Three in four cloud services do not conform to the current EU Data Protection Directive, according to a new study.
Enterprise cloud visibility firm Skyhigh Networks found that nearly three-quarters (72 per cent) of the cloud services used by European organisations do not meet the requirements of the current privacy regulations, with data being sent to countries without adequate levels of data protection. The transfer of personally identifiable information outside Europe meant many services were operating at odds with the EU Data Protection Directive.
IT lawyer Dai Davis, a solicitor at Percy Crow Davis & Co, said that Skyhigh's estimate is possibly on the low side.
"If anything 72 per cent is an underestimate," Davis told El Reg. "If you include 'social media used by European organisations' the figure would go up to 100 per cent. As to what to do about it, the short answer is use a German or Swiss-based company, those being the countries that take data protection most seriously."
EU Data Protection Regulations are yet to be approved by EU member states in the Council, so they haven't come into force as yet, as our Brussels correspondent recently noted.
Skyhigh said that with stricter policies and harsher penalties set to come into force soon, organisations have just a short window to address privacy compliance issues. This is a particular challenge because many organisations are already struggling to enforce existing acceptable usage policies.
For example, workers often find their way around blocks set up by corporate sys admins to access supposedly blocked services. Dropbox, Instagram, Tumblr and Apple iCloud in particular are widely used within corporates despite been nominally blocked by IT teams.
Skyhigh's latest quarterly European Cloud Adoption and Risk Report, which is based on an analysis of real-life usage data from more than one million users in organisations from many industry sectors, found that just 15 services sucked up 80 per cent of cloud data. Microsoft Office 365, followed by Salesforce, are the biggest bandwidth hogs in this category. Skyhigh's report showed a slow uptake of enterprise cloud services in Europe, with more than 50 per cent of data being uploaded to consumer services.
During the same period, the number of cloud services in use by the average company in Europe increased by 23 per cent, rising from 588 in Q2 to 724 in Q3. Many of these services are not enterprise-ready. Only 9.5 percent of all services met the most stringent security requirements including strong passwords and data encryption, in a survey put together by Skyhigh in co-operation with industry group the Cloud Security Alliance.
Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps, so it obviously has a vested interest in talking up the risk from a class of threat its software is designed to manage. That's not to say that the firm is wrong in warning about insecure cloud app usage in enterprises, which it is all too easy to believe may be running out of control in many cases.
"The Regulations are now well over a year behind schedule," Davis explained. "Whether the present proposals will finally be approved remains to be seen."
He added: "Amongst other objections, my understanding is that the UK and Ireland don’t want a new Regulation, only a (weaker) Directive. Whatever happens, the new law will be at least another two-and-a-half years before it comes into force, because a two-year transition/implementation period has been promised." ®
An Irish government spokesman got in touch with the Register on 24th October to say: "We wish to advise that from the outset of the negotiations on the EU data protection reforms, Ireland has recognised the need for, and has supported, the proposal for a Regulation. Such a Regulation can ensure a more consistent application of data protection standards across the EU; a single set of standards for a single digital market."