Europe's Data Protection Regs: What You Need to Know
Europe's data protection rules are about to get stricter under legislation being drafted by the European Commission. Several of the rules relate to cloud data.
By Harold Byun, Skyhigh Networks
If your company does business in Europe, you're likely familiar with the European Union's strict data privacy laws. The laws require you to obtain permission before sharing personal data identifying EU residents with a third party and, in some cases, prevent you from moving or storing that data outside the EU.
The current legal framework is based on a 1995 law called the EU Data Protection Directive, which was ratified by each EU member state in varying forms. However, the law is changing soon. The European Commission is drafting a stricter piece of legislation due to take effect in 2017.
Both the existing directive and new regulation are meant to protect personally identifiable information, which includes any information used to identify an individual such as their name, date of birth, email address, computer IP address and photo. If adopted in its current form, the new regulation will be more prescriptive in its requirements.
Under previously enacted laws, data "controllers" (organizations that own the data, such as a retailer that maintains customer information) carry the legal responsibilities, while data "processors" (organizations that handle the data on behalf of the controller, such as a cloud provider) do not. The new law will impose statutory obligations on data processors for the first time.
Many organizations that process data are not yet prepared to meet these requirements. Last year, it was reported that only one in 100 cloud companies met the requirements of the new law.
There are 15 primary changes coming with the new regulation, summarized below:
Right to Share Information
The current EU data protection directive prohibits sharing personal data with third parties unless one of several conditions is satisfied. Under the new law, data controllers will still need to have a "legitimate interest" to share data, but they must also inform individuals that their data is being shared, remind them of their right to object, and document both their interests and the reminders they made.
Under the new regulation, if personal data has been rendered indecipherable via tokenization, it is assumed to meet an individual's reasonable expectations of privacy. While similar conceptually to encryption, tokenization differs in one critical way: Tokenized data cannot be reversed back to its original form mathematically. For this reason, the EU Commission considers that if data has been tokenized, it can be transferred.
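To illustrate the distinction the paragraph draws, here is an added example in Python (not code from the article or from Skyhigh Networks) of vault-based tokenization: each token is random, so nothing about the original value can be computed from it, and reversal is only possible for a party holding the vault mapping. The class name TokenVault, the helper functions and the sample customer record are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample record for the example; the email address is not real.
SAMPLE_RECORD = {"customer_id": "C-1001", "email": "alice@example.com", "plan": "gold"}
SENSITIVE_FIELDS = {"email"}


@dataclass
class TokenVault:
    """Vault-based tokenization (hypothetical class for this example).

    Each sensitive value is replaced by a random token. The token is not
    derived from the value by any function, so there is nothing to invert:
    the only link between the two is the mapping held inside this vault.
    """
    _value_to_token: dict = field(default_factory=dict)
    _token_to_value: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # Reuse an existing token so one value always maps to one token
        # (keeps joins and counts working on the tokenized data set).
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)  # 128 random bits, independent of value
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Reversal is a lookup, not a computation; a party without vault
        # access (e.g. a processor holding only tokens) cannot perform it.
        return self._token_to_value[token]


def tokenize_record(vault: TokenVault, record: dict, fields: set) -> dict:
    """Return a copy of record with the listed fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in fields else v for k, v in record.items()}


def restore_record(vault: TokenVault, record: dict, fields: set) -> dict:
    """Inverse of tokenize_record, possible only with the same vault."""
    return {k: vault.detokenize(v) if k in fields else v for k, v in record.items()}


def tokens_for_same_value_in_separate_vaults(value: str) -> tuple:
    # Two independent vaults assign unrelated tokens to the same input,
    # showing that the token itself carries no information about the value.
    return TokenVault().tokenize(value), TokenVault().tokenize(value)
```

Because the token is all that leaves the controller, the protection rests entirely on access control around the vault, which is where a practitioner's review effort belongs.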
Under the current law, organizations must take "appropriate measures" to ensure the security of personal data, including guarding against hacking, preventing internal threats, patching vulnerabilities in IT systems and having appropriate policies in place. When data controllers share information with data processors, they must have a binding written agreement in place to ensure these safeguards. The proposed law will directly apply these requirements to data processors, including major cloud providers.
Transferring Data Outside EU
The current law prohibits transferring personal data outside the EU to countries that do not have equivalently strong data protection laws. Currently, the EU only considers 11 countries in the world to have equivalently strong data laws. Therefore, transferring this information to any other country, except in instances where the data processor follows U.S. Safe Harbor certification, is prohibited.
The new law would keep these requirements, but extend enforcement to data processors, such as cloud providers that in the normal course of offering their service transfer and store information in data centers around the world.
Safe Jurisdiction List
Today, the European Commission maintains a list of countries that are approved to store EU data. Under the new law, the Commission will determine whether a country, a territory, a processing sector within a country, or an international organization provides an adequate level of protection for personal data, and will permit information to be stored there accordingly.