New EU Commission strategy on cloud computing

Dr. Jörg Hladjk| Neurope

Cloud computing will be a “hot” regulatory issue in Europe for 2013 and its impact on businesses will increase in the future. In simple terms, “cloud computing” can be understood as the storing, processing and use of data on remotely located computers or networks accessed over the internet worldwide. This means that users can request almost unlimited computing power on demand and that they can get to their data from anywhere in the world with an internet connection. Today, many services, such as web-based e-mail or social networks are based on cloud computing already.

In addition, cloud computing has the potential to reduce costs for businesses when implementing information technology systems and to enable a number of sophisticated IT services to be developed by creative companies. As with  the Internet, cloud computing is a technological development that has been in train for some time and will certainly continue to progress  from an IT perspective. Unlike the Internet however, cloud computing is at an early stage in Europe and the various players in the European markets can still influence how the legal framework will be designed so that businesses and users can benefit from both the demand and supply side through wide-spread cloud services. According to the European Commission, the economic benefits of cloud computing amount to €160 billion per year, or around €300 per person per year.

In order to help shape the legal framework for cloud computing, in September 2012, the Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” This follows a previous Commission consultation on cloud computing and an opinion from July this year adopted by all national data protection authorities in the EU. The new strategy focuses on three main issues: (i) simplification of cloud computing standards and certification; (ii) the development of new model contract terms for cloud computing services; and the initiative for a European Cloud Partnership. These three elements, particularly the simplification of standards and the new model contract terms, are not only of interest to data protection practitioners and the legal community but will also provide for helpful tools for businesses in Europe that engage in cloud services.

Cloud Computing Standards and Certification

The Commission’s stated aim is to introduce new, pan-European certification schemes for cloud computing, including data protection, by 2014. The European Network and Information Security Agency (“ENISA”) and other relevant parties will be asked to assist in this process. These certification schemes will address data protection, especially data portability, and focus on increased transparency of cloud service providers’ security practices. Although the Commission has provided a rather detailed list of factors to be considered by these new certification schemes, it should be noted that participation in the schemes will be voluntary.

Model Contract Terms  for Cloud Computing

New model contract terms for cloud computing also will be drafted by the end of 2013 to ensure consistency and fairness in contracts for cloud computing services across Europe. The Commission places particular emphasis on how data is handled and contemplates the model contract terms covering, among other things: (i) data preservation after the contract is terminated; (ii) data disclosure and integrity; (iii) data location and transfer; (iv) data ownership; (v) data portability between services; and subcontracting. The model contract terms also will incorporate new mechanisms that will be introduced by the proposed EU data protection regulation, such as those relating to data processor obligations.

European Cloud Partnership

The European Cloud Partnership (ECP) will consist of high level procurement officers from European public bodies and key players from IT and telecom industry. The ECP will, under the guidance of a Steering Board, bring together public procurement authorities and industry consortia to implement pre-commercial procurement actions.

The ECP does not aim at creating a physical cloud computing infrastructure. Rather, via procurement requirements that will be promoted by participating Member States and public authorities for use throughout the EU, its aim is to ensure that the commercial offer of cloud computing in Europe, both of the public and of the private sector, is adapted to European needs.

Other Goals

The Commission’s new strategy also aims to undertake a review, by the end of 2013, of the current standard contractual clauses for international data transfers to make them more cloud-friendly; and to encourage national data protection authorities to approve Binding Corporate Rules tailored for cloud services; as well as draft a new industry code of conduct for the unified application of data protection provisions that would be developed in collaboration with the cloud computing industry and endorsed by all national data protection authorities in the EU. Further, it is intended to increase coordination with the United States, India and other countries concerning issues such as access to data by law enforcement agencies as well as data and cyber security at the global level.

The Commission’s papers make frequent reference to the proposed new EU data protection regulation, the soon-to-be-published European strategy on cyber security and the proposed Common European Sales Law, creating the impression that it intends to integrate its cloud computing strategy with other initiatives in the EU’s digital agenda.

In summary, it can be said that the strategy aims at facilitating Europe‘s participation in the global growth of cloud computing by setting out a clear plan on how to address the issues related to cloud computing while at the same time considering the global context of cloud services that will be offered in the European markets.

This approach should be welcomed from a business perspective, as any data processing today is globally and therefore international data protection compliance aspects of new technologies must be prioritized on the agenda of political and business players in the European market.