"The major problem for cloud is the different implementation of the Data Protection Directive in different member states," a Commission source said.
The European Commission is currently rewriting rules on data protection and data retention to try and get countries' varying laws closer together, the source said. The current directive will be morphed into a regulation which will be directly enforceable on member states.
An industry consultation earlier this year mirrored the official's concerns.
"Online service providers now routinely handle the data of citizens from multiple member states, and often process personal data in multiple markets in and outside the EU," Microsoft recently outlined in a Commission consultation on cloud computing.
"In doing so, they often find themselves subject to different, confusing, and sometimes conflicting national rules," the company stressed.
Under the most extreme examples, personal data is not even allowed to leave the territory, negating any benefits of cloud services which rely on a ubiquitous service.
Greece's implementation of the Data Protection Directive has muddled providers that are not sure whether they can or cannot transfer data outside Greek territory.
An assessment from the European Commission last year dubbed the Greek law "a restriction affecting the free flow of personal data between the EU member states."
In addition, the country's implementation of the Data Retention Directive includes a requirement that data and servers are located inside national borders.
Cow medical records
Luxembourg's law recently presented a Dutch entrepreneur with an unusual obstacle. Remi Caron was working on a project that would require the transfer of cow medical records outside the country, something which he learned was not possible under the country's broad reading of the Data Protection Directive.
The European Commission insists, however, that its laws are written for "natural persons."
Under Finnish and Swedish law on public entities, there are security restrictions preventing the provision and use of cloud services, according to law firm Bird & Bird.
The firm which routinely handles cloud cases also laments the many different definitions of data controller and data processor in different EU countries' interpretations of the directive.
France, Germany stop the cloud at borders
In France, a draft law threatens to hamper cloud services. In June, French authorities suggested that cloud computing operations located outside the EU would be barred from processing sensitive data.
In Germany, a country with a delicate history of data surveillance, some data protection authorities argue that the storage of personal data outside Germany is unlawful.
The data protection authority of Schleswig-Holstein, Germany's northernmost province, recently said that many transfers of personal data in connection with cloud computing would not satisfy requirements under national data privacy laws.
The European Commission says it plans to eliminate any doubt companies may have on data transfers to other member states and to third countries.
The review will also reform the powers of data protection regulators, some of which, like the Czech authority, are prevented from handing out fines.