

By John Leyden, 21st October 2014 08:58

Most cloud apps flout EU data protection rules – study

Data Protection Directive not passed yet, though...

Three in four cloud services do not conform to the current EU Data Protection Directive, according to a new study.

Enterprise cloud visibility firm Skyhigh Networks found that nearly three-quarters (72 per cent) of the cloud services used by European organisations do not meet the requirements of the current privacy regulations, with data being sent to countries without adequate levels of data protection. The transfer of personally identifiable information outside Europe meant many services were operating at odds with the EU Data Protection Directive.

IT lawyer Dai Davis, a solicitor at Percy Crow Davis & Co, said that Skyhigh's estimate is possibly on the low side.

"If anything 72 per cent is an underestimate," Davis told El Reg. "If you include 'social media used by European organisations' the figure would go up to 100 per cent. As to what to do about it, the short answer is use a German or Swiss-based company, those being the countries that take data protection most seriously."

EU Data Protection Regulations are yet to be approved by EU member states in the Council, so they haven't come into force as yet, as our Brussels correspondent recently noted.

Skyhigh said that with stricter policies and harsher penalties set to come into force soon, organisations have just a short window to address privacy compliance issues. This is a particular challenge because many organisations are already struggling to enforce existing acceptable usage policies.

For example, workers often find their way around blocks set up by corporate sys admins to access supposedly blocked services. Dropbox, Instagram, Tumblr and Apple iCloud in particular are widely used within corporates despite being nominally blocked by IT teams.

Skyhigh's latest quarterly European Cloud Adoption and Risk Report, which is based on an analysis of real-life usage data from more than one million users in organisations from many industry sectors, found that just 15 services sucked up 80 per cent of cloud data. Microsoft Office 365, followed by Salesforce, are the biggest bandwidth hogs in this category. Skyhigh's report showed a slow uptake of enterprise cloud services in Europe, with more than 50 per cent of data being uploaded to consumer services.

During the same period, the number of cloud services in use by the average company in Europe increased by 23 per cent, rising from 588 in Q2 to 724 in Q3. Many of these services are not enterprise-ready. Only 9.5 per cent of all services met the most stringent security requirements, including strong passwords and data encryption, in a survey put together by Skyhigh in co-operation with industry group the Cloud Security Alliance.

Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps, so it obviously has a vested interest in talking up the risk from a class of threat its software is designed to manage. That's not to say that the firm is wrong in warning about insecure cloud app usage in enterprises, which it is all too easy to believe may be running out of control in many cases.

"The Regulations are now well over a year behind schedule," Davis explained. "Whether the present proposals will finally be approved remains to be seen."

He added: "Amongst other objections, my understanding is that the UK and Ireland don’t want a new Regulation, only a (weaker) Directive. Whatever happens, the new law will be at least another two-and-a-half years before it comes into force, because a two-year transition/implementation period has been promised." ®


An Irish government spokesman got in touch with the Register on 24th October to say: "We wish to advise that from the outset of the negotiations on the EU data protection reforms, Ireland has recognised the need for, and has supported, the proposal for a Regulation. Such a Regulation can ensure a more consistent application of data protection standards across the EU; a single set of standards for a single digital market."
