Tougher EU data protection rules are planned for adoption late this year or early next. Yet as things stand, an overwhelming majority of cloud providers would fall foul of one or another of the new measures. The General Data Protection Regulation, likely to be enforced from 2016 or 2017, replaces the 1995 directive and could introduce fines of up to €100m ($134m), along with rules on notifying breaches, data location and the right to be forgotten.
A new piece of research claims that cloud service providers are poorly prepared for incoming EU regulations. In fact, according to the findings of Skyhigh Networks, which took a fine-tooth comb to its CloudRegistry of some 7,000 cloud services, only one per cent of vendors meet the stipulations of the EU General Data Protection Regulation, which is expected to come into play in 2015 (replacing the Data Protection Directive adopted in 1995). The new legislation lays down regulations on data residency, encryption and security, and deletion policies along with the now notorious “right to be forgotten” ruling that was applied to Google (and other search engines). In terms of data residency, only eleven countries currently comply with EU privacy requirements, and the US isn’t one of them – and the States is where two-thirds of all cloud providers have their HQ.