Category Archives: Policy and Regulation

data protection, Data Regulation, data residency, European Commission, News & Analysis, Policy and Regulation

Let the countdown to GDPR begin

Location Germany. Red pin on the map.The road to data protection has been a long and confusing one. Despite being one of the biggest concerns of consumers and corporates throughout the world, progress has hardly been moving at breakneck speed, but as of today (May 25th), companies now have exactly two years to ensure they are compliant with the EU’s General Data Protection Regulation.

The general objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Data protection is a complicated business throughout the EU mainly due slight differences from country to country, and then again, with overarching EU regulations, or directives which haven’t even made it to regulation.

Conversations surrounding the new regulations have been ongoing since 2012, though companies now have until 25th May 2018 to ensure they are fully compliant. For this would seem an adequate amount of time, however a recent YouGov and Netskope survey highlighted only one in five are confident they will be compliant in this time period. For Eduard Meelhuysen, VP at Netskope, decision makers need to take a step back to get a better understanding of the current state of their data, before concentrating on any company app.

“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now,” said Meelhuysen. “As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation.

“The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.”

a safe place to work“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of €20 million or 4% of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”

One area which has been given attention within the GDPR is that of data residency. New regulations will require organizations do not store in or transfer data through countries outside the European Economic Area that do not have equivalently strong data protection standards. The list of countries that meet these standards is short, 11, with a notable absentee, the United States of America, which could pose problems for numerous organizations.

While this may be considered one of the headline areas for the GDPR and one which will likely be heavily scrutinized, for Dave Allen, General Counsel at Dyn, concentrating too much on this area could lull companies into a false sense of security.

“As the EU GDPR comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data,” said Allen. “While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.

“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.

“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”

Anonymous unrecognizable man with digital tablet computerOverall, the GDPR will ensure companies take a greater level of responsibility to safeguard the personal data they hold from attacks. Recent months have seen a number of highly publicised attacks significantly impact the reputation of well-known and respected brands, making consumers nervous about which of their personal information is being held. Previously, attacks on such organizations would not have been thought possible; surely they have the budgets to ensure these breaches wouldn’t happen?

Another headline proposition from the GDPR is the consumer’s right to access data which is stored on them, and also the right to have this data ‘forgotten’. For Jon Geater, CTO at Thales e-Security, this will create numerous challenges and changes to the way in which data is stored and accessed.

“The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility,” said Geater. “If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

“In addition, organisations will now have to provide citizens with online access to any their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’.

“This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”

What is clear is there will be complications. This shouldn’t be considered a massive surprise as any new regulations are fraught with complications on how to remain or become compliant, but the European Commission isn’t messing around this time. With fines of €20 million or 4% of global turnover (whichever is greater), the stick is a hefty one, and the carrot is yet to be seen.

data protection, EU, Europe, Opinion, Policy and Regulation, regulation

What happens to EU General Data Protection Regulation if the UK votes for a Brexit?

EuropeBusinesses warned not to give up on data reforms just because UK could quit Europe

As the UK prepares to vote on whether to leave the European Union, businesses are being warned not to give up on data reforms inspired by the forthcoming EU General Data Protection Regulation (GDPR).

Businesses across the country have been studying implications of the new Regulation, due to be in force in May 2018, which aims to create a ‘one-stop shop’ for data protection across the European Union.

Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data be deleted or edited. Many businesses will also be required to appoint a Data Protection Officer.

However, the Brexit vote opens up the possibility that the UK could be out of the EU by the time it comes into force.

John Culkin, Director of Information Management at Crown Records Management, said: “It would be tempting for businesses to think that if the UK leaves the EU this regulation would not apply. In fact, that isn’t the case. Although an independent Britain would not be a signatory of the Regulation, in reality it would still be impossible to avoid its implications.

“The Regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses here would be unaffected.

“The same applies to data breaches involving the personal data of European citizens. So it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it.”

Even if the UK votes to leave the EU, data in Great Britain & Northern Ireland will continue to be regulated by the current Data Protection Act, which was passed in 1998.

A spokesperson for the Information Commissioners’ Office (ICO), an independent body set up to uphold information rights, said: “Although derived from an EU Directive, the Data Protection Act was passed by the UK Parliament and will remain in place after any exit, until Parliament decides to introduce a new law or amend it.

“The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

Culkin believes there is a real danger that UK businesses will defer crucial reforms of their information management systems – just in case the Brexit vote in June changes the agenda. But he warns it is a big risk.

He said: “Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.

“There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure – no matter what happens in Europe in June. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications – no matter who imposes the fine.

“As for personal data, citizens, in the UK are only going to be more demanding about how their data is collected, stored and edited in future – the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.”

This a view shared by the ICO which will continue to ensure organisations meet their information rights obligations no matter how the UK votes.

A spokesperson said: “Ultimately, this is a decision for organisations based on their own particular circumstances. Revisiting and reassessing your data protection practices will serve you well whatever the outcome of the referendum. Investing in GDPR compliance will ensure an organisation has a high standard of data protection compliance that will enable the building of consumer trust.”

cloud policy, data protection, Free Trade, News & Analysis, Policy and Regulation, Privacy

BSA releases rankings of global cloud policies – UK drops and US rises on leader board

A racehorse and jockey in a horse raceThe BSA | The Software Alliance has released its global ranking of cloud computing policies, assessing the cloud readiness and policies of the world’s 24 leading ICT economies, with the UK dropping down the leader board.

The UK dropped two places in the rankings to ninth, whereas Japan maintained its position at the top of the leader board, and the US improving its position coming in second place. The 24 countries ranked in the research account for roughly 80% of global ICT revenues. Each country is ranked depending on its strengths and weaknesses in seven policy areas; data privacy, security, cybercrime, intellectual property right, support for standards, promotion of free-trade and IT readiness & broadband deployment.

“It’s worrying to see the UK starting to fall behind other faster-moving nations in creating policies which enable cloud innovation,” said Victoria Espinel, CEO of the BSA. “It’s critical for global leading nations like the UK to be on the front-foot in creating robust policy frameworks fit for the digital age to prevent protectionism, so governments, businesses and consumers can benefit from the various benefits cloud computing offers. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

The UK scored particularly well when it came to intellectual property rights, security and IT readiness, where it ranked fourth, second and first respectively, but badly in the cybercrime valuation, coming in at number 21 out of 24. Within the other areas it hit the middle of the road, and while overall performance was not negative, the UK fell behind due to the speed and efficiency in which other nations are developing their policies.

In the cybercrime section, where the UK was particularly poor, the report highlighted while the UK was in general compatible with the Budapest Convention on Cybercrime, it has not yet implemented laws relating to misuse of devices, as required by Article 6 of the Convention. The report also stated outdated data registration laws are acting as a barrier to some cloud services, as businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden.

Leaderboard

2016 BSA Global Cloud Computing Scorecard – click to enlarge

The US performed favourably across the majority of the ranking categories, particularly on support for industry standards (first), promotion of free trade (first) and IT readiness (third). The US has been recognized by the report as a particular advocate of free trade and harmonization, as well as standardization, as it “continued to remove barriers to international information technology (IT) interoperability”.

Data privacy was the area in which it performed the worst, where it stated there are no single privacy law in the US, as well as numerous policies which have the potential to create a complicated and confusing landscape. Current key sectoral privacy laws include the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act and the Telephone Consumer Protection Act.

The report also drew attention to the compatibility between the US with the privacy principles in the EU Data Protection Directive, of which there is little. According to the report “US organizations also have a range of voluntary options to ensure their data protection practices are compatible with the principles in the EU Directive”, though these are not backed up by government policy or legislation. This has been a point of discussion throughout the industry, following Safe Harbour being shot down, and its successor receiving criticism from certain corners of the EU.

Russsia privacy law

Russian Privacy Law – click to enlarge

While the report does outline progress in the development of IT and cloud policies throughout the world, it does also bring attention to several nations who have been demonstrating negative trends. Countries such as China and Russia have implemented policy which could be seen to inhibit the growth of cloud computing within their countries, by limiting the ability of cloud computing service providers to adequately move data across borders.

“The Scorecard shows that countries are eager to welcome cloud computing and its myriad economic benefits, and many of them are creating a favourable regulatory and legal environment,” said Espinel. “Unfortunately, the Scorecard also shows some countries are heading down a path of treating cloud computing as the next frontier of protectionism. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

Russia for example has implemented a legal requirement that data operators store the personal data of Russian citizens on servers based in Russia, as well as personal data information system (irrelevant of the simplicity of the database) must be certified by the Federal Service for Technical and Export Control (FSTEC). In turn this data can only be used on software and hardware which has also been approved by the FSTEC.

The BSA believes will have a negative impact on the company’s digital economy, stating “The local requirements are not compliant with generally accepted international standards, and Russia does not participate in the Common Criteria Recognition Agreement (CCRA).”

Data Regulation, European Commission, News & Analysis, Policy and Regulation

New EU data regulations receives warm reception from industry

EuropeThe European Union finally rubber-stamped a refresh of the General Data Protection Regulations (GDPR) that offers greater protection for individuals but at cost of a greater burden on businesses, reports Telecoms.com.

In customary EU fashion this is the culmination of four years of to-ing and fro-ing since the refresh was first proposed. Even the final sign-off took four months to complete, with the text having been agreed last December. Furthermore the new regulations won’t come into law until May 2018, giving all businesses who keep data on European citizens, which must include pretty much every multinational, two years to comply.

“The new rules will give users back the right to decide on their own private data,” said Green MEP Jan Philipp Albrecht, who led the drafting process. “Businesses that have accessed users’ data for a specific purpose would generally not be allowed to collect the data without the user being asked. Users will have to give clear consent for their data to be used. Crucially, firms contravening these rules will face fines of up to 4% of worldwide annual turnover, which could imply € billions for the major global online corporations.

“The new rules will give businesses legal certainty by creating one unified data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market. Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.”

Industry reaction has been broadly positive, but with caveats mainly concerning how easy it will be to comply and some concern about the high ceiling for potential fines. Compounding this is a requirement for companies to disclose data breaches within 72 hours of them happening, which is a pretty small window.

“This will be a technical challenge for those businesses unaccustomed to such stringent measures,” said David Mount of MicroFocus. “They will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers.

“While this may seem like a positive step towards improved data protection, the US example shows that in reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored. The effect is that sometimes consumers can’t see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure.

“It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness,” said John Giusti, Chief Regulatory Officer of the GSMA. “Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.

“All eyes are now on the review of the e-Privacy Directive. The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish. To this end, the GSMA calls on legislators to address the inconsistencies between the existing e-Privacy Directive 2002/58/EC and the GDPR.”

The e-Privacy Directive covers things like tracking and cookies and seems to focus specifically on telecoms companies in the way they process personal data. So for the telecoms sector specifically this refresh could be even more important than the GDPR. The European Commission initiated a consultation on ePrivacy earlier this week and will conclude it on 5 July this year.

William Long, a partner at Sidley Austin, warned that individual countries may view the new GDPR differently. “There are still a number of issues where some member states have fought successfully to implement their own national law requirements, for instance in the area of health data, and this will no doubt lead to certain complexities and inconsistencies,” he said.

“However, organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the Regulations. The penalties for non-compliance are significant – at up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater. Importantly, companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance.”

“Our own research shows that globally, 52% of the information organisations are storing and hoarding is completely unknown – even to them, we call this ‘Dark Data’,” said David Mosely of Veritas. “Furthermore, 40% of stored data hasn’t even been looked at in more than three years. How can companies know they’re compliant if they don’t even know what they’re storing? This is why GDPR represents such a potentially massive task, and businesses need to start tackling it now.”

“In order for data to remain secure, there are three core components that are now vital for EU businesses,” said Nikki Parker of Covata. “Firstly, encryption is no longer an optional extra. It provides the last line of defence against would-be snoopers and companies must encrypt all personally identifiable information (PII).

“The second component is identity. True data control involves knowing exactly who has access to it and this can be achieved through encryption key management. Enabling businesses to see who has requested and used which keys ensures a comprehensive audit trail, a requirement of the new regulation.

“Finally, businesses must set internal policies that specifically outline how data can be used, for example, whether data is allowed to leave the EU or whether it can be downloaded. Applying policies to each piece of data means access can be revoked at any moment if the company feels it is in violation of the ruling.”

All this is happening in parallel with the overhaul of the rules governing data transfer between Europe and the US, known as the Privacy Shield. By the time the GDPR comes into force pretty much all companies are going to have to tread a lot more carefully in the way they handle their customers’ data and it will be interesting to see how the first major transgression is handled.

data protection, Microsoft, News & Analysis, Policy and Regulation

Microsoft files lawsuit against US government and secret snooping orders

Lady Justice On The Old Bailey, LondonMicrosoft has filed a new lawsuit in federal court against the United States government arguing the right that customers should have the right to know when the state accesses their emails or records.

Under current law, the government has the right to demand access to customer information, while also issuing orders to companies such as Microsoft to keep these types of legal demands secret. Microsoft claim these orders are becoming too often common place; rather than common routine, these secrecy issues should be the exception not the rule.

“We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records,” said Brad Smith, President and Chief Legal Officer at Microsoft on the company blog. “Yet it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation.

“Cloud computing has spurred a profound change in the storage of private information. Today, individuals increasingly keep their emails and documents on remote servers in data centres – in short, in the cloud. But the transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must – with few exceptions – give notice when it searches and seizes private information or communications.”

While the company recognizes there are certain circumstances where secrecy would be required, it would appear the US government is using the legal demands to keep secrecy as a default setting. Microsoft has claimed the demands violates the company’s First Amendment right to free speech, as well as the customers Fourth Amendment right, which gives people and businesses the right to know if the government searches or seizes their property.

“Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data,” said Smith. “Notably and even surprisingly, 1,752 of these secrecy orders, or 68% of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.”

Microsoft’s case is built on the perception the Electronic Communications Privacy Act is currently being abused by US officials, but also the fact the act is dated and no longer relevant. The act, which is seemingly unpopular with technology firms, has been in place since 1986. Microsoft argues the time period between the act being written and the widespread use of the internet is too long for the legislation to be relevant to today’s world.

“While today’s lawsuit is important, we believe there’s an opportunity for the Department of Justice to adopt a new policy that sets reasonable limitations on the use of these types of secrecy orders,” said Smith. “Congress also has a role to play in finding and passing solutions that both protect people’s rights and meet law enforcement’s needs. If the Department of Justice doesn’t act, then we hope that Congress will amend the Electronic Communications Privacy Act to implement reasonable rules.”

The company believes the act should be updated in three areas. Firstly, from a transparency perspective, the government should be held accountable when it snoops through customer data, and in the majority of cases the customer should be informed. Second, there should be a focus on digital neutrality as customers should not receive less notice of government activities simply because emails are stored in the cloud. Finally, there should be a necessity clause which would limit what the government can keep secret. In these circumstances, Microsoft wants the right to tell its customers what has been seen outside of the necessity clause.

data protection, Microsoft, News & Analysis, Policy and Regulation, Privacy Shield

Microsoft endorses EU-US Privacy Shield despite criticism from EU industry commentators

Data protectionMicrosoft has become one of the first major US tech companies to confirm its support of the EU-US Privacy Shield, the successor of the now defunct Safe Harbour Agreement.

Data transfer between the EU and the US has been on relative shaky legal grounds over recent months, as between the EU striking down the Safe Harbour Agreement and introducing the EU-US Privacy there has not been an official framework. While Microsoft has publicly stated its approval of the agreement, it does not believe that it goes far enough.

“We recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved,” said John Frank, Vice President EU Government Affairs at Microsoft, on his blog.

“We continue to believe today that additional steps will be needed to build upon the Privacy Shield after it is adopted, ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements,” said Frank. “But we believe that the Privacy Shield as negotiated provides a strong foundation on which to build.”

Twitter commentsBack in October, the European Court of Justice decided that Safe Harbour did not give data transfers between Europe and the US adequate protection, and declared the agreement which had been in place since 2000 void. The EU-US Privacy Shield, Safe Harbour’s successor, has also come under criticism in recent weeks as concerns have been raised to how much protection the reformed regulations protect European parties.

While Microsoft does appear happy with the new agreement, there have been industry commentators who have outlined their own concerns. Privacy activist Max Schrems, who has been linked to the initial downfall of Safe Harbour, said in a statement reacting to Privacy Shield, “Basically, the US openly confirms that it violates EU fundamental rights in at least six cases.” Others to react negatively are German MP Jan Philipp Albrecht who commented on twitter, “This is just a joke. @EU_Commission sells out EU fundamental rights and puts itself at risk to be lectured by CJEU again”, as well as whistle blower Edward Snowden who said, “It’s not a “Privacy Shield”, it’s an accountability shield. Never seen a policy agreement so heavily criticized.”

As part of the announcement, Microsoft has also committed to responding to any complaints about its participation in Privacy Shield within 45 days.

data protection, EU regulations, Local Government, News & Analysis, Policy and Regulation

Socitm outlines concerns for local government ahead of new data protection regulations

Compliance ConceptThe Society of Information Technology Management, Socitm, has stated that local government bodies should review all information governance arrangements in light of changes to EU-US data protection policies.

In its latest briefing, Data protection: <Control><All><Delete>?, Socitm has recommended that all IT professionals update their information, security and data protection policies, as councils could face difficulty in remaining compliant under the new legislative framework.

Data protection has been a hot topic in recent months, following the European Court of Justice striking down the Safe Harbor agreement last year, as well criticisms of its replacement, the EU-US Privacy Shield. “Legal action in the wake of the Snowden revelations challenged the degree of protection for citizens’ data provided by Safe Harbor,” Socitm said in the statement. “New measures giving foreigners’ data some legal protection have been put in place, but it is not yet known whether the European authorities will consider that US privacy protection is now adequate.”

In recent weeks, Privacy activist Max Schrems, who has been linked to the initial downfall of Safe Harbour, said in a statement reacting to Privacy Shield, “Basically, the US openly confirms that it violates EU fundamental rights in at least six cases. The commission claims that there is no ‘bulk surveillance’ any more, when its own documents say the exact opposite.”

Socitm said in the statement that new European Data Protection Regulation will also update data laws in the UK, which currently don’t account for new technologies. The UK Data Protection Law was written in 1998, several years before the launch of social media platforms Facebook and Twitter, as well as the surge in data usage from both consumers and enterprise. Socitm stated that councils could be let in a vulnerable position when the regulations are brought in officially.

The regulations, a draft of which were released in January, stated that data protection legislation would have to be updated for the digital age, consumers would have to have access to their own data to understand how and where it is utilized, as well as increasing security standards for an individual’s data.

The fear here seems to be focused around the volume of changes that would need to be enforced once the new regulations are in place. It would appear Socitm is concerned that local councils will not be able to keep pace, leaving the councils in a non-compliant and susceptible position.

“Accommodating the changes will be a matter of amending existing processes rather than inventing new ones,” said Dr Andy Hopkirk, Head of Research at Socitm. “Some of the changes could be onerous and problematic. For example, councils will need to be able to deal correctly and completely with ‘right to be forgotten’ requests – perhaps the single greatest challenge in an almost ubiquitously networked and distributed computing world.”

European Commission, News & Analysis, Policy and Regulation, Privacy Shield, Safe Harbour

Privacy Shield data agreement dismissed as ‘reheated Safe Harbour’

Europe US court of justiceThe new framework for transatlantic data flows proposed by legislators for the European Commission has had a mixed reaction from the cloud industry.

The EU-US Privacy Shield agreement over data transfer replaces the 15 year arrangement that was voided by the Court of Justice of the European Union in October. The new arrangement has to meet official approval from all 28 member states of the European Union. If it does both sides will finalise the details of the new pact in the next fortnight and the agreement could come into effect in April.

The foundation of the agreement is that American intelligence agencies will no longer have indiscriminate access to Europeans’ data when it is stored in the US. EC Commissioner Vera Jourová claimed that Europeans can now be sure their personal data is fully protected and that the EC will closely monitor the new arrangement to make sure it keeps delivering.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said Jourová, who promised that EU citizens will benefit from redress if violations occur. “The US has assured that it does not conduct mass or indiscriminate surveillance of Europeans,” said Jourová.

Whether the decision really will build a Digital Single Market in the EU, a trusted environment and closer partnership with the US remains a moot point among cloud industry experts.

Approval of the arrangement cannot be taken for granted, according to a speaker for The Greens and the European Free Alliance. “This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbour decision. The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision,” said Green home affairs and data protection spokesperson Jan Philipp Albrecht. The proposal creates no legally binding improvements and the authorities must make clear that this ‘legally dubious declaration’ will not stand said Albrecht.

The EU/US data sharing deal won’t stop surveillance, according to former Whitehouse security advisor French Caldwell. As a Gartner research VP, Caldwell once advised on national and cyber security and led the first ever cyber wargame, Digital Pearl Harbor. As the new chief evangelist at software vendor MetricStream, Caldwell said there were many flaws in the logic of the agreement.

“The legal definitions of personal data are so antiquated that, even if that data covered under privacy law is protected, there is still so much data around people’s movements and online activities that an entire behavioural profile can be built without accessing that which is considered legally protected,” said Caldwell.

Privacy protections have evolved significantly in the US, Caldwell said, and US authorities are much more aggressive than EU authorities in penalising companies that don’t follow privacy policies. “It is hard to discount nationalism and trade protectionism as underlying motivations [for European legislation],” said Caldwell.

It should alarm cloud customers to see how little has been done to give assurance of their privacy, said Richard Davies, CEO of UK based ElasticHosts. “This gives little assurance to EU customers trusting a US provider with hosting their websites or sensitive data.” Customers with servers with US companies in the EU are likely to move their data to non-US providers to minimize risk, Davies said.

Businesses will need to be much more involved with where their information exists and how it is stored. Until details emerge of the new privacy shield, many European companies wont want to risk putting data on US servers, warned Ian Wood, Senior Director Global Solutions.

However, this could be a business opportunity for the cloud industry to come up with a solution, according to one commentator. The need for transparency and accountability calls for new data management skills, according to Richard Shaw, senior director of field technical operations at converged data platform provider MapR.

“Meeting EU data privacy standards is challenging at the best of times, let alone when the goal posts are constantly being moved,” said Shaw. The only way to give the US authorities the information they demand, while complying with regulations, is to automate governance processes around management, control and analysis of data, Shaw said.

Would the Privacy Shield and the attendant levels of new management affect performance?

Dave Allen, General Counsel at Internet performance specialist Dyn said regional data centres are a start but that the data residence perspective is incomplete at best and give a false sense of confidence that the myriad of regulations is properly addressed.

“Businesses will now need to understand the precise paths that their data travels down, which will be a more complex problem given the amount of cross-border routing of data across several sovereign states. Having access to traffic patterns in real time, along with geo-location information, provides a much more complete solution to the challenges posed by the EU-US Privacy Shield framework,” said Allen.

Draft investigatory powers bill, News & Analysis, Policy and Regulation, UK Parliament

UK parliament warns against new Investigatory Powers Bill

security1The UK government must ‘urgently review’ the expensive obligations it is about to pass onto the cloud industry, according to a new report on the effects of the Investigatory Powers Bill.

The Investigatory Powers Bill Technology Issues report was compiled by a parliamentary select on science and technology after taking evidence from activists, academics and tech companies. The proposed legislation could prove painfully expensive for Britain’s service providers, by forcing them to incur the costs and extra work involved in storing every customer’s entire browsing history for 12 months, the report warns. It also identifies a problem over encryption, with many in the industry unclear over the legal obligations the new bill will create.

“The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” said Nicola Blackwood MP, chair of the Science and Technology Committee.

The draft bill calls for the collection by service providers of data on each user’s internet connection records (ICRs). According to the committee, industry feedback suggests there are too many unanswered questions over the practicalities of meeting this legal requirement. The technology industry is not clear about the meaning of the definition for ICRs framed by Home Secretary Theresa May, one of the co-authors of the draft bill.

According to May, an ICR is a record of the communications service that a person has used, but not a record of every web page they have accessed. “The current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers,” said Blackwood, in a statement.

The ambiguity is a critical problem because it leaves service provides unable to predict the time and money they need to meet their obligations, which leaves them unable to forecast and plan. It also introduces a potentially dangerous vulnerability by creating an opportunity for hackers to access that information. The report questions whether it is ‘practical to assume’ that databases of customer activity can be kept ‘secure and safe’.

The draft Bill, in its current form, appears to instruct service providers that customer information must be kept in an unencrypted state ready for inspection, according to the committee. “The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content,” said the statement, “there are still many unanswered questions about how this legislation will work.”

There are good grounds to believe that without further refinement there could be ‘many unintended consequences for commerce’ arising from the current lack of clarity of the legislation, the report concluded.

FedRAMP, Government, News & Analysis, Policy and Regulation, Public Sector, US

US FedRAMP has turned into a slow lane for government cloud says protest group

Fedramp logoA cloud industry protest group has called on the US government to fix its FedRAMP process for certifying government cloud service providers. The inefficiencies of the system are neutralising any benefits the cloud can bring to the US taxpayer, it claims.

A collective of disgruntled agents, that ranges from top tier cloud operators such as AWS, IBM and HPE to support agencies and corporate lawyers, has appealed for a review of the Federal Risk and Authorization Management Program, a certification process that has been dubbed FedRAMP.

Though FedRAMP was designed to simplify the use of cloud services by government agencies, the system has been described by a cloud industry advocate group as ‘fundamentally broken’. An aggrieved group of cloud players calling itself FedRAMP Fast Forward claims that a simple system, for helping US civil servants to select between FedRAMP-certified providers, has become too complicated and unwieldy. The pressure group has proposed a six point plan to address the system’s lack of clarity, high costs and lack of accountability.

The promised ‘certify once, use many times’ framework has not been delivered, claims the pressure group. Instead, the system has become expensive and time-consuming to use. As a result, the planned government savings from using cloud services are unlikely to materialise, says the group.

One of the reported problems is that the system does not provide the level of monitoring and management that cloud service providers would expect from any service. Potential suppliers to a government tender cannot gauge their status in the approval process or get feedback on the how to improve things or move the process to its next stage, according to a group statement. Agencies have also complained that they can’t see where the listed authorised cloud services might operate.

The Cloud Computing Caucus, a cross party group of US Congress Members, claims that the certification process is now nearly three times as lengthy as it first was. Worse, it can be 20 times more expensive. The group’s latest annual report says certification time has gone from nine months to two years, on average, while the typical cost expanded from $250,000 to up to $5 million.

The pressure group has now posted a six point reform plan calling for a single route to authorisation, more transparency over the approval process, harmonised security standards, cheaper monitoring, the option to upgrade without dropping out and a simpler road map for compliance.

FedRAMP Fast Forward members include AWS, HPE, IBM, CGI, General Dynamics and CenturyLink.