Cloud computing: A legal maze for Europe


This article is part of our special report Cloud Computing.

The migration of computing into a cloud of massive data centres spread all over the world is giving regulators a headache as they find themselves on the back foot of an industry-driven trend.

The term 'cloud computing' describes a whole range of infrastructure, software, data or applications residing in the 'cloud' – that is to say, off your own premises and accessed via the Internet.

A study carried out by the University of Milan, published in late 2010, estimated that cloud computing has the potential to create 1.5 million new jobs in Europe over the next five years. 

The greatest commercial benefit of the cloud is that the services that use it can achieve economies of scale by cutting out hardware costs and reducing their costs per unit as demand increases.

For customers, it makes tons of information potentially accessible from any device that is connected to the Internet.

While businesses and governments wax lyrical about the benefits of cloud computing, EU regulators have been more wary, as further take-up of cloud systems would mean a large swathe of public and commercial data would migrate to servers possibly located outside national borders or even on other continents.

Despite the EU's best efforts, laws to protect and store data are outdated and cannot cope with the legal problems presented by cloud computing, such as determining who owns data which is no longer handled in situ.

When a company processes data in the UK, stores it on a server in Ireland but sends it via France – as it may have a subsidiary there – it is not yet clear which country's law would prevail in a legal dispute.

Regulators who have recognised this maze of unanswered questions are busy consulting industry and data protection authorities, while industry is busy trying to make its mark on an as yet unformed legal framework.

In November 2010, EU Digital Agenda Commissioner Neelie Kroes called for cloud-computing providers to build data security into their services and products. And at the 2011 World Economic Forum in Davos, she said the EU was working post-haste to update its data protection rules.

The Commission will consult with industry and data protection authorities this year before releasing its cloud computing strategy in 2012. 

Who is accountable?

Cloud computing comes mainly in three guises:

  • Infrastructure (data centres);
  • Online platforms (operating systems), and;
  • Applications (web-based email, online office applications, file-sharing).

The industry-led trend is being touted as a utility of the future, like gas or electricity. Some applications, such as online office documents developed by Google, even threaten to derail industry giants such as Microsoft's Office.

But it is a utility that relies and will continue to rely on data stored across borders, forcing businesses and regulators to demand the same laws on data and privacy pretty much everywhere.

Aside from uncertainty over which countries' laws are applied, the Queen Mary Research Centre in London has identified two other key legal concerns that are making businesses and governments think twice:

  • Some cloud providers keep the location of the data secret, putting users off, and;
  • Users may not have a direct relationship with the provider who may outsource to one or more other storage or processing providers. This blurs the line between data controller and data handler, begging the question: who owns the data?

In a recent speech, EU Digital Agenda Commissioner Neelie Kroes explained that every European citizen or company should know two things: that their cloud supplier protects their personal data in line with EU rules and that the governments of all countries hosting servers have adequate data protection and privacy rules.

The Article 29 Working Party, a group of experts from national data protection agencies, argues that the European Union should apply the law of the country in which the service originates, i.e. the data centre's location.

The cloud provider industry, including the likes of Microsoft, Amazon and SAP, to name a few firms, would like an international agreement either under trade rules or in international fora to harmonise the legal regimes relating to data.

Where to put my data?

Some data protection authorities would prefer to have servers with EU data inside the bloc to make life easier for regulators and lawyers alike.

Within the US government, data that is classified as low risk can move to an offshore centre, while medium and high-risk data stays on American shores.

However, for commercial data that seems an unrealistic ask, as everyone knows that call centres, which process data on servers in India, for example, can't all migrate to the EU.

In the EU, this will be a decision left to member states. In Germany, for example, local authorities are asked to store data within the country's borders. These guidelines do not of course affect commercial data. 

Rewriting data protection rules

The European Commission admits that its Data Protection Directive is outdated and is currently preparing a review of the existing law, which is to be presented in late January 2012.

The current directive sets out guidelines for data controllers who process and handle the data. But the EU will need to tweak these definitions, as cloud computing allows the processing and handling of data to be carried out at a far-flung data centre if businesses so wish.

The current Data Protection Directive requires data to either be stored in the European Economic Area (EEA) or in a territory that has equivalent legal privacy laws.

As of September 2009, the Commission decided that Argentina, Australia, Canada, Switzerland, the Faroe Islands, Guernsey, the Isle of Man, Jersey and the United States had adequate protection for privacy.

Security and data privacy

Cloud computing has been described as putting all of your eggs in one basket. But if that basket gets hit, is everything lost? What if everyone's personal data, bank account details, credit history, criminal records and tax payments moved to the cloud and got lost?

Regulators will need to act quickly, as new research shows that cloud providers are not being upfront about the services they provide.

A study by the Queen Mary experts in London concludes that cloud business contracts sometimes waive responsibility for data storage or delete data if it is not used for a while. Such contracts are usually difficult to understand as they sometimes amount to 60-page documents written in dense legalese. Many users, however, want the cloud precisely because they need to store data they no longer use but may well need in the future.

While essential security aspects are addressed by most tools, the cloud is potentially geographically vast and may need more prescriptive rules on data replication and distribution.

Customers are also concerned that they will no longer "own" their data, as they are not the de facto data handler if it is hovering in a cloud somewhere. This could also create difficulties in accessing data or in moving to another supplier. 

In a recent survey, customers' top concern was the security of their data in the cloud, followed by performance, privacy and cost.

The EU's ePrivacy Directive, which was updated in 2009, created data breach notifications whereby any communications provider or Internet service provider (ISP) must inform individuals about data breaches of their personal information.

Germany, which in recent years has seen a dramatic increase in data breaches, revised its data protection rules to go beyond the EU regulation.

Uncertainty over data protection has often been cited by industry experts as a cause for slowed pick-up of cloud computing. In particular, differences between the US and the EU over privacy have discouraged European companies from using US-based cloud services. Privacy watchdogs have warned that the US's PATRIOT Act makes European data liable to be seized by American authorities for counter-terrorism.

To try and smooth over legal discrepancies, the industry suggests that a worldwide agreement could be found under World Trade Organisation (WTO) rules for online services and software.

Money talks

The enthusiasm for cloud computing stems mainly from the huge cost-savings businesses and governments are promised by moving their IT systems to the cloud. The global cloud computing market is estimated to be worth €40 billion by 2014.  

One of the key economic drivers for the current level of interest in cloud computing is the fact that businesses can scale down their costs as the cloud allows them to "pay as you go".

The potential for savings has been identified above all in the financial services and banking sectors, whose take-up of cloud is expected to be second only to that of the IT industry.

Gartner, a major IT research and advisory firm, found in a survey that 44% of financial services firms' Chief Information Officers in Europe expected more than half of their transactions would be supported by cloud infrastructure by 2015.

Pay per use, in tech terms, means smaller firms can concentrate on paying their operational IT costs alone and get on with getting their services to market. Add to that faster acquisition of the tools needed to get a business going, earlier market entry, higher returns on investment and a carbon clear conscience and it all sounds too good to be true.

The estimated cost savings are not lost on governments either, but the public sector is unsurprisingly more wary of moving its data to the cloud because of its sensitivity. Some countries, like Germany, even have rules against outsourcing public data.

The UK is busy building its G-Cloud, an onshore government-owned cloud infrastructure for public authorities, which is expected to bring about £3.2 billion (€3.76 billion) in savings per year.

As promising as the cloud sounds, the technology is still in an experimental phase, and in the EU, with a lack of regulation and different rules for different countries, take-up is not what it could be.

Jobs in a changing sector

Cloud computing is the latest of the many waves of innovation that have transformed the IT industry. The technology is expected to shake up existing business models and reduce the need for on-site IT staff in companies. However, cloud providers have argued this is offset by the creation of  higher-end jobs in larger IT firms.

Ben Golden, chief executive of the HyperStratus consulting firm in California, said "The reason many are wrong about cloud computing's effect on employment is that they assume this disruption is unleashed in a static environment."

"However, the field of computing has never been static, and will not be in the face of cloud computing," he added.

Ireland's tech-driven economy was told by Microsoft it should rebrand itself as a cloud computing hub to gain 20,000 jobs. Annually, that could bring €9.5 billion in sales by 2014, and provide 8,600 jobs, according to a recent study by the Good Body consultancy.

Clouds & carbon

Cloud proponents have also highlighted its potential environmental benefits, particularly in terms of improving energy efficiency and reducing carbon emissions.

In a commentary on EURACTIV, Microsoft Vice President for EU Affairs John Vassallo said "Modern cloud data centres are built with energy efficiency in mind, taking advantage of natural air cooling from the local environment and using waste heat where possible to preheat water for residential or commercial purposes."

"The immediate energy savings of migrating to the cloud are not just through less electricity being used, but rather the ability to scale up ICT resources instantly without additional hardware," he added.

A study by the Carbon Disclosure Project found that large IT companies could halve carbon emissions by 2020 if they migrate data storage operations to the cloud. It also estimates that energy savings worth €1.4 billion could be made through this in the United Kingdom alone.

A study by management consultancy firm Accenture had even more dramatic findings, claiming that carbon emissions in small firms (less than 100 users) could be reduced by over 90% by the replacement of on-premise servers with the cloud. It also found that reductions of 30-60% were possible for large firms (10,000 users).

EU Digital Agenda Commissioner Neelie Kroes said: "If we want our digital markets to grow, users need to feel comfortable spending online. If companies are to take advantage of all the potential benefits of 'cloud computing', they need to know their business secrets will not be intercepted."

Bulgarian MEP Ivailo Kalfin (Socialists & Democrats), who recently hosted many stakeholders in the European Parliament for a major debate on the issue, said "cloud computing could bring a considerable added value to Internet users, in terms of service, accessibility, storage and technological ease".

"It is an essential tool for increasing the Union's competitiveness, especially for small and medium-sized enterprises, and EU legislators should help it to develop, ensuring that the principles of security, data privacy and interoperability are fulfilled in the cloud," Kalfin added.  

DigitalEurope, a trade association representing the European information and communications technology industry, said: "The rules governing international transfers of personal data outside Europe are outdated and bureaucratic. They are unfit in the era of cloud computing. They make it complex and burdensome for companies to comply with applicable rules, they are inconsistent with the goal of a Digital Single Market, and they do not lead to a better end result."

"The law needs to catch up," said Brad Smith, general counsel at Microsoft. "Cloud computing is a critical part of the future and quite central to all that we're doing."

EuroCloud, the pan-European cloud computing business network, said: "Customers are sending us a signal, 'please make technology as easy as possible' – rethink the IT model in offering immediate availability, anywhere, anytime, and at a predictable cost. That's what the cloud represents […] The opportunity is incredibly huge: to imagine, create and build a new worldwide industry."

Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), believes cloud computing is an attractive solution for governments seeking to save money on IT systems. "Since we are in a time of belt-tightening, this new economic model for computing has found fertile ground and is seeing massive global investment."

"With the development of cloud computing solutions, EU-US collaboration on cross-border data transfer is also essential," said Luigi Gambardella, executive board chairman at ETNO (European Telecommunications Network Operators Association). 

"The evolution in technology represented by cloud computing presents European businesses, governments and individuals with tremendous potential for efficiency gains and cost savings," said Francisco Mingorance, senior director of government affairs for BSA (Business Software Alliance).

"It is time to step back and view the many ostensibly unrelated dossiers currently on the European agenda through the lens of cloud computing, in order to ensure the right policy environment is put in place to deliver on the promise of the cloud in Europe," Mingorance continued.

"Given the fluidity of relationships in the supply chain of cloud computing services, it should be clear which data controller can be held accountable by data subjects and which DPA," read a statement from the European Digital Rights Initiative, an NGO.

"There exists an urgent need to clarify existing data protection concepts and definitions such as 'personal data', 'data controller', 'data processor' and 'consent', particularly in light of technological developments, such as cloud computing, which do not fit clearly into one definition or another," said Martin Whitehead, director of GSMA Europe, which represents the European mobile phone industry.

  • 20 Nov. 2009: European Network and Information Security Agency (ENISA) issues report on security risks and benefits of cloud computing.
  • 26 Jan. 2010: European Commission outlines future directions for cloud computing research in Europe.
  • 19 May 2010: Commission's 'Digital Agenda for Europe' suggests developing EU-wide strategy on cloud computing, notably for government and science.
  • Dec. 2010: Commission 'Study on security and privacy regulatory challenges in the Cloud'.
  • Dec. 2010: Commission review of economic impact of cloud computing.
  • May 2011: Commission to consult stakeholders on regulation for cloud computing.
  • 2012: Commission expected to propose EU strategy for cloud computing.
