In a comprehensive communication, Brussels is planning to address several aspects of the cloud computing regulatory framework to encourage its use by companies and public administrations.
“In particular, cloud computing is raising specific issues related to data protection and data retention, applicable law and liability and consumer protection,” reads an internal note seen by EurActiv.
“The aspects of interoperability, standardisation and portability of data and applications will also be addressed. Issues raised in the G8 summit which may include measures against piracy, identity theft and online security will also be considered by the Commission,” adds the note which notes that the document will be on the agenda of the college of commissioners meeting on 25 July.
The Commission will also try to encourage member states to embrace the potential of cloud computing.
“Member states should develop public-sector cloud use based on common approaches that raise performance and drive down costs,” the paper says.
The draft document is split into three parts – data security, copyright, and standardisation.
The first deals with data protection and copyright, which are among the top unresolved issues explaining why European businesses are lagging behind in the cloud-computing sector.
Critics have warned that cloud computing was like putting all your eggs in one basket. If the basket gets hit, is everything lost? Should cloud providers be obliged to offer a backup for the files clients store on their servers? The Commission has no clear-cut answer to these questions, yet and is still arguing over how best to protect consumers while enabling cloud service providers to flourish.
A pending issue is how to determine the applicable law when the user of a cloud service is a non-EU citizen or when the service provider operates within the EU but is based in a foreign country. These are the kinds of legal headaches that the Commission is trying to solve.
In its strategy, the EU executive commits to “provide guidance on the application of European data protection law and practice as regards definitions, jurisdiction and applicable law,” reads the draft paper.
Transfers of personal data outside the EU will only happen if there is “an adequate level of protection of privacy and fundamental rights and freedoms of individuals” in the third countries involved, the document says without further clarification.
Not surprisingly, some legal aspects concerning data and privacy protection are still under debate within the Commission and could prove difficult to overcome.
Copyright in the cloud
Copyright is another thorny issue. In principle, the cloud makes sense if a user is free to access content “from different devices and different territories”.
However, the Commission documents notes that off-site data storage opens the door to collecting and duplicating copyright material and “the possibility to access this content from the cloud regardless of the location.”
To address this issue, the Commission believes that copyright protection in the cloud should be based on direct remuneration of rights holders rather than by imposing levies on devices which could allow the duplication of copyrighted material, which is what France plans to do. Brussels is in fact considering the same approach in other sectors.
However, it will go against vested interests of many lobbies of authors and distributors. The outcome of the proposal is unclear.
Standardisation and global governance
The other two sections of the communication are dedicated to standardisation and global governance of the cloud.
At the moment, cloud service providers have an interest in setting up their own standards to prevent their services from being accessible on other platforms (the 'interoperability' issue). The result is that consumers may end up being locked into a given technology.
To foster greater interconnection between services, the Commission wants to create incentives for the industry to develop common standards over “security, interoperability, data portability and reversibility”. The EU body which sets up standards, ETSI, will be requested to coordinate actions in this direction.
As for global governance, the Commission wants to play an increasing role in international forums to “advance common objectives for cloud computing services.”
The United States and Japan are singled out as partners for developing closer relations on a number of issues, including “application of the tax law to cloud services”, “international data flows” and “coordination of data security” among other things.