Digital cloud providers face EU privacy audits


This article is part of our special report ICT: Fuelling the economy.

The European Commission believes it is only "logical" that companies providing cloud services over the Internet face audits on whether they are keeping their promises on personal data security. 

The Commission would like to increase cloud providers' accountability to their users in an upcoming EU "Cloud Strategy", due out next year.

Audits and liability clauses are just two ways the EU is considering to harmonise the 27 national legal regimes hampering cloud adoption, say Commission sources.

Cloud services such as Apple's iCloud, Microsoft's Windows Live or Dropbox allow users to store digital music, photos or other documents in data centres, while businesses can outsource their entire operations using platforms and infrastructure in the proverbial cloud.

In Europe, companies offering cloud services have to comply with safe harbour agreements which contain seven principles including security, user access to data and accuracy. Currently some 2,500 US companies comply with these rules.

But the greater part of businesses in Europe still cite security concerns as one of the biggest obstacles to cloud adoption. And EU officials now acknowledge that safe harbour is not enough to assuage these concerns.

"Under the safe harbour agreement, US organisations self-certify their adherence to seven principles. They then enjoy safe harbour status and appear on a list. There is a question whether this is robust enough or goes far enough to cover an EU citizen's personal data moving around in a cloud," a Commission source said.

"Audits are not only for data loss but also for quality and absence of service," the source told EURACTIV, foreshadowing the kinds of measures the Commission is considering to make providers more liable to their users.

But questions remain. "Does it [safe harbour] mean, for example, that administrative personnel who have access to your data must have been screened? Or is that beyond the bounds of reasonable?" one EU official said.

"When you put your data somewhere actually you are putting your financial assets in a data centre. What happens to your assets if the cloud provider goes bankrupt?" added Ryan Heath, a spokesperson for the European Commission.

Companies deny liability for lost data

A report by three academics studying the cloud business at the Queen Mary University of London paints a rather bleak picture of cloud providers' terms of service.

The report concludes that US companies in particular tend to write very broad disclaimers absolving them of as much liability as possible for data loss and other problems.

One glaring example came from the American provider GoGrid, which issues the following disclaimer to its clients: "GoGrid does not warrant that the Service will be uninterrupted, error-free, or free from viruses or other harmful components. The Service is provided with no warranties regarding security, reliability, protection from attacks, data integrity, or data availability."

"The service is provided on an 'as is' and 'as available' basis," the disclaimer quoted in the Queen Mary report says.

Adding to costs

Though the industry agrees that auditing is necessary to build trust and increase the uptake of cloud services, some warn new audits could add extra expense to a technology which relies on its relative cheapness to attract clients.  

Further audit requirements would create costs that would potentially be passed on to the user, an industry source said, insisting they were not against audits per se.

Auditing the cloud could be more cumbersome as the selling point of the service relies on having multiple back-ups spread around different data centres in different parts of the world, the source said.

"Cloud is dependent on creating economies of scale without human intervention."

Cloud computing describes a whole range of infrastructure, software, data or applications residing in the cloud – that is to say, off your own premises and accessed via the Internet.

A study carried out by the University of Milan, published in 2010, estimated that cloud computing has the potential to create 1.5 million new jobs in Europe over the next five years.

While businesses and governments wax lyrical about the benefits of cloud computing, EU regulators have been more wary, as further use of cloud systems would mean a large swathe of public and commercial data would migrate to servers possibly located outside the EU.
