The data center and cloud computing industries face painful financial punishment under new EU data protection rules that could see firms fined up to €100m for violations over breaches, encryption, sovereignty and the recently legislated right to be forgotten.

Almost all cloud service providers will fall foul of EU Data Protection regulations which take effect in 2015, according to research.

The lack of compliance means they could face fines amounting to 5% of their annual revenue, with a maximum fine of €100m.

A study by cloud visibility specialist Skyhigh Networks found that 1 in every 100 cloud providers (out of a sample of 7,000 cloud services) can meet the new regulations.

The other 6,930 cloud service providers (99%) failed to meet at least one of the laws’ requirements on issues such as the right to be forgotten, data infidelity and deletion policies, data residency, data breach detection and notification, and the use of encryption and secure passwords.

Skyhigh Networks EMEA director Charlie Howe said data center operators and cloud service providers must invest in additional resources to meet these regulations.

“It’s a snip given the proposed penalties for violating the new laws,” Howe said.

The controversial ‘right to be forgotten’ amendment to the new regulations is proving a complex problem for both cloud providers and end users, with the average organization using 738 cloud services (according to figures quoted by Skyhigh).

Complying with this requirement presents difficulties for most service providers as 63% of cloud providers maintain data indefinitely or have no provisions for data retention in their terms and conditions, claims the research.

Another 23% of cloud providers maintain the right to share data with another third party in their terms and conditions, making it more difficult to ensure all copies are deleted.

“The right to be forgotten could turn out to be a massive headache for many organisations – it’s not just an issue for Google,” Howe said.

Only 11 countries were found to satisfy EU privacy requirements with the US (in which 67% of all cloud services are hosted) the biggest absentee.

“Data residency is already a significant issue under the current EU Data Protection Directive and it will continue to be so as the new regulations come into effect,” Howe said.

Currently only 8.9% of US-based providers are exempt from these regulations through Safe Harbor Certification.