The Commission would like to increase cloud providers' accountability to their users in an upcoming EU "Cloud Strategy", due out next year.
Audits and liability clauses are just two ways the EU is considering to harmonise the 27 national legal regimes hampering cloud adoption, say Commission sources.
Cloud services such as Apple's iCloud, Microsoft's Windows Live or Dropbox allow users to store digital music, photos or other documents in data centres, while businesses can outsource their entire operations using platforms and infrastructure in the proverbial cloud.
In Europe, companies offering cloud services have to comply with safe harbour agreements which contain seven principles including security, user access to data and accuracy. Currently some 2,500 US companies comply with these rules.
But the greater part of businesses in Europe still cite security concerns as one of the biggest obstacles to cloud adoption. And EU officials now acknowledge that safe harbour is not enough to assuage these concerns.
"Under the safe harbour agreement, US organisations self-certify their adherence to seven principles. They then enjoy safe harbour status and appear on a list. There is a question whether this is robust enough or goes far enough to cover an EU citizen's personal data moving around in a cloud," a Commission source said.
"Audits are not only for data loss but also for quality and absence of service," the source told EurActiv, foreshadowing the kinds of measures the Commission is considering to make providers more liable to their users.
But questions remain. "Does it [safe harbour] mean, for example that administrative personnel who have access to your data must have been screened? Or is that beyond the bounds of reasonable?" one EU official said.
"When you put your data somewhere actually you are putting your financial assets in a data centre. What happens to your assets if the cloud provider goes bankrupt?" added Ryan Heath, a spokesperson for the European Commission.
Companies deny liability for lost data
A report by three academics studying the cloud business at the Queen Mary University of London paints a rather bleak picture of cloud providers' terms of service.
The report concludes that US companies in particular tend to write very broad disclaimers absolving themselves of as much liability as possible for data loss and other problems.
One glaring example came from the American provider GoGrid, which issues the following disclaimer to its clients: "GoGrid does not warrant that the Service will be uninterrupted, error-free, or free from viruses or other harmful components. The Service is provided with no warranties regarding security, reliability, protection from attacks, data integrity, or data availability."
"The service is provided on an 'as is' and 'as available' basis," the disclaimer quoted in the Queen Mary report says.
Adding to costs
Though the industry agrees that auditing is necessary to build trust and increase the uptake of cloud services, some warn new audits could add extra expense to a technology which relies on its relative cheapness to attract clients.
Further audit requirements would create costs that would potentially be passed on to the user, an industry source said, insisting they were not against audits per se.
Auditing the cloud could be more cumbersome as the selling point of the service relies on having multiple back-ups spread around different data centres in different parts of the world, the source said.
"Cloud is dependent on creating economies of scale without human intervention."