receive warm reception from industry

The European Union finally rubber-stamped a refresh of the General Data Protection Regulations (GDPR) that offers greater protection for individuals but at the cost of a greater burden on businesses, reports Telecoms.com.

In customary EU fashion this is the culmination of four years of to-ing and fro-ing since the refresh was first proposed. Even the final sign-off took four months to complete, with the text having been agreed last December. Furthermore the new regulations won’t come into law until May 2018, giving all businesses who keep data on European citizens, which must include pretty much every multinational, two years to comply.

“The new rules will give users back the right to decide on their own private data,” said Green MEP Jan Philipp Albrecht, who led the drafting process. “Businesses that have accessed users’ data for a specific purpose would generally not be allowed to collect the data without the user being asked. Users will have to give clear consent for their data to be used. Crucially, firms contravening these rules will face fines of up to 4% of worldwide annual turnover, which could imply € billions for the major global online corporations.

“The new rules will give businesses legal certainty by creating one unified data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market. Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.”

Industry reaction has been broadly positive, but with caveats mainly concerning how easy it will be to comply and some concern about the high ceiling for potential fines. Compounding this is a requirement for companies to disclose data breaches within 72 hours of them happening, which is a pretty small window.

“This will be a technical challenge for those businesses unaccustomed to such stringent measures,” said David Mount of MicroFocus. “They will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers.

“While this may seem like a positive step towards improved data protection, the US example shows that in reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored. The effect is that sometimes consumers can’t see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure.”

“It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness,” said John Giusti, Chief Regulatory Officer of the GSMA. “Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.

“All eyes are now on the review of the e-Privacy Directive. The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish. To this end, the GSMA calls on legislators to address the inconsistencies between the existing e-Privacy Directive 2002/58/EC and the GDPR.”

The e-Privacy Directive covers things like tracking and cookies and seems to focus specifically on telecoms companies in the way they process personal data. So for the telecoms sector specifically this refresh could be even more important than the GDPR. The European Commission initiated a consultation on ePrivacy earlier this week and will conclude it on 5 July this year.

William Long, a partner at Sidley Austin, warned that individual countries may view the new GDPR differently. “There are still a number of issues where some member states have fought successfully to implement their own national law requirements, for instance in the area of health data, and this will no doubt lead to certain complexities and inconsistencies,” he said.

“However, organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the Regulations. The penalties for non-compliance are significant – at up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater. Importantly, companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance.”

“Our own research shows that globally, 52% of the information organisations are storing and hoarding is completely unknown – even to them, we call this ‘Dark Data’,” said David Mosely of Veritas. “Furthermore, 40% of stored data hasn’t even been looked at in more than three years. How can companies know they’re compliant if they don’t even know what they’re storing? This is why GDPR represents such a potentially massive task, and businesses need to start tackling it now.”

“In order for data to remain secure, there are three core components that are now vital for EU businesses,” said Nikki Parker of Covata. “Firstly, encryption is no longer an optional extra. It provides the last line of defence against would-be snoopers and companies must encrypt all personally identifiable information (PII).

“The second component is identity. True data control involves knowing exactly who has access to it and this can be achieved through encryption key management. Enabling businesses to see who has requested and used which keys ensures a comprehensive audit trail, a requirement of the new regulation.

“Finally, businesses must set internal policies that specifically outline how data can be used, for example, whether data is allowed to leave the EU or whether it can be downloaded. Applying policies to each piece of data means access can be revoked at any moment if the company feels it is in violation of the ruling.”

All this is happening in parallel with the overhaul of the rules governing data transfer between Europe and the US, known as the Privacy Shield. By the time the GDPR comes into force pretty much all companies are going to have to tread a lot more carefully in the way they handle their customers’ data and it will be interesting to see how the first major transgression is handled.

US revealed to have 46% of all data centres despite EU concerns

New findings from Synergy Research Group show that 46% of major cloud and internet data centre sites are located in the US, with second placed China only accounting for 7%.

The research is based on an analysis of the data centre footprint of 17 of the world’s major cloud and internet service firms and highlights the dominance of the US in the cloud market place. Japan is listed at third with a 6% market share and Germany was the largest European player with just 4%.

“Given that explosive growth in cloud usage is a global phenomenon, it is remarkable that the US still accounts for almost half of the world’s major data centres, but that is a reflection of the US dominance of cloud and internet technologies,” said John Dinsdale, Research Director at Synergy Research Group.

Considering the dominance of AWS, Microsoft and Google in the cloud market space, it’s unsurprising that the US is top of the rankings, though recent concerns from European countries regarding movement of its citizens’ data outside of the EU could complicate matters. Germany is one country which is sensitive to any changes in data protection policy and is considered to have some of the most stringent data protection laws worldwide.

“The other leading countries are there due to either their scale or the unique characteristics of their local markets. Perhaps the biggest surprise is that the UK does not feature more prominently, but that situation will change this year with AWS, Microsoft and Google all opening major data centres in the country,” said Dinsdale.

Back in October, the European Court of Justice decided that Safe Harbour did not give data transfers between Europe and the US adequate protection, and declared the agreement, which had been in place since 2000, void. The EU-US Privacy Shield, Safe Harbour’s successor, has also come under criticism in recent weeks as concerns have been raised as to how much protection the reformed regulations offer European parties.

While the new agreement has been initially accepted, privacy activist Max Schrems, who has been linked to the initial downfall of Safe Harbour, said in a statement reacting to Privacy Shield, “Basically, the US openly confirms that it violates EU fundamental rights in at least six cases. The commission claims that there is no ‘bulk surveillance’ any more, when its own documents say the exact opposite.” A letter from Robert Litt, General Counsel of the Office of the Director of National Intelligence, confirmed that there were six circumstances where the NSA will be allowed to use data for undefined “counter-terrorism” purposes.

While the concentration of data centres in the US should not come as a huge surprise, it puts into further context the fears of European parties who are concerned with the effectiveness of any EU-US data protection policies.

Privacy Shield data agreement dismissed as ‘reheated Safe Harbour’

The new framework for transatlantic data flows proposed by legislators for the European Commission has had a mixed reaction from the cloud industry.

The EU-US Privacy Shield agreement over data transfer replaces the 15-year arrangement that was voided by the Court of Justice of the European Union in October. The new arrangement has to meet official approval from all 28 member states of the European Union. If it does, both sides will finalise the details of the new pact in the next fortnight and the agreement could come into effect in April.

The foundation of the agreement is that American intelligence agencies will no longer have indiscriminate access to Europeans’ data when it is stored in the US. EC Commissioner Vera Jourová claimed that Europeans can now be sure their personal data is fully protected and that the EC will closely monitor the new arrangement to make sure it keeps delivering.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said Jourová, who promised that EU citizens will benefit from redress if violations occur. “The US has assured that it does not conduct mass or indiscriminate surveillance of Europeans,” said Jourová.

Whether the decision really will build a Digital Single Market in the EU, a trusted environment and closer partnership with the US remains a moot point among cloud industry experts.

Approval of the arrangement cannot be taken for granted, according to a speaker for The Greens and the European Free Alliance. “This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbour decision. The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision,” said Green home affairs and data protection spokesperson Jan Philipp Albrecht. The proposal creates no legally binding improvements and the authorities must make clear that this ‘legally dubious declaration’ will not stand, said Albrecht.

The EU/US data sharing deal won’t stop surveillance, according to former White House security advisor French Caldwell. As a Gartner research VP, Caldwell once advised on national and cyber security and led the first ever cyber wargame, Digital Pearl Harbor. As the new chief evangelist at software vendor MetricStream, Caldwell said there were many flaws in the logic of the agreement.

“The legal definitions of personal data are so antiquated that, even if that data covered under privacy law is protected, there is still so much data around people’s movements and online activities that an entire behavioural profile can be built without accessing that which is considered legally protected,” said Caldwell.

Privacy protections have evolved significantly in the US, Caldwell said, and US authorities are much more aggressive than EU authorities in penalising companies that don’t follow privacy policies. “It is hard to discount nationalism and trade protectionism as underlying motivations [for European legislation],” said Caldwell.

It should alarm cloud customers to see how little has been done to give assurance of their privacy, said Richard Davies, CEO of UK-based ElasticHosts. “This gives little assurance to EU customers trusting a US provider with hosting their websites or sensitive data.” Customers with servers with US companies in the EU are likely to move their data to non-US providers to minimize risk, Davies said.

Businesses will need to be much more involved with where their information exists and how it is stored. Until details emerge of the new privacy shield, many European companies won’t want to risk putting data on US servers, warned Ian Wood, Senior Director Global Solutions.

However, this could be a business opportunity for the cloud industry to come up with a solution, according to one commentator. The need for transparency and accountability calls for new data management skills, according to Richard Shaw, senior director of field technical operations at converged data platform provider MapR.

“Meeting EU data privacy standards is challenging at the best of times, let alone when the goal posts are constantly being moved,” said Shaw. The only way to give the US authorities the information they demand, while complying with regulations, is to automate governance processes around management, control and analysis of data, Shaw said.

Would the Privacy Shield and the attendant levels of new management affect performance?

Dave Allen, General Counsel at Internet performance specialist Dyn, said regional data centres are a start but that the data residence perspective is incomplete at best and gives a false sense of confidence that the myriad of regulations is properly addressed.

“Businesses will now need to understand the precise paths that their data travels down, which will be a more complex problem given the amount of cross-border routing of data across several sovereign states. Having access to traffic patterns in real time, along with geo-location information, provides a much more complete solution to the challenges posed by the EU-US Privacy Shield framework,” said Allen.

EC/US have three months to find a new Safe Harbour

The European Commission (EC) and the US are under pressure to come up with a new replacement system for the recently invalidated Safe Harbour agreement.

A statement from EU advisory body the Article 29 Working Party on the Protection of Individuals has given those affected by the ruling three months to devise a new system.

However, the US and the EC have previously worked for two years without success to reform the Safe Harbour agreement. The reforms were made necessary after US government surveillance programmes were revealed by National Security Agency (NSA) whistleblower Edward Snowden. Despite co-operation, progress stalled for two years as the US couldn’t guarantee limits on access to personal data.

“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” said the statement issued.

Following the Court of Justice of the European Union (CJEU) ruling on October 6th, many companies risk being prosecuted by European privacy regulators if they transfer the data of EU citizens to the US without a demonstrable set of privacy safeguards.

The 4,000 firms that transfer their clients’ personal data to the United States currently have no means of demonstrating compliance with EC privacy regulations. As the legal situation currently stands, EU data protection law says companies cannot transfer EU citizens’ personal data to countries outside the EU which have insufficient privacy safeguards.

EU data protection authorities, meeting in Brussels to assess the implications of the ruling, said in a statement that they would assess the impact of the judgment on other data transfer systems, such as binding corporate rules and model clauses between companies.

The regulators said in their statement the EU and the United States should negotiate an “intergovernmental agreement” providing stronger privacy guarantees to EU citizens, including oversight on government access to data and legal redress mechanisms.

Multinationals can still set up internal privacy rules for US data transfers, to be approved by regulators, but these so-called ‘binding corporate rules’ are only used by 70 companies. All alternative data transfer systems could now also be at risk of a legal challenge, say lawyers. “The good news is that the European data protection authorities have agreed on a kind of grace period until the end of January,” said Monika Kuschewsky, a lawyer at Covington & Burling.

CIF cloud code of practice gains European Commission backing

The Cloud Industry Forum's COP gained the EC's seal of approval for cloud certification this week


The Cloud Industry Forum’s (CIF) code of practice for cloud service providers has been added to the European Commission’s growing list of cloud certification schemes. The move means it passes the EC’s benchmark for service security and reliability.

The Commission’s Cloud Certification Schemes List was set up as part of the European Cloud Strategy and developed by the European Union Agency for Network and Information Security (ENISA); it gives an overview of different existing certification schemes for cloud services in the region.

The scheme is effectively the Commission’s way of recognising a certification’s claim to ensuring cloud contracts guarantee a certain level of security or reliability, which it hopes will assure European customers of a provider’s claims and help stimulate spending on cloud services.

“This is a major milestone for the Cloud Industry Forum and the broader cloud community. There are no dedicated cloud standards in the market, making it difficult for small business customers to identify trusted advisors,” said Alex Hilton, chief executive officer of the Cloud Industry Forum.

“We hope this recognition will encourage more users of cloud services to actively seek providers that are CIF-certified, and likewise more CSPs to seek certification. We have taken important steps in providing a foundation in what is a fast changing and, to many, a new technology sector,” Hilton said.

Other certification schemes on the list include the Cloud Security Alliance’s attestation, certification and self-assessment, EuroCloud’s Star Audit, ISO 27001 and PCI v3.

Richard Pharro, chief executive of APM Group, the Cloud Industry Forum’s certification partner, added: “The Code of Practice was first established with the aim of driving levels of accountability, capability and transparency in the Cloud industry, which are all critical to the Cloud service contract. With the adoption of Cloud within businesses progressing at an incredibly fast rate, those key tenets of Cloud delivery are as important as ever.”

“CSPs need to ensure they operate their businesses and services in a fully open and transparent manner where it is clear to their customers – existing and new – that they are trustworthy and capable of offering the services they claim to be able to offer. The CIF CoP is one of very few schemes which offers this much needed reassurance to end users regarding the organisations they choose to work with,” he added.

European Commission to reform mobile cloud services regulations – report

The EC is looking to create a level playing field in how telcos and mobile cloud service providers are regulated


The European Commission is considering plans to reform how mobile cloud service providers, also known as Over The Top (OTT) companies, are regulated, according to reports from the FT.

Draft documents unveiled by the commission indicate that the initiative to create a level playing field between the telecoms industry, cable operators and mobile cloud services like Whatsapp and Skype has long since been forgotten.

According to the Commission, telcos are currently being forced to compete with OTT services “without being subject to the same regulatory regime”, and that it intends to create a “fair and future-proof regulatory environment for all services”.

One of the main directives of the digital single market proposals advocated by the commission relates to the roll-out of superfast broadband infrastructure across the continent. With traditional revenue streams for telcos, such as calls and messaging, on the decline, operators frequently point the finger at OTT services for enabling free and wide-reaching services.

As a consequence, operators claim a lack of incentive when it comes to investing in overhauling increasingly depreciated copper network infrastructure, particularly around the last mile.

That said, telcos remain hesitant to give their competitors free access to high-speed broadband infrastructure if they aren’t able to suitably monetise the service, which is where net neutrality enters the picture. Aside from the ongoing debate raging in the US of late, net neutrality formed one of the cornerstones of Neelie Kroes’ digital single market proposals, along with the abolishment of consumer roaming fees.

Last month, Telecoms.com reported that the European Union’s Telecoms Council effectively conceded that a U-turn on its net neutrality ambitions was on the cards. There has yet to be an update on whether the open letter signed by more than 100 MEPs has convinced the Council to steer clear of paid prioritisation of any kind.

It is believed the commission intends to unveil its new digital single market strategy on the 6th May.