eGovernment Research since 2001
When the European Union Data Protection Directive was passed in 1995, the concepts of data, data privacy and storage, and the potential for misuse of that data were very different. The internet, furthermore, was still young and the Directive, in any case, was largely based on the UK's own Data Protection Act of 1984.

A lot, obviously, has changed since then. And the challenge of regulating data as those shifts have taken place - the growth of the internet, social media, cloud computing and big data, for example - has been compounded by the different ways in which the Data Protection Directive has been implemented across the 28 countries of the EU.

What is perhaps most notable about the EU's approach to data protection legislation today is that the changes it is proposing to make will not be made in the form of a new directive, but rather in the form of a "regulation", directly applicable to member states.

"A regulation is different from a directive because a directive is a set of principles that have to be translated into local laws. A regulation comes straight from Europe. Once it is passed at a European level, it is effective immediately in each country," says Andrew Dyson, a partner and specialist in data protection at law firm DLA Piper.

That approach is double-edged. On the one hand, it means that the EU will be legislating directly in terms of data protection Europe-wide - and presumably doing so more and more in this way in future - yet it will also prevent the complaint that directives, when translated into UK law, have been "gold plated" by over-zealous drafting.

The hope, adds Dyson, speaking at Computing's recent IT Leaders' Summit in London, is that it will provide organisations - particularly ones operating across the EU - with more certainty in terms of their pan-European IT infrastructures, cloud computing, and the way in which those organisations process data across the EU. "It's quite a significant change of tack and, I think, quite helpful," says Dyson.

Global ambitions

One of the positive aspects of the proposed regulations is that organisations operating across Europe will only need to deal with one regulator - not every information commissioner in every EU country in which they operate. "The intention is that you will just go to your 'lead' regulator in your headquarters country and deal with them exclusively for the whole of Europe," says Dyson.

However, following the Edward Snowden revelations, he warns, the momentum is behind stricter controls that may impede developments in social media, given the personal information that is provided in exchange for the use of such applications, and big data.

All of this, though, is not just on a pan-European level. Taking a leaf out of US lawmakers' books, proposals currently under consideration are extra-territorial in scope. If an EU citizen orders something from a US website, for example, the personal data generated by that transaction does not currently come under the scope of EU data protection laws. But under the data protection regulations currently being considered, EU data protection laws would apply to citizens' personal data regardless of where in the world that data is being stored and/or processed, warns Dyson.

In addition, the regulations will also extend the scope of EU data protection to outsourced providers. At the moment, says Dyson, the 'contract' is between customers and supplier. In future, though, "if you are an outsourced provider, looking after customer data on behalf of a client, if you lose that data; if you don't have in place proper protections, controls and systems, it's not just a question of being in breach of contract, but the Information Commissioner's Office will become involved," says Dyson.

Finally, there's the so-called "right to be forgotten", a recent ruling in the European Court of Justice that has forced Google and other search engines to de-link people from otherwise publicly available information on request. The European Commission claims that this ruling conforms with "the spirit" of the forthcoming Data Protection Regulations.

Everything's fine...

What has attracted the highest profile headlines, though, is the enforcement regime, which will include punitive fines of up to €100m or five per cent of global turnover.

"At the moment, there's a very mixed approach to enforcement across Europe. Some regulators are active; others have no resources and take no enforcement action. That doesn't make sense: in one market you could be hit with a fine and in another they might take no action," says Dyson.

If that concerns EU-based organisations, it won't be long before they are subjected to it: the General Data Protection Regulation is expected to be adopted some time in early 2015, with the enforcement regime coming in from 2017. "They are thinking that the breach of data protection and privacy laws is on a par with a breach of anti-trust and competition laws," adds Dyson. "This is a very clear message that if you get it wrong or you don't comply, there won't just be a rap on the knuckles. It's deliberate - to try and change behaviours."

Of course, it remains to be seen how even or uneven this regime proves to be. Yet the worry is that even at this late stage few organisations are aware of these imminent and draconian changes to the data protection regime across Europe - especially in the cloud computing sector, and not just in Europe, but across the world, where these regulations may come as something of a surprise.

"The penalties for violations are quite severe," says Kamal Shah, vice president of products at cloud security and services company Skyhigh Networks, which tracks the services of some 7,000 disparate cloud service companies on behalf of clients.

It is not just the potential severity, adds Shah, but the fact that organisations are often unaware of exactly where data is being processed or that staff are even using cloud services, such as Dropbox. Yet under the new Regulation they could be opened up to a crippling fine if a cloud service provider or other business partner suffers a Sony Pictures-style breach. Awareness, however, is growing.

Shah believes that there are four key challenges that organisations will face with the forthcoming Data Protection Regulation.

"The first one is with the so-called 'right to be forgotten' - the notion that individuals can request the deletion of data that identifies them. If you use any cloud service as an organisation, there's a clear audit trail, which you need from a data governance perspective...

"But the new 'right to be forgotten' means, first, an organisation must notify the individual if they are using a particular cloud service and that their actions are being stored; and second, if the user says 'I don't want you to do that; I want you to delete that information' that's a big task for the cloud service provider to delete that in a multi-tenant environment," says Shah.

Yet two-thirds of cloud providers' terms and conditions explicitly state that they will retain such audit data indefinitely, says Shah. In other words, there is a collision waiting to happen between the proposed new laws and the way in which cloud service providers across the world secure and run their systems. "I can't think of a single organisation that would not be affected by this," warns Shah.

Breach position

The third major challenge is the demand that regulators are notified of breaches within 24 hours of their discovery. "The challenge is that in many cases the cloud service providers are using a third-party service for their data centres. For example, Dropbox uses Amazon Web Services (AWS). So if something happens to the data centre, it has implications for a lot of service providers," says Shah.

Yet where different cloud services place the responsibility for security detection can differ widely - often putting it on the shoulders of the users. For example, if an organisation allows its AWS instance to be hacked and used by Bitcoin miners, AWS will understandably bill the organisation accordingly, putting the financial onus on them to make sure they are not cracked.

"That needs to change because the cloud service provider needs to notify the EU regulatory authorities of the breach," says Shah. "They will have to think through how they can detect the breach and quickly notify the EU authorities."

In other words, on the one hand, the EU's Data Protection Regulations make strong demands for privacy. Yet on the other, the security breach requirements may entail breaking the Regulations' own privacy requirements.

The fourth major issue is with encryption - especially following the Edward Snowden disclosures, which highlighted how widespread security services' abuses of personal privacy have become.

"Only 1.2 per cent of cloud service providers provide the capability to encrypt data with customer-managed keys," says Shah. While many cloud companies encrypt customer data, if they also hold the keys they could be subject to secret-court requests to turn over customers' data without the customer even knowing.

If the customer holds the decryption keys, however, they will know if GCHQ, the NSA or any other nation's security services want to peruse the data they are storing and processing in the cloud.

But providing that to customers isn't something that can just be bolted in, warns Shah, "it requires significant architectural changes". However, that 1.2 per cent does include some of the largest providers, such as Salesforce.com.

The key problem with the Regulations, therefore, is that however well-intentioned they are, in many real-world instances they are contradictory - especially where outsourcing and, increasingly, cloud computing are concerned. This would be less of a problem if the potential penalties for infringement were not so steep - at least while they are bedding in.

---

Author(s): Graeme Burton

Source: Computing, 24.12.2014
