Who is accountable?
Cloud computing comes mainly in three guises:
- Infrastructure (data centres);
- Online platforms (operating systems), and;
- Applications (web-based email, online office applications, file-sharing).
The industry-led trend is being touted as a utility of the future, like gas or electricity. Some applications, such as online office documents developed by Google, even threaten to derail industry giants such as Microsoft's Office.
But it is a utility that relies and will continue to rely on data stored across borders, forcing businesses and regulators to demand the same laws on data and privacy pretty much everywhere.
Aside from uncertainty over which countries' laws are applied, the Queen Mary Research Centre in London has identified two other key legal concerns that are making businesses and governments think twice:
- Some cloud providers keep the location of the data secret, putting users off, and;
- Users may not have a direct relationship with the provider who may outsource to one or more other storage or processing providers. This blurs the line between data controller and data handler, begging the question: who owns the data?
In a recent speech, EU Digital Agenda Commissioner Neelie Kroes explained that every European citizen or company should know two things: that their cloud supplier protects their personal data in line with EU rules and that the governments of all countries hosting servers have adequate data protection and privacy rules.
The Article 29 Working Party, a group of experts from national data protection agencies, argues that the European Union should apply the law of the country in which the service originates, i.e. the data centre's location.
The cloud provider industry, including the likes of Microsoft, Amazon and SAP, to name a few firms, would like an international agreement either under trade rules or in international fora to harmonise the legal regimes relating to data.
Where to put my data?
Some data protection authorities would prefer to have servers with EU data inside the bloc to make life easier for regulators and lawyers alike.
Within the US government, data that is classified as low risk can move to an offshore centre, while medium and high-risk data stays on American shores.
However, for commercial data that seems an unrealistic ask, as everyone knows that call centres, which process data on servers in India, for example, can't all migrate to the EU.
In the EU, this will be a decision left to member states. In Germany, for example, local authorities are asked to store data within the country's borders. These guidelines do not of course affect commercial data.
Rewriting data protection rules
Acknowledging that the current Data Protection Directive is outdated the Commission published proposed new rules in late January 2012, which are set to continue being debated in the Parliament and Council during 2013.
The current Data Protection Directive requires data to either be stored in the European Economic Area (EEA) or in a territory that has equivalent legal privacy laws.
As of September 2009, the Commission decided that Argentina, Australia, Canada, Switzerland, the Faroe Islands, Guernsey, the Isle of Man, Jersey and the United States had adequate protection for privacy.
Security and data privacy
Cloud computing has been described as putting all of your eggs in one basket. But if that basket gets hit, is everything lost? What if everyone's personal data, bank account details, credit history, criminal records and tax payments moved to the cloud and got lost?
A study by the Queen Mary experts in London concludes that cloud business contracts sometimes waive responsibility for data storage or delete data if it is not used for a while. Such contracts are usually difficult to understand as they sometimes amount to 60-page documents written in dense legalese. Many users, however, want the cloud precisely because they need to store data they no longer use but may well need in the future.
While essential security aspects are addressed by most tools, the cloud is potentially geographically vast and may need more prescriptive rules on data replication and distribution.
Customers are also concerned that they will no longer "own" their data, as they are not the de facto data handler if it is hovering in a cloud somewhere. This could also create difficulties in accessing data or in moving to another supplier.
In a recent survey, customers' top concern was the security of their data in the cloud, followed by performance, privacy and cost.
The EU's ePrivacy Directive, which was updated in 2009, created data breach notifications whereby any communications provider or Internet service provider (ISP) must inform individuals about data breaches of their personal information.
Germany, which in recent years has seen a dramatic increase in data breaches, revised its data protection rules to go beyond the EU regulation.
Uncertainty over data protection has often been cited by industry experts as a cause for slow pick-up of cloud computing. In particular, differences between the US and the EU over privacy have discouraged European companies from using US-based cloud. Privacy watchdogs have warned that the US's PATRIOT act makes European data liable to be seized by American authorities for counter-terrorism.
To try and smooth over legal discrepancies, the industry suggests that a worldwide agreement could be found under World Trade Organisation (WTO) rules for online services and software.
The enthusiasm for cloud computing stems mainly from the huge cost-savings businesses and governments are promised by moving their IT systems to the cloud. The global cloud computing market is expected to bring gains of some €600 billion between 2015 and 2020 overall.
Commissioner Kroes also sees cloud services as a driver for economic growth, saying they could generate 2.5 million new jobs, depending on how efficiently the strategy is taken up.
Smaller businesses stand to benefit the most, according to the Commission’s analysis, with forecasted savings of some 10-20% in ICT, due to the cheaper running costs of cloud.
One of the key economic drivers for the current level of interest in cloud computing is the fact that businesses can scale down their costs as the cloud allows them to "pay as you go".
The potential for savings has been identified above all in the financial services and banking sectors, whose take-up of cloud is expected to be second only to that of the IT industry.
Gartner, a major IT research and advisory firm, found in a survey that 44% of financial services firms' Chief Information Officers in Europe expected more than half of their transactions would be supported by cloud infrastructure by 2015.
Pay per use, in tech terms, means smaller firms can concentrate on paying their operational IT costs alone and get on with getting their services to market. Add to that faster acquisition of the tools needed to get a business going, earlier market entry, higher returns on investment and a carbon clear conscience and it all sounds too good to be true.
The estimated cost savings are not lost on governments either, but the public sector is unsurprisingly more wary of moving its data to the cloud because of its sensitivity. Some countries, like Germany, even have rules against outsourcing public data.
The UK is busy building its G-Cloud, an onshore government-owned cloud infrastructure for public authorities, which is expected to bring about £3.2 billion (€3.76 billion) in savings per year.
As promising as the cloud sounds, the technology is still in an experimental phase, and in the EU, with a lack of regulation and different rules for different countries, take-up is not what it could be.
Strategy aims to promote cloud take-up
One of the key aims of the EU executive’s communication – Unleashing the Potential of Cloud Computing in Europe – is to foster more confidence in cloud, and encourage its use within the private sector.
The paper specifically encourages public sector procurers to use cloud, so that smaller companies may be encouraged to follow suit.
Three key actions are identified to assist with the take up of cloud in the paper:
- Cutting through the jungle of standards;
- Creating safe and fair contract terms and conditions; and
- Establishing a European Cloud Partnership to drive innovation and growth from the public sector.
Jobs in a changing sector
Cloud computing is the latest of the many waves of innovation that have transformed the IT industry. The technology is expected to shake up existing business models and reduce the need for on-site IT staff in companies. However, cloud providers have argued this is offset by the creation of higher-end jobs in larger IT firms.
Ben Golden, chief executive of the HyperStratus consulting firm in California, said "The reason many are wrong about cloud computing's effect on employment is that they assume this disruption is unleashed in a static environment."
"However, the field of computing has never been static, and will not be in the face of cloud computing," he added.
Ireland's tech-driven economy was told by Microsoft it should rebrand itself as a cloud computing hub to gain 20,000 jobs. Annually, that could bring €9.5 billion in sales by 2014, and provide 8,600 jobs, according to a recent study by the Good Body consultancy.
Clouds & carbon
Cloud proponents have also highlighted its potential environmental benefits, particularly in terms of improving energy efficiency and reducing carbon emissions.
In a commentary on EurActiv, Microsoft Vice President for EU Affairs John Vassallo said "Modern cloud data centres are built with energy efficiency in mind, taking advantage of natural air cooling from the local environment and using waste heat where possible to preheat water for residential or commercial purposes."
"The immediate energy savings of migrating to the cloud are not just through less electricity being used, but rather the ability to scale up ICT resources instantly without additional hardware," he added.
A study by the Carbon Disclosure Project found that large IT companies could halve carbon emissions by 2020 if they migrate data storage operations to the cloud. It also estimates that energy savings worth €1.4 billion could be made through this in the United Kingdom alone.
A study by management consultancy firm Accenture, had even more dramatic findings, claiming that carbon emissions in small firms (less than 100 users) could be reduced by over 90% by the replacement of on-premise servers with the cloud. It also finds that reductions of 30-60% were possible for large firms (10,000 users).