Reassessing UK law enforcement data adequacy

The UK government says reforms to police data protection rules will help simplify law enforcement data processing, but critics argue the changes will lower protection to the point where the UK risks losing its European data adequacy.

Currently going through the committee stage of Parliamentary scrutiny, the Data Use and Access Bill (DUAB) will amend the UK’s implementation of the European Union (EU) Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018 and represented in Part Three of the act specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three could present a challenge for UK data adequacy.

The DUAB changes the law to allow routine transfer of data to offshore cloud providers, remove the need for police to log justifications when accessing data, and enable police and intelligence services to share data outside of the LED rules.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While the government argues that its reforms will simplify police data processing, critics say the proposals represent enough of a divergence from EU law that it will likely undermine the UK’s LED adequacy.

They add that many of the government’s changes to police data protection rules are a response to a widespread lack of compliance with key provisions in the DPA 2018, such as the need to log justifications when accessing data or implement controls that limit the offshoring of sensitive law enforcement data to non-law enforcement bodies, including cloud providers.

Computer Weekly contacted the Home Office about every concern raised, and the threat to the UK’s LED adequacy created by the government’s proposed changes to the law enforcement data protection regime.

“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK’s adequacy decisions in mind when producing this bill,” said a spokesperson.

“Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”

The adequacy process

In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the European Commission (EC) will have to periodically assess whether the country’s data protection framework and practices provide an essentially equivalent level of protection for EU citizens’ data.

The EC will therefore have to make two separate adequacy determinations under both the General Data Protection Regulation (GDPR) and LED by the end of June 2025.

Data protection experts previously claimed to Computer Weekly in February 2021 that any adequacy decision made under the LED would be principally political in nature if it fails to directly address how the data practices of the UK’s criminal justice sector and intelligence services undermine the data and fundamental rights of EU citizens. If this is not addressed, they said a positive adequacy decision could be open to legal challenges in the European courts.

In October 2024, the UK Parliament’s European Affairs Committee (EAC) – in a warning about the risks of the UK losing its data adequacy – highlighted many of the same issues as the experts Computer Weekly spoke to, noting these would be of “interest and potential concern” to both the EC and European Court of Justice (CJEU) as they consider the UK’s adequacy statuses.

This includes potential divergence on data protection standards that would make it harder for people to exercise their data rights; the possibility that the UK government undermines end-to-end encryption; the independence and effectiveness of the Information Commissioner’s Office (ICO); aspects of the UK’s national security regime under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the role of the Investigatory Powers Tribunal; and any legal cases which provide grounds for concern about UK data protection standards.

The EAC also highlighted potential risks posed by onward transfers of data from the UK to other third countries, including under the UK-US Cloud Agreement.

However, the EAC’s findings were published a day before the DUAB was announced, and two days before the text was published online, meaning its inquiry focused on the previous government’s Data Protection and Digital Information (DPDI) Bill – which was dropped from the legislative agenda during the UK’s pre-general election “wash up” period.

While the EC’s adequacy decision will rest on the exact contents of DUAB – for which there is still no official Keeling Schedule – it will be looking to assess whether the framework provides an essentially equivalent level of data protection for EU citizens’ data.

While some of the more controversial measures contained in the previous DPDI Bill – including removing the need for data protection impact assessments and abolishing the dual biometrics and surveillance camera commissioner role – have been dropped in the DUAB, many aspects of it have been carried over.

There are also a number of new measures that may create fresh adequacy-related problems, particularly changes to the international data transfer regime for police.

While an amendment to the DUAB was tabled by Liberal Democrat peer Lord Clement-Jones that would have required the secretary of state to carry out a formal impact assessment of the bill concerning the UK’s data adequacy, government ministers argued against it during the Lords first committee stage on 16 December 2024.

Responding to Clement-Jones during that debate, Baroness Jones, parliamentary under-secretary of state at the Department for Science, Innovation and Technology (DSIT), said maintaining adequacy was a priority for the government, noting that the free flow of personal data with the EU is vital to research, innovation and safety.

“For that reason, the government is doing all that it can to support its swift renewal. I reassure noble Lords that the bill has been designed with EU adequacy in mind,” she said.

“The government has incorporated robust safeguards and changed proposals that did not serve our priorities and were of concern to the EU. It is, though, for the EU to undertake its review of the UK, which we are entering into now. On that basis, I suggest to noble Lords that we should respect that process and provide discretion and not interfere while it is underway.”

A similar position has been adopted by information commissioner John Edwards, who in response to the DUAB said: “Whilst ultimately a decision for others, in my view the proposed changes in the bill strike a positive balance and should not present a risk to the UK’s adequacy status.”

However, the position of the UK government and ICO differs significantly from the views of a number of specialists familiar with both the EU LED and the UK DPA Part Three. Computer Weekly contacted the Home Office about what robust safeguards have been put in place, and which DUAB proposals have been changed that were of concern to the EU, but received no response on this point.

National security or law enforcement?

Chris Pounder – director of data protection training firm Amberhawk – wrote in a blog post that the DUAB would allow the secretary of state to designate that certain police datasets can become subject to Part Four national security rules, rather than Part Three law enforcement rules, over which the ICO has limited enforcement powers.

“The proposal has the effect of taking large volumes of personal data out of the UK’s data protection regime,” he wrote.

Part Four processing is also completely separate from the LED or GDPR and has no equivalent in EU law, effectively lifting police data out of the scope of EU law in instances where the secretary of state decides police and intelligence bodies can share the data.

Computer Weekly contacted the Home Office about the removal of policing data from the data protection regime, but received no on-the-record response on this point.

Pounder further noted that while the ICO is being abolished in favour of the “Information Commission”, the problem remains in the DUAB that the secretary of state will be able to appoint the most important members of the Commission, which has the potential to give them undue influence over the new body’s decision-making processes.

“The Commission still has to have regard for: the desirability of promoting innovation and competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard national security,” he wrote. “In other words, these ‘regards’ could fetter decisions to protect the privacy of data subjects.”

Pounder added the DUAB will also permit the secretary of state to apply a “data protection test” when considering whether a country, part of a country, or a controller located in a country offers an adequate level of protection.

He said the provisions will increase the risk of divergence from EU transfer standards if the EC and UK government have differing views on what “adequate” means here. “Also I don’t understand how a country is not deemed adequate, but a controller, processor, or recipient located in that country is,” Pounder added.

While the UK has already taken steps to award its own law enforcement adequacy to countries not recognised by the EU – including the Isle of Man, Jersey and Guernsey – the EU has not yet reacted to these changes.

Thomas Barrett, a partner at CyXcel who leads the organisation’s data protection and privacy practice, and has previously advised the Home Office and Ministry of Justice on compliance with the DPA 2018, said there are certain scenarios where specialist police units within forces may have to collaborate with intelligence services for particular operations – for example, in terrorism cases where intelligence services have information but no power of arrest as police do – adding that while “it raises red flags … I would be surprised how many of these are made”.

He added that in cases where this power is used, it has the potential to be “more targeted, more proportionate, and safer,” because only one set of data protection requirements would apply to this processing, rather than potentially three currently.

As a result, Barrett said the changes being made to UK law via the DUAB are very unlikely to materially affect the country’s LED adequacy.

“It would be counter-productive to remove adequacy over such small changes … there’s so much [law enforcement] cooperation. … Looking at the detail, I struggle to see how you really make hay of a lot of it.”

He said the real risk to LED adequacy therefore lies at “the political level”, which will be decided between the EC and the UK government.

Law enforcement transfers

Independent privacy consultant Owen Sayers, a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector, said for the first time UK legislation would place individual data processors – such as cloud providers – on the same broad footing as overseas law enforcement organisations, exempting them from the list of mandatory transfer conditions outlined in Article 39 of the LED.

This includes that the transfers be strictly necessary, that no data subject rights override the public interest of the transfer, that transferring to another policing body – or “competent authority” in LED parlance – would be ineffective, and that the controller provides specific instructions of how to process the data in that particular case.

Under the UK’s current law enforcement-specific data protection rules, police data controllers are bound by the DPA 2018’s stringent transfer requirements, which fully mirror EU law.

This means that, as it stands, each individual law enforcement data controller must ensure that a contract in writing exists between itself and the data processor, which sets out details of the processing, including its duration, nature, and the type and categories of personal data involved. To be valid, the contract or terms of service must be explicit in how they meet the DPA requirements.

Police data controllers are also required to ensure the processor seeks and receives permission before transferring data to a third country, for each particular transfer made. This means each transfer must be assessed on a case-by-case basis.

Police data controllers are further required to perform a case-by-case analysis and justification for all personal data offshored to such processors, and to report this to the ICO. Although police forces have used Microsoft and Amazon Web Services services for the past six years – meaning millions of these transfers will have taken place – the ICO revealed in a Freedom of Information (FoI) response to Sayers that only 148 such notifications had been received up to June 2023.

As previously reported by Computer Weekly, the use of hyperscalers under current UK law presents a number of data protection concerns, including US government access via the country’s invasive surveillance laws, and an inability to comply with the strict transfer requirements contained within the DPA 2018.

In June 2024, Computer Weekly reported details of discussions between Microsoft and Scottish policing bodies – obtained via FoI rules – in which the tech giant admitted it could not guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

As a result of these FoI responses, Sayers said the law is breached far more often than it is adhered to: “The evidence to show that multiple parts of the Part Three legislation are consistently breached or simply ignored by policing and their justice partners is overwhelming. In truth, the number of organisations who do apply the law as it’s currently written is less than a handful, though those that do so do it very well.”

Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), said these issues mean it is an open question whether cloud providers can adhere to Part Three requirements in practice. “Given the issues around sovereignty, is a cloud provider able to enforce the contractual agreements entered into with the police? I think that’s an issue that would cause concern,” he said.

Since the re-election of Donald Trump, delli Santi pointed out that the US government has broken several adequacy-related commitments made to the EU around enhancing scrutiny and ensuring the proportionality of their intelligence services operations.

“The Trump Administration fired members of the Privacy and Civil Liberties Oversight Board, and then doubled down with the Federal Trade Commission. Both bodies were fundamental pieces of the EU-US Data Protection Framework [DPF] which, at this point, is quite certain to be struck down by the CJEU,” he said, adding the UK-US Data Bridge, which acts as an extension of the DPF, will also go down if the EU invalidates the framework.

“It has now become obvious that the EU-US DPF will not last for long, and it has just as obviously become unfeasible to rely on US cloud providers for storing personal data unless you are willing to compromise the security and sovereignty of the data you transfer. Indeed, European lawmakers have already started to discuss this.

“Based on all the above, it is now a fact that relying on US cloud services constitutes a threat to the sovereignty, security and autonomy of the UK. Until now, this has been treated as a risk-mitigation issue at best, or something to be swept under the carpet at worst.”

Highlighting the lack of clarity from the UK data regulator around cloud data sovereignty and the applicability of standard contractual clauses in this context, delli Santi said this has created a grey area in which transfers have been allowed to continue.

“The UK government, on their side, have tried to formalise this approach with the DUAB, which introduces a new data transfer regime specifically designed to accommodate the ICO’s ‘tolerant approach’ toward data transfers that lack effective safeguards, and allow data transfers to countries such as the United States by sidestepping human rights and data security concerns.”

He added that “the UK needs an exit plan to progressively cut reliance on US digital infrastructure and services – and we need this plan fast”, which includes contingencies to move away holding companies or subsidiaries of US firms geographically based in Europe, which still fall under US jurisdiction.

“Any of these companies are under an obligation to cooperate with law enforcement and international security authorities in the United States, which can be ordered to hand over data without necessarily having to tell the contracting party,” said delli Santi.

According to the government’s explanatory notes published for the DUAB in October 2024 (paragraph 1022), Schedule 8 of the bill seeks to widen the transfer conditions “by expanding the list of intended recipients to specifically include processors acting on behalf of, and in accordance with a contract with, a controller”.

It added that while transfers to processors in third countries are currently permissible, “this amendment clarifies the existing law and provides legal certainty to UK controllers that they can transfer personal data to their processors operating outside of the UK”.

The explanatory notes also specify that the DUAB will no longer require “controllers to notify the commissioner on each occasion data is transferred; it simply requires notification of the categories of information” that will be transferred.

However, Sayers argued that even if the US government does utilise its various surveillance laws to gain access to UK data, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.

“These steps are not being followed, and Microsoft has made clear that they cannot be followed – actually, they’ve said ‘impossible to operationalise’. Because the steps laid down in the DPA 2018 Part Three are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law,” he said.

“It makes zero difference if the US government bogeyman tries to use the Cloud Act to look at the data or not, as the data was illegally transferred regardless of the Cloud Act.”

He added: “The intention [of the new DUAB] is to put non-UK processors – principally hyperscalers – on the same broad legal footing as overseas law enforcement organisations.”

He pointed out that the bill would enable UK policing bodies to send data overseas to offshore processors with minimal restrictions. “The bill actually puts overseas processors above overseas law enforcement processors, in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subject’s rights in advance of sending the data.”

Sayers added that while these and other changes to Part Three would be directly contradictory to EU law, the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and thus moves to block UK data transfers.

He further added that individual member states may also deem UK laws to be too divergent from their domestic laws to continue to send data, noting the chance of this is high given there are 27 member states, each with their own implementation of the LED.

“You can 100% use cloud for law enforcement data, but it needs to be sovereign and fully conformant with the law. If you need to change the law to accommodate a specific provider, then you’ve picked the wrong supplier.”

Computer Weekly contacted the Home Office about the changes to the law enforcement data transfer regime, and UK policing’s track record of non-compliance with existing data rules via its use of hyperscalers.

A Home Office source told Computer Weekly that the use of cloud providers, in particular, has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security, and high standards of protection will continue to be applied.

‘Systemic’ transfer issues

Clement-Jones highlighted how cloud service providers routinely process data outside the UK and are unable to provide necessary contractual guarantees to policing bodies, as required by Part Three. “As a result, their use for law enforcement data processing is, on the face of it, not lawful,” he told the House of Lords.

He added this non-compliance creates significant financial exposure for the UK, including potential compensation claims from data subjects for distress or loss, something that is exacerbated by the sheer volume of data processed by law enforcement bodies: “If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually.”

Clement-Jones concluded that the government’s attempts to change the law suggest that past processing on cloud service providers has not been compliant with the relevant data protection laws.

As a result, he proposed an amendment “to bring attention to the fact that there are systemic issues with UK law enforcement’s new use of hyperscaler cloud service providers to process personal data”, which would strictly limit overseas transfers to law enforcement bodies with “a legitimate operating need” – that is, not cloud service providers.

While the Lords were not invited to take a decision on Clement-Jones’s hyperscaler amendment, government minister Baroness Jones said the DUAB’s “bespoke path for personal data transfers from UK controllers to international processors is crucial … [as] we need to ensure that law enforcement can make effective use of them to tackle crime and keep citizens safe”.

She added the aim of the DUAB’s reform around international law enforcement transfers “is to provide legal clarity in the bill to law enforcement agencies in the UK so that they can embrace the technology they need and make use of international processors with confidence”.

She added: “Such transfers are already permissible under the legislation, but we know that there is some ambiguity in how the law can be applied in practice. This reform intends to remove those obstacles. The noble Lord would like to refrain from divergence from EU law. I believe that in this bill we have drafted the provisions, including this one, with retaining adequacy in mind.”

Barrett said the DUAB will clarify the law in ways that make it easier to put in place contractual provisions and other measures that adequately protect the data: “One of the biggest problems in data protection generally, but particularly here, is a lack of understanding and a lack of clarity … anything that can make it clearer and easier to follow for individuals that have to apply this stuff can only be a good fit.”

Sayers made a similar argument, noting that while many data protection practitioners believe the EU or UK GDPR to be the gold standard of legislation, they “simply fail to recognise that GDPR has a sister piece of legislation in the LED that is sufficiently different that you cannot apply GDPR thinking to it”.

He added: “This is a problem I see day in, day out, where a GDPR hammer is used to try to fix an LED nail, and even the ICO is not immune to confusing the two different sets of laws.”

According to delli Santi, the approach to transfers under the DUAB as it stands is “formalising an approach that has already been changed”. He added that given the deep commercial, governmental and cultural ties between the UK and EU, “the impact of divergence is amplified significantly”. 

Police data logging requirements

The DUAB as introduced will also seek to remove the statutory logging requirements of Part Three, which would allow police to access personal data from various police databases during investigations, without having to manually record the “justification” for the search.

The removal of police logging requirements, however, could represent a further divergence from the EU’s LED, which requires logs to be kept detailing how data is accessed and used.

“The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data,” says the LED.
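To make the LED logging requirement quoted above concrete, here is an added example (not code from Computer Weekly, the UK government or any police system) that audits a constructed access log against the fields the directive names: the justification, the date and time, and, as far as possible, who consulted or disclosed the data and who received it. The JSON-lines format, the field names (`operation`, `timestamp`, `user_id`, `justification`, `recipients`) and the denylist of boilerplate justifications are all assumptions for illustration; the sample records are constructed and contain no real data.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# LED logging fields, as quoted in the article: logs of consultation and disclosure
# must make it possible to establish the justification, date and time of the
# operation and, as far as possible, who performed it and who received the data.
# Field names below are an assumption for this example, not a standard schema.
REQUIRED = ("operation", "timestamp", "justification")
BEST_EFFORT = ("user_id",)        # identification of the person consulting/disclosing
RECIPIENT_OPS = {"disclosure"}    # recipients are only meaningful for disclosures

# Constructed denylist (an assumption): entries that record no real reason.
GENERIC_JUSTIFICATIONS = {"routine checks", "routine check", "check", "n/a", "none", "-", ""}

# Constructed sample log, one JSON object per line. Not real police data.
SAMPLE_LOG = """\
{"operation": "consultation", "timestamp": "2024-06-03T09:14:02Z", "user_id": "pc1042", "record": "REC/1", "justification": "Investigation ref OP-1234: suspect vehicle check"}
{"operation": "consultation", "timestamp": "2024-06-03T09:20:55Z", "user_id": "pc1042", "record": "REC/2"}
{"operation": "consultation", "timestamp": "2024-06-03T10:01:17Z", "user_id": "pc2210", "record": "REC/3", "justification": "routine checks"}
{"operation": "disclosure", "timestamp": "2024-06-03T11:45:00Z", "user_id": "pc2210", "record": "REC/3", "justification": "Disclosure under data-sharing agreement 7", "recipients": ["partner-agency-A"]}
{"operation": "disclosure", "timestamp": "2024-06-03T11:46:30Z", "user_id": "pc3311", "record": "REC/4", "justification": "Share with partner"}
{"operation": "consultation", "timestamp": "not-a-time", "record": "REC/5", "justification": "Missing person enquiry MP-88"}
"""


def check_record(rec: dict) -> list[str]:
    """Return a list of deficiencies for one log record (empty list means compliant)."""
    findings = []
    for field in REQUIRED + BEST_EFFORT:
        if field not in rec:
            findings.append(f"missing:{field}")
    if "timestamp" in rec:
        # Accept ISO 8601; a record whose time cannot be established is useless as evidence.
        try:
            datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            findings.append("unparseable:timestamp")
    justification = rec.get("justification")
    if justification is not None and justification.strip().lower() in GENERIC_JUSTIFICATIONS:
        findings.append("generic:justification")
    if rec.get("operation") in RECIPIENT_OPS and not rec.get("recipients"):
        findings.append("missing:recipients")
    return findings


def audit(log_text: str) -> dict:
    """Audit a JSON-lines log; summarise deficiencies overall and per user."""
    per_finding = Counter()
    deficient_by_user = defaultdict(int)
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        total += 1
        findings = check_record(rec)
        per_finding.update(findings)
        if findings:
            deficient_by_user[rec.get("user_id", "<unknown>")] += 1
    return {
        "records": total,
        "findings": dict(per_finding),
        "deficient_by_user": dict(deficient_by_user),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

Run against the constructed sample, the audit flags one record with no justification at all, one with a boilerplate justification, one disclosure with no recipient recorded, and one record with neither an identifiable user nor a parseable time. A per-user count of deficient records is the kind of signal a misconduct investigation would want alongside the who-and-when fields.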

Clement-Jones told Computer Weekly that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could “absolutely” be a problem for the UK’s LED adequacy retention. He added that given these clear access and control issues, the potential removal of police logging requirements is “egregious”.

Computer Weekly contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.

Speaking during the 16 December Lords debate on the bill against the removal of justification logging requirements, Clement-Jones said: “The public needs more, not less, transparency and accountability over how, why and when police staff and officers access and use records about them.”

He added that while policing systems typically capture when, how and by whom data has been accessed, they “very rarely” capture the justification. This is despite the fact that Article 63 of the LED provided a grace period from May 2018 to May 2023 for member states to implement justification recording mechanisms to bring their legacy systems into compliance with the directive – new systems procured from May 2016 onward were required to comply from the start.

To alleviate the issue, Clement-Jones tabled a further amendment to ensure the logging requirements remain, which would “prevent material divergence from the EU Law Enforcement Directive”; although this was also withdrawn.

He also highlighted that “many commodity IT solutions” procured by policing organisations do not capture justifications by default, noting that while a “transitional relief” period was put in place with the introduction of DPA 2018 to modify legacy systems installed before May 2016 – later extended to May 2023 – UK law enforcement bodies did not in general make the required changes.

“Nor, it seems, did it ensure that all IT systems procured after 6 May 2016 included a strict requirement for LED-aligned logging. By adopting and using commodity and hyperscaler cloud services, it has exacerbated this problem,” he said, noting the government now wishes to strike the justification requirements completely.

“This is a serious legislative issue on two counts: it removes important evidence that may identify whether a person was acting with malicious intent when accessing data, as well as removing any deterrent effect of them having to do so; and it directly deviates from a core part of the law enforcement directive and will clearly have an impact on UK data adequacy.”

DSIT claims that removing the logging obligation will save 1.5 million police officer hours a year and save £42.5m for the public purse, but Sayers pointed out that the published impact assessments don’t so far evidence these claims.

“The reality is that most police IT systems don’t have the means to capture the required data,” said Sayers, who was previously involved in the design and delivery of many UK national police systems.

“The factsheets identify this technology problem, which exists on cloud as well as legacy systems like the PNC [Police National Computer], but instead of addressing the issue the government simply want to strike the difficult bits out of the act.”

He added: “The real reason they don’t want to capture the information is they’ve failed to invest any money in upgrading the legacy IT, and the new systems they’ve adopted don’t capture that information by default – and can’t be made to do so.”

DSIT claims that capturing “justification is likely to be of little use in a misconduct investigation”, but Sayers poured cold water on this.

“Public trust, the safety of vulnerable people, as well as the protection of police staff from claims of improper conduct, all rest on being able to prove that access to data was legitimate,” he said.

Home Office figures show police staff misuse of data to be a significant issue, with 1,630 recorded cases investigated in the year to March 2023, the last figures available.

However, Barrett said the removal of justification logging is not a problem, adding it’s more important to have the ability to track who accessed data and when, “because if you’re a bad actor you’re not going to put down the real reason … if you’ve already got access to these kinds of systems, you’re not an idiot, and so you’re going to put something like ‘routine checks’ or some other bland, uninteresting, non-determinative thing”.

He further added that inputting justifications only increases the administrative burden on police, and that while it is very common, even in much older computer systems, to be able to log time and dates, many systems are simply not architected to record justification.

He added: “We’d be much better off making sure that all the systems are really good at recording time and access, because the reality is, in your investigation, that’s going to be the thing that you’re looking at. Not whatever fanciful thing a bad actor has decided to enter as the fake justification for the access.”

During the DUAB debate, Baroness Jones insisted the removal of logging requirements “is not a watering down of provisions. We are just making sure that the safeguards are more appropriate for the sort of abuse that we think might happen in future from police misusing their records.”

While the DUAB has since progressed to readings in the House of Commons, the police data issues were not addressed – outside of vague references to reducing the administrative burden on police officers. It is currently in the committee stage, which will be followed by the report stage and a third reading.

So far, the police data issues have not been discussed during the committee stage.


UK law enforcement data adequacy at risk

The UK government has introduced its Data Use and Access Bill (DUAB) to Parliament, but proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).

Currently going through the committee stage of Parliamentary scrutiny, the DUAB will amend the UK’s implementation of the EU Law Enforcement Directive (LED), which is transposed into UK law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three – which include allowing routine transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules – could present a challenge for UK data adequacy.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government’s DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.

For example, while the DPA 2018 does allow for overseas transfers to “non-law enforcement recipients” – that is, cloud providers – this is only permissible if the data controller can show it is strictly necessary to do so. This means information can only be sent on a case-by-case basis for specific, limited purposes when there is no other, less intrusive means of achieving the same goal.

However, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global “follow-the-sun” model.

To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.

Commenting on the transfer issue during a DUAB debate in the House of Lords, Liberal Democrat peer Tim Clement-Jones highlighted how, as it stands, cloud service providers routinely process data outside the UK, and are unable to provide necessary contractual guarantees to policing bodies as required by Part Three: “As a result, their use for law enforcement data processing is, on the face of it, not lawful.”

He added: “The government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR [General Data Protection Regulation] and the DPA.”

Through the DUAB, the government has also expanded the list of lawful recipients to now include “a processor whose processing … is governed by, or authorised in accordance with, a contract with the controller that complies with section 59”, which outlines key elements that must be contained in any contract between a law enforcement controller and processor. 

This includes specific details of the exact types of data, the categories of data subjects and the specific purpose of the processing, as well as explicit guarantees from the processor about how it will comply with all the requirements of Part Three.

However, given the international nature of the data sharing that takes place on commodity hyperscale architecture, cloud providers are either unable or unwilling to make contractual guarantees that satisfy all aspects of Part Three.

As Microsoft told the Scottish Police Authority (SPA), in relation to its Azure-hosted Digital Evidence Sharing Capability, the company “cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise”.

All of this effectively means that under the DUAB, the data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to LED conditions around strict necessity.

Similarly, while the LED provided a five-year grace period to ensure all legacy police systems could record justification logs for why a particular piece of information has been accessed – with systems procured after May 2016 required to have this capability from the start – most policing systems in the UK still do not have it.

Instead, the UK government has simply removed the requirement to record these justifications, arguing that the change will save police time and that the data has little evidentiary value because people are unlikely to record an honest justification anyway.

According to Owen Sayers – a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector – changing the law in this way will permanently diverge UK law from the LED requirements.

He added that while UK police have been breaking the law in practice since the DPA came into effect in May 2018, the law they were breaking was at least aligned to those in the European Union.

“Even though in practical terms the UK hasn’t actually been protecting personal data as they’re required to under the LED, their law did at least give recourse to a data subject to take action about this processing (even if no one actually did so),” he said.

“Once DUAB comes into force, however, the landscape has totally changed. Not only will UK law enforcement bodies be sending massive amounts of personal data (including a lot of data about EU citizens) offshore to a range of countries not deemed adequate by the EU, but UK law will have changed to make it legal for them to do so.

“By making these changes under DUAB, the government have thrown into sharp relief that law enforcement bodies are breaching the law today – they’ve literally confirmed it by modifying the law to give Microsoft and AWS this special status.”

Computer Weekly contacted the Home Office about the threat to the UK’s LED adequacy created by the government’s proposed changes to the law enforcement data protection regime.

“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK’s adequacy decisions in mind when producing this bill,” said a spokesperson. “Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”

A Home Office source told Computer Weekly that the use of cloud providers in particular has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security and high standards of protection will continue to be applied.


Perimeter security appliances source of most ransomware hits

Compromised or vulnerable perimeter security appliances and devices – especially virtual private networks (VPNs) – formed the initial access vector in over half of observed ransomware attacks during 2024, according to data released this week by cyber security insurance provider Coalition in its latest annual threat report.

US-based Coalition, which began offering its so-called Active Insurance policies in the UK back in 2022, said that cyber criminals compromised such appliances in 58% of claims with which it dealt during 2024, with the second most widespread access point being remote desktop products, blamed in 18% of claims.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much – they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, head of security products at Coalition.

“This means that businesses can have a reliable playbook too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

Unsurprisingly, the most commonly compromised products were all built by ‘household’ names in the industry, including the likes of Cisco, Fortinet, Microsoft, Palo Alto Networks and SonicWall. The most common initial access vectors (IAVs) were stolen credentials, used in 47% of such intrusions, and software exploits, seen in 29% of cases.

Coalition’s analysts warned that exposed logins were fast emerging as an underappreciated and acute driver of ransomware risk. The company said it detected more than five million remote management solutions and tens of thousands of login panels exposed on the public internet. According to its data, most applicants for cyber insurance (65%) had at least one internet-exposed web login panel, and securing these is a requirement for buying its products.

Out of these, the most commonly exposed admin login panels related to VPNs from Cisco and SonicWall, which between them accounted for over 19% of detected exposed panels, followed by Microsoft email services.

In 2024, Coalition also observed a significant number of exposed Citrix panels, which caused significant losses, including more than a billion dollars from the infamous Change Healthcare incident in the US, in which a ransomware gang used stolen Citrix credentials and exploited a lack of multifactor authentication to access the victim’s systems.

CVEs set to jump in 2025

As part of the set of services Coalition provides, it sends out zero-day alerts to its customers as and when new vulnerabilities are discovered, and constantly monitors for new vulnerabilities.

As such, its annual report also includes data on some of the more widespread common vulnerabilities and exposures (CVEs) it saw in 2024 – issues with Citrix, Fortinet, Ivanti and Palo Alto Networks prominent among them.

Looking ahead to 2025, Coalition’s analysts said the number of published vulnerabilities would likely increase to more than 45,000, a rate of nearly 4,000 every month, up 15% over the first 10 months of 2024.

This aligns closely with data released in February by the Forum of Incident Response and Security Teams (FIRST), a non-profit, which suggested that CVE volumes may even top 50,000 this year.

A combination of new players in the CVE ecosystem, evolving disclosure compliance practices and a rapidly expanding attack surface are likely behind the growing number of vulnerabilities being reported on.

“This year’s report focuses on the most crucial security risks that under-resourced organisations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, senior security researcher at Coalition.

“Calibration involves balancing security investment across vulnerabilities, misconfigurations and threat intelligence, while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMEs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritising those posing the greatest risk.”


IR35 reforms: HMRC’s assessment of private sector impacts called into question

The news that HM Revenue & Customs (HMRC) has collected £1bn more in tax than expected from the 2021 private sector roll-out of the IR35 reforms should not be considered a sign of the initiative’s success, IT contractor market stakeholders claim.

The government tax collection agency published figures in late February 2025 about the impact caused by extending the IR35 reforms to the private sector in April 2021, in terms of how many workers were affected by the changes and how much additional tax HMRC raised by introducing them.

The reforms, introduced as part of HMRC’s ongoing clampdown on disguised employment, were originally rolled out to the public sector from April 2017, and saw contractors cede responsibility to the end-client organisations engaging them for determining whether their work means they should be taxed like an employee (inside IR35) or in the same way as an off-payroll worker (outside IR35).

Several years later, the government announced plans to extend the reforms to medium to large private sector businesses, which – following a 12-month delay due to the Covid-19 coronavirus pandemic – occurred in April 2021.

According to HMRC’s figures, around 120,000 individuals who were providing services through their own limited companies or personal service companies (PSCs) were “likely to have been affected” by extending the reforms to the private sector in April 2021.

This includes contractors who may have had their engagements classified as inside IR35 as a result of the changes, and individuals who may have opted to provide their services through an umbrella company since April 2021, confirmed HMRC.

It is worth noting that HMRC originally forecast that the reforms would affect 170,000 individuals, according to a document published on 3 April 2020 that outlined the government’s rationale for rolling out the reforms and the projected benefits the move would generate.

That same 2020 document also predicted the reforms would generate an additional £2.395bn in unpaid tax, generated over the course of three tax years spanning 2020/21 to 2022/23.

However, HMRC’s February 2025 impact assessment data shows the reforms generated £1.8bn more than projected across the three tax years spanning 2021-2023, despite 50,000 fewer people than expected finding themselves in scope of the private sector reforms.

The discrepancies in the figures have raised eyebrows among contracting market stakeholders, including Dave Chaplin, CEO of contracting authority ContractorCalculator, who told Computer Weekly that HMRC’s calculations simply do not add up.

“It’s implausible that 50,000 fewer people could generate 75% more tax revenue. The 120,000 figure seems significantly underestimated,” he said.

“If the original projection of £2.4bn was based on 170,000 people, that equals £14,088 per person. Using this same rate, achieving the new projection of £4.2bn would require 298,121 people – not 120,000.”


Chaplin continued: “The only reasonable conclusion is that HMRC’s figure of 120,000 affected individuals is incorrect. Our calculations indicate 58% of the original PSC population (510,000) was affected – not the claimed 23%, which is more than double HMRC’s estimate.”

Speaking to Computer Weekly, Andy Chamberlain, director of policy at the Association of Independent Professionals and the Self-Employed (IPSE), said there were a couple of different ways that HMRC’s figures could be interpreted.

For one, the fact the reforms have raised £1bn more than expected suggests that, in HMRC’s quest to improve the private sector’s IR35 compliance, what it has actually achieved appears to be a sizeable “overcompliance” with the rules.

“[This is] where individuals were forced onto payroll even though they were genuinely in-business and in ‘outside IR35’ roles,” he said.

In the lead-up to both the public and private sector IR35 reforms being rolled out, Computer Weekly reported on numerous instances where organisations tried to fast-track their compliance with the reforms in several ways.

Some sought to reduce the additional administrative burden the reforms put on them by declaring all the contractors they engaged as working inside IR35.

Other organisations side-stepped the reforms by issuing blanket hiring bans on off-payroll workers. This led to many insisting the contractors they engaged could only continue to provide services to them if they did so through an umbrella company, as the IR35 rules do not apply to umbrella employees.

“Some that were forced into umbrellas were able to put their rates up, so the gross pay, and therefore the tax take, was higher,” continued Chamberlain.

Computer Weekly contacted HMRC to ask if it could give an account as to why more tax has been generated than expected from fewer than anticipated affected individuals, but the government department did not directly answer the question.

It is an issue, however, that HMRC appears to address in its February 2025 impact report with the acknowledgment that there has been a “small change” in its “initial estimates of the numbers of workers affected and the additional tax revenues generated” due to “newer data becoming available” and “improvements in [HMRC’s] methodology”.

Either way, Chaplin described the HMRC data discrepancies as “concerning” because it shows its data is “unreliable” and yet these numbers are what the department is holding up as proof the reforms have had the desired result.

“[This data] further undermines confidence in the official narrative and suggests policy decisions were based on flawed information rather than accurate assessments of the freelance market’s reality,” he said.

HMRC further revealed in its private sector IR35 impact assessment that the reforms may have partly contributed to a downturn in the number of new PSCs being created, which suggests the reforms may have put some people off becoming self-employed.

“We estimate around 45,000 fewer new PSCs formed around the time of the reform, up until the end of March 2022, compared to what we might have expected to happen based on historical trends,” said HMRC.

“These workers may have instead chosen to work in a different way, and we expect they will have remained, or started, working as employees.”

The way Chaplin sees it, HMRC’s data suggests the reforms have “stripped a quarter of legitimate freelancers of their self-employment status” and have “unnecessarily restricted the flexible workforce precisely when economic growth demands their contributions most”.

He added: “I think we can rightfully conclude that HMRC’s models and research should be taken with the annual output of a salt refinery – that is, with extreme scepticism.”


Quantum computing in cyber security: A double-edged sword

Despite investor scepticism, prominent quantum computing stocks have seen a notable rise at the beginning of 2025. Even prominent tech leaders like Jensen Huang and Mark Zuckerberg stating the field won’t be profitable hasn’t stopped investors and the wider public from being excited. 

In cyber security, however, quantum computing offers both unprecedented capabilities and significant threats, making it a double-edged sword that demands careful navigation. Just as white hat hackers can use it to bolster defences, their malicious counterparts might be able to supercharge their efforts, too. 

But how do we grapple with this quantum quandary? That’s exactly what we’ll tackle in this article, as organisations must collectively ensure they are not blindsided by the risks while leveraging the technology’s advantages.

Because qubits can be placed in superposition and made to interfere, quantum computers can solve certain mathematical problems – notably integer factoring and discrete logarithms – with exponentially fewer operations than the best known classical algorithms. This is not a general speed-up: most workloads gain nothing, which is why the security impact is concentrated on specific cryptographic problems.

For cyber security, this means a sufficiently large quantum computer could break the public-key schemes in widest use: RSA, whose security rests on the difficulty of factoring a product of two large primes, and elliptic curve cryptography (ECC), which rests on the elliptic curve discrete logarithm problem.

These encryption standards form the backbone of secure online communication, financial transactions, and digital identity verification.

The versatility of quantum computing goes beyond cracking encryption. Its computational power could, proponents argue, revolutionise cyber security applications by improving pattern recognition, anomaly detection and optimisation algorithms. If that advantage materialises, tasks that once took days or months could be executed within minutes, drastically reducing response times to potential threats.

Breaking encryption: A looming threat

Today’s public-key cryptography rests on mathematical problems that no classical computer can solve within a practical timeframe, and it is this class of cryptography that faces obsolescence in the quantum era. Shor’s algorithm, which runs on a quantum computer, factorises large integers in polynomial time; because an RSA private key can be computed directly from the factors of the public modulus, that breaks RSA outright. Symmetric ciphers and hash functions are affected far less: Grover’s algorithm at most halves their effective key length, so AES-256 and SHA-256 remain adequate.

Just for comparison, in the context of Shor’s algorithm:

  • A traditional computer running the best known classical method, the general number field sieve, would need trillions of years to factor a 2,048-bit RSA modulus.
  • A large, fault-tolerant quantum computer running Shor’s algorithm could do it in hours: one widely cited 2019 estimate put the cost at roughly eight hours using about 20 million noisy physical qubits. No machine of that scale exists; today’s largest devices have on the order of a thousand noisy physical qubits.

Similarly, elliptic curve cryptography (ECC), celebrated for its efficiency, falls to a variant of the same algorithm that solves the elliptic curve discrete logarithm problem; because ECC keys are short, published resource estimates suggest a 256-bit curve needs fewer logical qubits to break than RSA-2048 does. This vulnerability jeopardises everything from personal data protection to national security.
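
As an added illustration (not code from the article, nor from any quantum toolkit), the Python below carries out the classical half of Shor’s algorithm against a toy RSA key. The quantum circuit in Shor’s algorithm does only one job: finding the period r of a^x mod n. Everything else – choosing a random base, checking that r is even, and taking gcd(a^(r/2) ± 1, n) to split the modulus – is ordinary classical arithmetic, and that is what this code does, with the quantum period-finding step replaced by brute force so it only works for tiny moduli. The key (p = 61, q = 53, e = 17) and the message 65 are the textbook example, constructed here for the demonstration; nothing about this scales to real keys, which is precisely the point: the hard part is the period finding.

```python
import math
import random
from typing import Optional, Tuple


def order_of(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), found by brute force.

    This is the only step of Shor's algorithm that needs a quantum computer:
    there it is done with the quantum Fourier transform in polynomial time.
    Here it is exponential-time trial multiplication, so it only works for toy n.
    The caller must ensure gcd(a, n) == 1, otherwise the loop never terminates.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: random.Random, max_attempts: int = 64) -> Optional[Tuple[int, int]]:
    """Shor's classical post-processing wrapped around an order-finding oracle.

    Returns (p, q) with p * q == n and p <= q, or None if every attempt failed.
    n is assumed odd and not a prime power, which holds for any RSA modulus.
    """
    for _ in range(max_attempts):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:
            # Lucky draw: the base already shares a factor with n.
            return (min(g, n // g), max(g, n // g))
        r = order_of(a, n)
        if r % 2:
            continue                      # odd period: pick another base
        y = pow(a, r // 2, n)             # square root of 1 mod n; useless if it is -1
        if y == n - 1:
            continue
        p = math.gcd(y - 1, n)            # y^2 == 1 and y != +-1, so gcd(y-1, n) is a proper factor
        if 1 < p < n:
            return (min(p, n // p), max(p, n // p))
    return None


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """Textbook RSA: d = e^-1 mod (p-1)(q-1). Needs Python 3.8+ for pow(e, -1, m)."""
    return pow(e, -1, (p - 1) * (q - 1))


def break_toy_rsa(n: int, e: int, ciphertext: int, rng: random.Random) -> Optional[int]:
    """Recover the plaintext from the public key (n, e) alone by factoring n."""
    factors = shor_factor(n, rng)
    if factors is None:
        return None
    p, q = factors
    d = rsa_private_exponent(p, q, e)     # the attacker now holds the private key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    # Constructed toy key: p = 61, q = 53, so n = 3233 and e = 17 (the classic textbook example).
    n, e = 3233, 17
    c = pow(65, e, n)                     # encrypt the message 65; gives 2790
    print("factors of n:", shor_factor(n, random.Random(2025)))
    print("recovered plaintext:", break_toy_rsa(n, e, c, random.Random(2025)))
```

With a real 2,048-bit modulus, `order_of` would never finish: the period is a number of roughly the same size as n, and brute-force search for it is exponential. Replacing that one function with a quantum period-finding circuit is the whole of Shor's contribution; the gcd bookkeeping around it is unchanged.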

Hence, experts fear that hackers equipped with quantum capabilities could decrypt intercepted communications, exposing sensitive corporate or governmental information. And we all know how hard it is for politicians to adapt to modern tech. 

Even data encrypted today could be at risk due to the “harvest now, decrypt later” strategy, where adversaries collect encrypted data now, anticipating quantum decryption in the future. The implications extend to industries like banking, healthcare and energy, where secure communication is paramount.

Strengthening cyber security with quantum technology

It’s not all doom and gloom, as quantum technology also offers defensive tools. Quantum Key Distribution (QKD), for instance, uses quantum mechanics to distribute symmetric keys: any attempt to eavesdrop on the quantum channel disturbs the state of the transmitted photons, which both parties can detect. The caveat is that QKD needs dedicated fibre or line-of-sight optical links, an authenticated classical channel and, over long distances, trusted relay nodes, and it only distributes keys. The UK’s NCSC and the US NSA both advise against relying on QKD for government and enterprise use, pointing to post-quantum cryptography instead.

In addition to QKD, quantum random number generation (QRNG) is another promising application. Where a deterministic generator expands a seed using an algorithm, QRNG draws its entropy from the inherent unpredictability of quantum processes. Raw QRNG output still has to be conditioned and health-tested before use, and a properly seeded cryptographic PRNG is not a known weakness today, so the gain lies in the quality and auditability of the entropy source rather than in defeating quantum attacks.

Last, but most certainly not least, quantum-enhanced machine learning could in principle aid in identifying and mitigating cyber threats by analysing large datasets more efficiently than classical systems, detecting subtle patterns indicative of an attack and enabling earlier intervention. Practical advantage for security workloads remains unproven, however, and today’s anomaly detection runs perfectly well on classical hardware.

Post-quantum cryptography: The immediate response

The cyber security industry is not waiting passively for the quantum threat to materialise. Post-quantum cryptography (PQC) aims to develop encryption algorithms resistant to both classical and quantum attacks. 

Standards bodies are already well advanced: the National Institute of Standards and Technology (NIST) published its first three PQC standards in August 2024 – FIPS 203 (ML-KEM, a key-encapsulation mechanism derived from CRYSTALS-Kyber), FIPS 204 (ML-DSA, a signature scheme derived from CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, the stateless hash-based signature scheme derived from SPHINCS+) – with further algorithms, including FN-DSA (Falcon), still to follow.

Despite the apparent defensive potential, transitioning to PQC involves significant logistical challenges. Organisations must inventory their cryptographic assets, evaluate quantum risks and implement new algorithms across their systems. 

For industries like finance and healthcare, where data sensitivity is paramount, the transition timeline could stretch into years, requiring immediate action to stay ahead of quantum advancements. 

The degree of difficulty gets even higher where legacy systems are relied upon. Many hard-code key sizes, certificate formats or protocol message lengths around RSA and ECC, and post-quantum keys and signatures are far larger – an ML-DSA-65 signature is about 3.3KB, against 64 bytes for ECDSA P-256 – so crypto-agility is rarely something developers of old designed in.

Likewise, PQC adoption requires extensive testing to ensure compatibility with existing systems and resilience against emerging threats. This, unfortunately, means allocating additional resources to train personnel, upgrade infrastructure and maintain compliance with evolving regulatory requirements.

Mr Hyde: How cyber criminals benefit from quantum computing

We’ve spent a lot of time discussing how quantum computing can aid in defending our data, but white hat hackers and red teams aren’t the only ones interested in these advancements. 

Nation states and cyber crime conglomerates with nine-figure sums to spend will certainly finance the R&D of offensive tools, which can pose problems for everyone from governments to small businesses. 

The most concrete offensive gain is the one already described: an adversary with a cryptographically relevant quantum computer can recover private keys from public ones, which undermines every authentication mechanism built on RSA or elliptic curve signatures – TLS server certificates, code signing, FIDO2 passkeys and smart-card logins among them. More speculative uses, such as quantum-enhanced pattern recognition for phishing or biometric matching, are far less certain. Either way, the threat lands on authentication mechanisms, access controls and user trust.

It is worth being precise about what is and is not exposed. A QR code is only an encoding; the risk lies in any signed or encrypted payload it carries, and a malicious QR code is an ordinary phishing problem today, no quantum computer required. Time-based one-time passwords (TOTP) rely on HMAC, a symmetric construction that Shor’s algorithm does not touch, whereas passkeys and certificate-based MFA depend on public-key signatures and will need migrating to post-quantum algorithms. Flaws in QR generation or scanning software are classical software bugs, and should be treated as such.

Regulatory and strategic considerations

Despite claims that quantum computing won’t become feasible or profitable for several decades, we must still prepare for that inevitable moment.

Governments and regulatory bodies are beginning to address the quantum challenge. Investments in quantum research and the establishment of frameworks for quantum-safe technologies are gaining momentum. 

For businesses, aligning with these initiatives is critical to ensure compliance and leverage state-of-the-art defences. Will cyber security become more expensive? Inevitably. But at the same time, there will be many more incidents than the 2,200 a day companies experienced in 2024.

Moreover, collaboration between the public and private sectors will play a pivotal role in quantum readiness. Sharing threat intelligence, standardising best practices, and incentivising quantum-safe transitions will strengthen collective security. 

Most importantly, governments must invest in building a robust quantum infrastructure to ensure that technological advantages are not monopolised by adversaries.

But how will we be able to balance between protectionism and benefiting the human race as a whole? We’ll find out sooner or later, that’s for sure.

Preparing for the quantum future

Quantum computing is no longer a distant possibility. Even if a cryptographically relevant machine is years away, the migration it forces takes long enough that organisations of all sizes must adopt a proactive stance now, integrating quantum risk assessments into their cyber security strategies. In particular, we must collectively focus on:

  1. Education and awareness: IT and cyber security teams must receive the right education on quantum concepts and their implications. Building in-house expertise will be critical to navigating the complexities of quantum integration.
  2. Cryptographic inventory: This means mapping current cryptographic use to identify vulnerable assets. It allows organisations to prioritise upgrades where they are most needed.
  3. Adopting PQC: Currently, the best option is to transition to the NIST-standardised algorithms – ML-KEM for key establishment, ML-DSA or SLH-DSA for signatures – ideally in hybrid mode alongside a classical algorithm during the transition, as the major browsers and CDNs already do for TLS by combining X25519 with ML-KEM. Early adoption minimises the risk of falling behind competitors or compliance requirements.
  4. Testing quantum services: Where they fit, organisations can pilot technologies like QKD and QRNG to evaluate their practical benefits. Testing in real-world scenarios ensures smooth integration and operational efficiency.
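
The inventory and prioritisation steps above lend themselves to a small worked example. The Python below is added here and is not part of the article; it applies the timeline test commonly attributed to Michele Mosca, which the article does not name: if the years the data must stay secret plus the years needed to migrate exceed the years until a cryptographically relevant quantum computer (CRQC) exists, the harvest-now-decrypt-later window is already open. The 10-year horizon, the algorithm tables and the six-system inventory are all constructed assumptions for illustration. It also makes explicit a nuance the article leaves implicit: signatures cannot be harvested and decrypted later, so only their migration time counts against the horizon, whereas key exchange and encryption inherit the shelf life of the data they protect.

```python
from dataclasses import dataclass
from typing import Dict, List

# Algorithm families grouped by what a CRQC does to them (illustrative, not exhaustive).
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EDDSA", "ED25519", "X25519", "P-256", "P-384"}
GROVER_WEAKENED = {"AES-128", "3DES"}          # key length effectively halved, not broken
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES-256", "SHA-256", "SHA-384", "SHA3-256", "HMAC-SHA256"}


@dataclass(frozen=True)
class CryptoUse:
    system: str
    algorithm: str
    purpose: str               # "key-exchange", "encryption" or "signature"
    shelf_life_years: float    # how long the protected data must remain confidential
    migration_years: float     # realistic time to move this system to a PQ algorithm


def quantum_risk(use: CryptoUse, years_to_crqc: float) -> Dict[str, str]:
    """Classify one cryptographic use against an assumed CRQC horizon (Mosca's inequality)."""
    alg = use.algorithm.upper()
    base = {"system": use.system, "algorithm": use.algorithm}
    if alg in PQ_SAFE:
        return {**base, "verdict": "ok", "reason": "no practical quantum attack known"}
    if alg in GROVER_WEAKENED:
        return {**base, "verdict": "weakened",
                "reason": "Grover's algorithm halves effective key length; move to a 256-bit key"}
    if alg not in SHOR_BROKEN:
        return {**base, "verdict": "review", "reason": "algorithm not in the classification table"}
    if use.purpose in ("key-exchange", "encryption"):
        # Traffic recorded today can be decrypted once a CRQC exists, so shelf life counts.
        exposure = use.shelf_life_years + use.migration_years
        if exposure > years_to_crqc:
            return {**base, "verdict": "migrate-now",
                    "reason": (f"harvest-now-decrypt-later: secrecy needed for {use.shelf_life_years:g} years "
                               f"plus {use.migration_years:g} years to migrate exceeds the "
                               f"{years_to_crqc:g}-year CRQC horizon")}
        return {**base, "verdict": "schedule",
                "reason": f"exposure of {exposure:g} years fits within the {years_to_crqc:g}-year horizon"}
    # Signatures: forgery needs a CRQC at the time of the attack, so only migration time matters here.
    # Caveat: verifiers that cannot be updated (e.g. a device's burned-in root of trust) should be
    # modelled like encryption with the device lifetime as shelf life; this toy model does not.
    if use.migration_years > years_to_crqc:
        return {**base, "verdict": "migrate-now", "reason": "migration would not finish before the CRQC horizon"}
    return {**base, "verdict": "schedule", "reason": "forgery risk only once a CRQC exists; migrate within the horizon"}


def triage(inventory: List[CryptoUse], years_to_crqc: float) -> List[Dict[str, str]]:
    """Rank every entry of the inventory, most urgent first."""
    order = {"migrate-now": 0, "weakened": 1, "review": 2, "schedule": 3, "ok": 4}
    results = [quantum_risk(u, years_to_crqc) for u in inventory]
    return sorted(results, key=lambda r: (order[r["verdict"]], r["system"]))


# Constructed sample inventory; the systems and figures are invented for the demonstration.
SAMPLE_INVENTORY = [
    CryptoUse("site-to-site VPN", "RSA", "key-exchange", shelf_life_years=15, migration_years=2),
    CryptoUse("public web TLS", "X25519", "key-exchange", shelf_life_years=1, migration_years=1),
    CryptoUse("firmware signing", "ECDSA", "signature", shelf_life_years=20, migration_years=3),
    CryptoUse("legacy HSM signing", "RSA", "signature", shelf_life_years=0, migration_years=12),
    CryptoUse("backup encryption", "AES-128", "encryption", shelf_life_years=15, migration_years=1),
    CryptoUse("archive encryption", "AES-256", "encryption", shelf_life_years=30, migration_years=1),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, years_to_crqc=10):
        print(f"{row['verdict']:12} {row['system']:20} {row['algorithm']:8} {row['reason']}")
```

The assumed horizon is the parameter that matters most: nobody knows the year a CRQC arrives, so run the triage at two or three horizons and see which systems change verdict. Long-lived secrets over RSA or ECDH key exchange come out as urgent at almost any plausible horizon, which is why TLS and VPN key establishment is where most organisations start.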

Conclusion

Quantum computing’s dual potential in cyber security – as a tool for both defence and attack – requires a balanced approach. While its threats to traditional encryption are undeniable, its innovations also promise stronger, more resilient defences. 

Organisations that act now to understand and prepare for the quantum era will not only safeguard their assets, but position themselves as leaders in a rapidly evolving technological landscape.

Otherwise, no one’s data will be safe, and we’ll have no way of keeping up with the computing power at the hackers’ disposal.


Privacy at a crossroads in the age of AI and quantum

The digital landscape is entering a critical turning point, shaped by two game-changing technologies: generative AI (GenAI) and the imminent arrival of quantum computing. These technologies hold vast promise for innovation, but they also magnify the risks to privacy, data security, and trust. Organisations that want to thrive sustainably in this new era must adapt quickly, recognising that the traditional methods used to protect personal data will no longer suffice.

The evolving privacy landscape

Privacy has long been a legal obligation for organisations. Today, it’s much more than that. In fact, privacy has become a competitive differentiator – organisations that handle customer data with integrity can build stronger relationships and earn more loyalty.

Currently, around 75% of the global population is covered by modern privacy laws, which signals that privacy is increasingly seen as a universal right. However, despite these widespread legal frameworks, there are still significant gaps in how laws are executed across different regions and industries. Data breaches continue to escalate, misinformation is increasingly rampant, and consumers are becoming more sceptical about how their personal data is handled. The rise of GenAI has only intensified these challenges as machine-generated content blurs the lines between fact and fiction.

Meanwhile, quantum computing looms on the horizon, introducing an entirely new set of challenges. By 2029, the computational power and availability of quantum systems are expected to make current encryption methods obsolete, putting sensitive data at unprecedented risk. For many organisations, the sheer cost of ensuring that this data remains secure could become unmanageable, potentially forcing them to purge vast quantities of personal data to prevent breaches.

A growing threat to data integrity

As the use of AI accelerates across industries, the quality of the data feeding these systems becomes even more crucial. However, too many organisations continue to focus primarily on protecting the confidentiality of data, while overlooking its integrity. This imbalance has led to a slew of problems, from poor decision-making to failed AI initiatives that fail to deliver meaningful outcomes.

Gartner predicts that by 2028, organisations will invest as much in ensuring data integrity as they do in confidentiality. This is a major shift, and rightly so. For AI models to be effective, they need high-quality, trustworthy data to train on. If this data is flawed or unreliable, the resulting AI systems will be just as flawed and unreliable. Beyond AI, maintaining data integrity is critical for everything from regulatory compliance to safeguarding consumer trust in the organisation’s practices.

In addition, data integrity plays a critical role in mitigating the risks posed by misinformation and AI-generated content. As GenAI continues to evolve, ensuring that data is accurate, traceable, and verifiable will become more important than ever. Without these measures, AI models risk becoming susceptible to manipulation, making them less effective – and ultimately less trustworthy – across industries.

Preparing for the quantum age

The rise of quantum computing is not just a future concern; it’s a present reality that organisations must begin preparing for today. The concept of “harvest now, decrypt later” is already a reality, with malicious actors stockpiling encrypted data in anticipation of quantum breakthroughs that would render traditional encryption methods obsolete. This poses a grave risk to organisations, as sensitive information that is currently safe from hackers could one day be compromised by quantum systems.

Governments around the world are already pushing for the development and adoption of post-quantum cryptography (PQC): algorithms designed to resist attack by quantum computers. In August 2024, NIST published the first finalised standards, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). But making the shift to PQC is no small feat. It requires a fundamental overhaul of existing cryptographic systems and infrastructure, a process that will take years to complete. For many organisations, the pressure is mounting to begin this transition as soon as possible to protect their sensitive data and remain ahead of the quantum curve.
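Deciding which data to migrate first is an inventory problem. The following added example (not code from the article or from Gartner) triages an encrypted-data inventory using Mosca’s inequality: an asset is exposed to “harvest now, decrypt later” when its required secrecy lifetime plus the time needed to migrate it exceeds the years until a cryptographically relevant quantum computer exists. The inventory, the five-year horizon (taken from the 2029 prediction above) and the algorithm groupings are constructed assumptions for the example; hybrid key exchanges such as X25519+ML-KEM-768 are handled as a separate case.

```python
"""Quantum-exposure triage for an encrypted-data inventory.

Added example, not code from the article or from Gartner. It applies
Mosca's inequality: an asset is exposed to 'harvest now, decrypt later' when
    shelf_life (x) + migration_time (y) > years_until_quantum_attacker (z).
The inventory and the 5-year horizon below are constructed assumptions."""
from dataclasses import dataclass

# Shor's algorithm breaks these public-key schemes outright.
SHOR_BROKEN = {"RSA-2048", "RSA-3072", "RSA-4096", "ECDH-P256",
               "ECDSA-P256", "X25519", "Ed25519"}
# Grover's algorithm halves the effective key length of symmetric ciphers
# (worst-case model): AES-128 keeps ~64 bits, AES-256 keeps ~128 bits.
GROVER_BITS = {"AES-128": 64, "AES-256": 128, "ChaCha20": 128}
# NIST-standardised post-quantum algorithms (FIPS 203/204/205).
PQC = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "SLH-DSA-128s"}


@dataclass(frozen=True)
class Asset:
    name: str
    key_exchange: str        # scheme protecting the session or wrapping key;
                             # "A+B" denotes a hybrid such as X25519+ML-KEM-768
    bulk_cipher: str
    shelf_life_years: float  # x: how long the plaintext must stay secret
    migration_years: float   # y: time to re-protect this asset with PQC


def quantum_exposure(asset: Asset) -> str:
    """Classify exposure by algorithm alone: broken, weakened, resistant or unknown."""
    components = asset.key_exchange.split("+")
    # A hybrid combiner is secure if any component is secure, so a hybrid
    # counts as PQC-protected when at least one component is a PQC scheme.
    if any(c in PQC for c in components):
        bits = GROVER_BITS.get(asset.bulk_cipher)
        return "weakened" if bits is not None and bits < 128 else "resistant"
    if all(c in SHOR_BROKEN for c in components):
        return "broken"   # a recorded exchange is decryptable once a CRQC exists
    return "unknown"      # inventory gap: algorithm not recognised


def mosca_at_risk(asset: Asset, years_to_crqc: float) -> bool:
    """Mosca's inequality: x + y > z means the data outlives its protection."""
    return asset.shelf_life_years + asset.migration_years > years_to_crqc


def triage(assets, years_to_crqc: float) -> dict:
    """Map each asset name to (exposure, recommended action)."""
    report = {}
    for a in assets:
        exposure = quantum_exposure(a)
        if exposure == "broken" and mosca_at_risk(a, years_to_crqc):
            action = "migrate now: HNDL exposure exceeds quantum horizon"
        elif exposure == "broken":
            action = "schedule migration before shelf life expires"
        elif exposure == "weakened":
            action = "raise symmetric key size to 256 bits"
        elif exposure == "unknown":
            action = "identify algorithm and re-run triage"
        else:
            action = "no action"
        report[a.name] = (exposure, action)
    return report


# Constructed inventory (not real systems). Horizon of 5 years assumed
# from the 2029 prediction quoted in the text.
YEARS_TO_CRQC = 5
SAMPLE_ASSETS = [
    Asset("customer-records-archive", "RSA-2048", "AES-256", 25, 3),
    Asset("tls-session-logs-30d", "X25519", "AES-128", 0.1, 1),
    Asset("vpn-hybrid", "X25519+ML-KEM-768", "AES-128", 10, 1),
    Asset("backup-vault", "ML-KEM-1024", "AES-256", 30, 2),
    Asset("legacy-app", "proprietary-v1", "AES-256", 10, 2),
]

if __name__ == "__main__":
    for name, (exposure, action) in triage(SAMPLE_ASSETS, YEARS_TO_CRQC).items():
        print(f"{name:26s} {exposure:10s} {action}")
```

The point of the shelf-life field is that the same algorithm can be urgent for one asset and tolerable for another: RSA-2048 protecting a 25-year medical archive must move now, while the same RSA-2048 on logs purged after 30 days can wait for the scheduled migration. The "unknown" bucket is deliberate; an inventory that cannot name its algorithm is itself a finding.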

A strategic response for organisations

To navigate these challenges, organisations need to act decisively:

  1. Reassess Data Strategies: Move away from storing huge amounts of data to adopting data minimisation practices. Retaining only necessary information reduces risk and aligns with modern privacy regulations.
  2. Invest in Data Integrity: Apply robust measures to ensure data accuracy, provenance, and lineage. This is critical for AI applications and for maintaining consumer trust.
  3. Adopt Post-Quantum Cryptography: Begin developing crypto-agility and a migration to quantum-resistant encryption methods now to safeguard sensitive data before quantum computing becomes mainstream.
  4. Enhance Privacy Practices: Integrate privacy-by-design principles into every product and service, offering consumers granular control over their data.

The broader implications

The intersection of GenAI and quantum computing represents a critical turning point for organisations. Failing to adapt to the evolving privacy and security landscape could lead to lost consumer trust, regulatory penalties, and competitive disadvantage. On the other hand, those who take proactive steps to protect data and embrace emerging technologies will not only minimise risks but also position themselves as leaders in the digital economy.

Bart Willemsen is a VP analyst at Gartner, with a focus on privacy, ethics and digital society.

Public cloud: Data sovereignty and data security in the UK

The UK government’s decision to designate datacentres as critical national infrastructure (CNI) in September 2024 signalled its ambition to build a digital economy that is secure and globally competitive.

But behind the headlines about protecting against cyber crime and IT blackouts lies a more complicated reality – a sector grappling with policy uncertainty, reliance on foreign cloud giants and a data sovereignty agenda that looks increasingly compromised.

In a blog post, Forrester principal analyst Tracy Woo wrote: “New sovereignty requirements such as SecNumCloud, Cloud de Confiance from France, and the Cloud Computing Compliance Controls Catalog (C5) from Germany, along with the push to keep data in-country, have created a broader push for private and sovereign clouds.”

But the promise of “protected infrastructure” rings hollow when hyperscalers openly admit they cannot guarantee that UK government data stored in cloud services such as Microsoft 365 and Azure will remain within national borders.

Woo points out that countries in the European Union (EU) and Asia-Pacific (APAC) have been attempting to more heavily leverage non-US-based cloud providers, create sovereign clouds, or leave workloads on-premise.

In the UK, regulatory scrutiny is exposing the fragile state of the country’s digital independence. Looking at the UK’s approach to data sovereignty, law firm Kennedys Law describes the Data Use and Access (DUA) Bill, which was published in October 2024, as “a more flexible risk-based approach for international data transfers”.

Kennedys notes that the new test requires that the data protection standards in the destination jurisdiction must not be materially lower than those in the UK. According to Kennedys, this standard is less rigid than the EU’s “essential equivalence” requirement but raises questions about how “materially lower” will be interpreted in practice.

Understandably, with the government’s reliance on cloud-based productivity tools, concerns about compliance with UK data protection laws have intensified.

The Competition and Markets Authority (CMA) is now investigating cloud market practices that could lock customers into foreign providers. A provisional report is expected in early 2025, setting the stage for potential regulatory reforms aimed at boosting data sovereignty and curbing monopolistic practices.

Reshaping data sovereignty

This is not before time for Mark Boost, CEO of Civo, a UK-based cloud hosting specialist. “The inability to ensure data remains within UK borders underscores the risks of depending on hyperscalers,” warns Boost. “If we keep outsourcing critical data infrastructure, we risk losing more than just technical control, we lose national independence.”

The CMA’s review could reshape the country’s digital future, potentially mandating greater transparency and requiring UK data storage guarantees from global cloud providers. This is something Boost has been talking about for some time.

“Transparency isn’t just about where data is stored, it’s about how datacentres are powered, maintained and secured,” he says. His argument highlights the essential connection between data sovereignty and operational clarity, urging providers to adopt clearer accountability measures.

Despite these challenges around transparency, the UK datacentre industry has seen promising signs, particularly in regional investment. The government’s recent announcement of a £250m datacentre project in Salford showcases how local government cooperation and targeted investment can drive growth. But such projects remain exceptions rather than the rule.

Luisa Cardani, head of datacentres at TechUK and author of the report Foundations for the future: How datacentres can supercharge UK economic growth, warns that without a national policy statement (NPS), the datacentre sector risks becoming fragmented. Local planning authorities lack the expertise and resources to approve projects efficiently, creating bottlenecks that could delay critical infrastructure developments for years.

“The industry wants to work with local people and authorities, but clear national planning guidance is missing,” says Cardani. “Without a coherent strategy, we’re stuck in a cycle of fragmented decisions and regulatory inertia.”

The proposed inclusion of datacentres under the nationally significant infrastructure projects (NSIP) regime could streamline the approval process, ensuring faster decision-making. However, this remains, for the moment at least, more of an aspiration. In reality, investment will remain stalled until the UK develops a coherent, national approach that balances public and private interests while streamlining the project approval process.

Data sovereignty and security requirements are fundamental to this, and to a large extent it will be market forces that determine the shape and size of the UK’s datacentre industry. On this front, Alvin Nguyen, senior analyst at Forrester, says businesses must recognise the different risk profiles posed by local and hyperscaler-operated datacentres.

“It should be expected that hyperscalers will have more bandwidth, more scalability and more redundancy than their more localised counterparts, but having datacentres classified as critical to the UK’s infrastructure may help with mitigating some, but not all, security risks,” he says.

Complexity of keeping data within national borders

Nguyen also questions whether data sovereignty debates might be over-simplified in some cases.

“With data security, it comes down to what the organisation’s requirements are to determine whether or not to go to a hyperscaler or a local datacentre,” he says. “With sovereignty, that is a bit different. If there are components to the sovereignty laws to restrict access or use of data outside of the local datacentres, hyperscalers will need to ensure that guardrails are in place.”

Nguyen’s comments underscore the complexity of managing sensitive data across hybrid environments. Rather than focusing solely on whether to choose a local or global provider, businesses should consider managing workloads across hybrid cloud environments more strategically.

“Many organisations will find a mix of cloud and datacentres makes the most sense … the risk profile of each is different and that blend of risk when combining cloud and datacentres can be made to be optimised for them,” he says.

The security risks associated with data sovereignty are multifaceted, extending far beyond simple data storage concerns. For businesses in regulated sectors, particularly financial services, the stakes are immense.

When on-premise is the only option

Jon Cosson, head of IT and chief information security officer at wealth management firm JM Finn, underscores the potential dangers when businesses assume that using a large cloud provider automatically guarantees security.

“It’s absolutely imperative you know where your data is and how to secure it,” he warns. “You would not believe how many businesses still just rely on somebody else.”

The issue is compounded by the jurisdictional complexity of global cloud services. When sensitive data crosses borders, it may fall under multiple regulatory regimes, raising questions about legal access and government overreach. This concern has been amplified by legislation such as the US Cloud Act.

In 2019, the then home secretary, Priti Patel, signed a US Cloud Act data access agreement on behalf of the United Kingdom, in which the US and UK governments agreed to provide timely access to electronic data for authorised law enforcement purposes. The Cloud Act can compel US-based hyperscalers to provide data stored abroad to US authorities, regardless of the laws of the country where it is held.

“I want to know exactly where my data goes, how it’s encrypted and how quickly I can get out if needed,” says Cosson, reflecting a broader industry concern that opaque data paths and limited contractual assurances can expose businesses to significant compliance risks.

“We use the cloud when we have to, but still run key systems on-premise for control,” adds Cosson. This approach is typical of companies handling sensitive financial data: organisations that are not prepared to take promises of “secure cloud storage” at face value.

While Cosson acknowledges that cloud adoption is inevitable for some services, such as Microsoft 365, he underscores the enduring role of on-premise infrastructure for businesses that require absolute control over sensitive data. This, of course, raises an additional problem of how to manage hybrid data environments securely and efficiently.

According to Cosson, companies like Nutanix play a critical role here, enabling organisations to manage workloads across cloud and on-premise environments while maintaining data control. Nutanix’s infrastructure services are designed to address sovereignty concerns, he says, by ensuring businesses have clear data management policies and remain compliant with local regulations.

“The next five years will be decisive,” says Civo’s Boost. “If transparency becomes a legal requirement, we’ll see businesses demanding more from providers, not just about where data resides, but also how infrastructure is managed and powered.”

TechUK’s Cardani believes public-private partnerships will play a crucial role here. “We need coordinated efforts between government, industry and local authorities to build a resilient datacentre ecosystem,” she says. “This means shared responsibility, clearer policy frameworks, and incentives for both hyperscalers and UK-based providers.”

Boost and Cardani each agree that the balance of power between hyperscalers and local operators may shift, particularly if future policies mandate data localisation or prohibit cross-border data transfers without explicit guarantees. Sovereignty-by-design, where infrastructure is built to meet local compliance from the start, could become the new standard.

Adhering to current standards

Until that point, organisations need to work out how they can meet existing standards. Cardani argues that adherence to standards must be supported by national policies that enable transparent reporting and clear accountability structures.

In practice, this means enforcing mandatory audits, data residency certifications and security benchmarks tailored to UK-specific legal frameworks. Without these measures, businesses risk falling into compliance gaps that could expose them to data breaches, fines and legal disputes.

Frameworks such as ISO 27001 for information security management, General Data Protection Regulation (GDPR) for data privacy and Payment Card Industry Data Security Standard (PCI DSS) for payment security set clear operational expectations. Yet these standards are only part of the equation, as evolving regulations increasingly emphasise data sovereignty and security-by-design.

Ensuring that datacentres comply with such frameworks while offering sovereignty guarantees has become a pressing challenge. Hyperscalers operating across multiple jurisdictions complicate audits and compliance checks due to varying legal obligations and data transfer rules.

The CMA’s investigation is urgently needed, if only to provide some clarity around what, for most buyers, has become a confusing subject.

For IT leaders, the critical takeaway is that responsibility cannot be outsourced. Security, compliance and sovereignty must be actively managed through risk assessments, compliance audits and multi-supplier strategies.

And as the UK’s digital infrastructure evolves, only businesses that stay ahead of regulation and demand transparency from their providers will be able to navigate the uncertainties.

On that score, the UK’s datacentre industry stands at a crossroads – but with policy clarity, local investment and industry transparency, it has the potential to become a global digital leader in this space.

It’s about trust and everyone playing by the same, fair rules, but from a UK perspective it is also about protecting that most valuable national asset – data.

As JM Finn’s Cosson puts it: “Data sovereignty is not a buzzword, it’s survival.”

EU law could usher in transformative change to digital ecosystems

In October 2024, the European Commission (EC) published its Digital fairness fitness check report as part of a continued effort to evaluate the effectiveness of European Union (EU) consumer protection legislation.

Specifically, it evaluated the efficacy of the Unfair Commercial Practices Directive, the Consumer Rights Directive, and the Unfair Contract Terms Directive.

The report revealed these existing laws “have only partially achieved the objectives of providing a high level of consumer protection”, with harmful commercial practices online costing EU consumers at least €7.9bn per year, and further drew attention to the power and information imbalances between businesses and consumers online. Now, its findings are being used to shape the latest development in tech policy in Europe, the Digital Fairness Act (DFA).

Following the report, president of the European Commission Ursula von der Leyen wrote a mission letter to Michael McGrath, the EU’s commissioner for consumer protection, urging him to develop a Digital Fairness Act.

The mission letter outlined five core problematic practices in consumer-facing apps and online platforms today, including “dark patterns”, addictive design, personalised targeting features, problematic commercial practices of social media influencers, and features that make it excessively difficult to cancel digital subscriptions.

Recent legislation such as the UK’s Online Safety Act and the EU’s Digital Services Act (DSA) has aimed to address some of the illegal and harmful practices that persist online, but a Digital Fairness Act could potentially tackle some of the more pervasive technological tools that have been adopted by tech companies and digital platforms to persuade and engage consumers.

For example, a study conducted by the EC in 2022 found that 97% of the most popular websites and apps used by EU consumers use at least one dark pattern, which are manipulative interface designs and functionalities which undermine informed consent and mislead users.

Similarly, the European Consumer Organisation’s (BEUC) consumer survey in September 2023 revealed that the majority of consumers feel personal data analysis and monetisation is unfair (60%), and less than half (43%) do not feel fully in control of the decisions they make or the content they are shown online.

With the DFA currently in its proposal phase, civil society organisations and campaigners are putting forward their suggestions to the European Commission. Many civil society organisations across Europe are hopeful that the act will tackle some of the most exploitative techniques that have been fundamental to the tech industry’s growth, and which they believe are responsible for many of the harms that digital users face today. 

Fairness by design

European Digital Rights (EDRi), the largest European network of organisations defending rights and freedoms online, is working with its members on a position paper on the DFA. They hope that the act will address exploitative practices often employed by Big Tech and ad tech intermediaries, which they say “exploit users’ vulnerabilities, undermine their autonomy, and disproportionately impact marginalised communities”.

One area of focus they have for the DFA is to ensure it adopts a rights-centred approach that recognises digital users not just as consumers, but as people with broader individual and collective rights.

“A core assumption underpinning this approach is that vulnerability is inherent to the digital realm as we know it today, driven by an imbalance of power and significant information asymmetries,” says Itxaso Dominguez, a policy adviser at EDRi.

To address these challenges, EDRi are advocating for embedding principles of “fairness by design” and “fairness by default” into the act. They hope this will ensure that fairness and respect for fundamental rights are integral to the development and operation of digital platforms and services, rather than optional considerations. 

Superrr Lab, an organisation advocating for just digital futures, recently published a position paper titled Digital fairness – shaping consumer protection in a just and future-proof way.

They too echo the desire for fairness by design and by default to be enshrined in the act: “The DFA will be most effective in truly enhancing digital rights if it addresses the root-causes of power imbalances in the digital realm. Consumers are humans with rights beyond markets and consumer protection law, and an effective DFA, should be shaped accordingly to ensure true digital fairness – in the sense of no discriminatory practices and opportunities for participation.”

The addictive nature of social media platforms is another digital design feature that the act could address, and an area where there is increasing public scrutiny, particularly in relation to its effects on children and young people’s mental wellbeing. Challenging this feature through policy could potentially address one of the main tenets of the industry’s extractive business model. 

“Commissioner for justice Michael McGrath has said it plainly: ‘They want to keep people online constantly, including our children, and this is how to get money from advertising’,” Rosie Morgan-Stuart, campaign and policy consultant for People Vs Big Tech, said. “Meanwhile, the evidence of harm is mounting. Binding rules are clearly needed, given the severity of the risks and Big Tech’s repeated refusal to prioritise safety over profit.”

Enforcement and real accountability

Better enforcement is another core ambition for the DFA. The Digital fairness fitness check report drew attention to the pervasive non-compliance popular among tech companies and social media platforms, and the need for real accountability. Earlier in 2024, the European Commission opened proceedings against Meta, Alphabet and Apple over their failure to effectively comply with their obligations under the existing Digital Markets Act (DMA).

“To make a real difference, the Digital Fairness Act needs to set out clear rules that are easy to understand, to apply and – if necessary – to enforce. Unfortunately, current EU law does not provide sufficient legal certainty in relation to unfair commercial practices online and therefore does not adequately protect consumers,” says Urs Buscke, senior legal officer at BEUC.

EDRi echo the need for more robust enforcement mechanisms and the prohibition of manipulative practices outright, rather than relying on voluntary compliance mechanisms, which have historically failed.

Aside from voluntary compliance mechanisms, gaps in enforcement have also persisted due to the fact that the existing directives covered by the fitness check do not contain any reporting obligations.

An ambitious digital future: breaking up Big Tech

Some believe the DFA could go as far as breaking up the monopolies of the Very Large Online Platforms (VLOPs), which the DSA defines as platforms or search engines with more than 45 million monthly users in the EU. They advocate a digital ecosystem that allows independent, third-party content curation and moderation services.

“Unbundling the social networks could address many of the harms connected to addictive design and predatory data surveillance by providing consumers with a marketplace of options for recommender systems and other content curation tools,” says Katarzyna Szymielewicz, co-founder of freedom and privacy NGO Panoptykon Foundation. “This would also address the problematic nature of relying on VLOPs themselves as the arbiters of quality and credibility in ranking algorithms.”

On 16 January 2025, 18 former European presidents and prime ministers wrote to Von der Leyen urging the EC to pursue a structural breaking up of Google’s services to restore competition and end Google’s monopoly. 

“Forced breakups are do-able and have a long and distinguished record through modern history – from John D. Rockefeller’s Standard Oil in 1911, to Germany’s gigantic IG Farben conglomerate after the Second World War, to AT&T in 1982,” says Claire Godfrey, executive director of Balanced Economy Project.

“They’ve just fallen out of favour. The US has proposed a break up of Google to fix the search monopoly, and the EU is in a position to support the US and break the tech giant’s monopoly over digital advertising. It needs the political will and courage more than anything.”

Despite the challenges, many of those Computer Weekly spoke with said the DFA could potentially result in transformative changes to the modern digital ecosystem. “The Digital Fairness Act offers a rare opportunity to set a global precedent, ensuring that fairness, transparency and accountability are embedded into the foundations of the digital ecosystem,” says Dominguez.

But this will only happen if policymakers strive to be bold. As Kim van Sparrentak, GroenLinks MEP, urges: “We don’t have to accept the status quo. We can still fix our online environments if we dare to be ambitious enough. Alternatives are perfectly possible.

“If ethical design becomes the standard, the online space can be a fantastic place for knowledge-sharing, community forming and creativity. But whether the EU dares to go far enough is the big question for the next few years.”

Why CISOs should build stronger bonds with the legal function in 2025

For chief information security officers (CISOs) still looking to set some professional goals for the New Year, or to expand on a list they’ve already compiled, consider strengthening the relationship with your organisation’s legal function.

You may well have already spent a great deal of time building bridges with company lawyers. After all, it’s now a significant aspect of the modern CISO role, according to the 2024 Global CISO Organisation and Compensation Survey from executive recruitment firm Heidrick & Struggles, a poll of over 400 CISOs worldwide. 

When asked which functions they spend most time working and consulting with, the top two responses offered by respondents involved other IT professionals, with network, cloud and engineering groups in first place, and software development and product development/engineering in second place. In third place was legal, compliance and risk – way ahead of finance, HR or the board of directors. 

In 2025, the links between cyber security and legal teams need to be closer than ever, because around the world, the IT security function – and the people who lead it – are increasingly the target of new regulations and sharp government scrutiny.

Legal challenges

Regulatory changes and uncertainty place huge stress on cyber professionals. Even where rules are clear, the volume is increasing and the burden of compliance growing heavier. Any company operating on an international basis faces a wide range of country-specific regulations that may well contradict each other, or at least include requirements that don’t clearly align. 

In the EU, companies face the EU AI Act, NIS2 and the Digital Operational Resilience Act (DORA). The incoming administration in the United States could propose significant changes to current regulations, too. And every organisation already faces strict PII mandates when it comes to how the personal information of customers, suppliers and partners is stored and managed. 

All this makes it a real struggle for IT security teams to figure out how to best implement regulations in their organisation. Their colleagues in the legal department will be their best allies in helping them to navigate this minefield. 

Lawyers can help a CISO and their team to develop a stronger and deeper understanding of how and where rules apply to their specific organisation and where they do not, for example. The scope of coverage of a regulation can be a pretty subtle matter and legal expertise is often needed to analyse it effectively and accurately. 

Another significant task – and another area of potential conflict between different regulations – is identifying communication and reporting requirements, and figuring out the different schedules and types of information that need reporting. Here, the IT security and legal functions need to work on effective procedures and ensure they are communicated clearly to the appropriate personnel. 

Mutual benefits

But this is not a one-way street. The legal function may have an important role to play as an advisor to cyber security, but the CISO isn’t just a passive consumer of the information offered. While regulations typically have good intent, sometimes wording or proposed implementation is not as effective as it should be. The CISO must be able to spot the gaps and contradictions and consult with legal teams on how best to tackle them. 

Working together, cyber security and legal teams can also define and implement best practices; for example, they might adopt the ‘three lines of defence’ model, most commonly seen in the financial services sector. 

In this model, Level One defence is provided by the frontline employees and their managers who perform the day-to-day work and own its risks. Level Two is provided by the oversight functions, typically risk, compliance and information security, that monitor the first line against predefined standards. Finally, Level Three defence is provided by internal audit, which independently assures the first two lines, with external auditors adding assurance from outside the organisation – those responsible for ‘watching the watchers’. By marshalling resources into these three lines of defence, organisations from any industry sector can achieve new levels of visibility and accountability.

Another area in which the CISO can be a big help to their legal counterpart is in technological understanding. It’s no secret that technology evolves much faster than the time it takes to write regulations and get them agreed and implemented. As a result, it’s not uncommon to see regulations put in place that simply don’t know how to deal with new technologies. That was certainly true with cloud technology, and it’s increasingly the case with artificial intelligence (AI) approaches. There is much here that a CISO can offer in terms of advice to their organisation’s chief legal counsel. 

This can be an enormously valuable relationship. The CISO and the chief legal counsel, after all, have much in common. Both perform a crucial and complex function, the goal of which is to protect their organisations from threats. Both are deeply concerned with building resilience through policies, procedures and employee education. And both need to plan ahead when it comes to mitigating new risks to their organisation. Above all, both are crucial to good corporate governance and smooth-running operations.

In 2025, my advice to CISOs is to continue building on these firm foundations. 

Top 10 AI and storage stories of 2024

Artificial intelligence (AI) has hit the headlines and the datacentres, but with it comes a range of performance and operating considerations that impact storage as much as any other IT discipline.

In this review, we look at the key demands of AI processing on data storage, the type of storage AI requires, and the suitability of cloud storage for AI workloads.

We drill down into the data needs of AI and storage, such as the demands of high-dimension vector data and checkpointing during AI training, plus the compliance considerations that use of AI brings with it.

We also look at the responses of storage suppliers to the rapid rise of AI use cases in the datacentre, in terms of link-ups with leading players like Nvidia, as well as in their storage offer aimed at AI workloads. 

In this guide, we examine the data storage needs of artificial intelligence, the demands it places on data storage, the suitability of cloud and object storage for AI, and key AI storage products.

We look at the use of vector data in AI and how vector databases work, plus vector embedding, the challenges for storage of vector data and the key suppliers of vector database products.

We talk to Charlie Boyle of Nvidia about data challenges in artificial intelligence, key practical tips for AI projects, and demands on storage of training, inferencing, RAG and checkpointing.

Storage supplier announcements at the Nvidia conference centre on infrastructure integration, tackling the GPU I/O bottleneck and AI hallucinations by running Nvidia NeMo and NIM microservices.

We spoke to Pure Storage CEO Charlie Giancarlo about why write speed is key for artificial intelligence workloads, accessible storage for AI data, and his prediction of the death of spinning disk.

We talk to NetApp’s Grant Caley about AI and data storage, the need for scale, performance and hybrid cloud, and to move, copy and clone data for wrangling for inference runs.

AI checkpointing operations targeted by Vast Data as it touts QLC-based storage for AI workloads.

Start looking at artificial intelligence compliance. That’s the advice of Mathieu Gorge of Vigitrust, who says AI governance is still immature, but firms should recognise the limits and still act.

AI consultancy Crater Labs spent vast amounts of time managing server-attached drives to ensure GPUs were saturated. A shift to all-flash Pure Storage slashed that to almost zero.

Originally driven by Intel’s now-defunct Optane storage class memory, Parallelstore offers massive parallel file storage targeted at artificial intelligence training use cases on Google Cloud.
