18 October 2012

Unleashing the EU Cloud

The European Commission has released its Communication [PDF] on Unleashing the Potential of Cloud Computing in Europe.

The Communication comments that
‘Cloud computing’ in simplified terms can be understood as the storing, processing and use of data on remotely located computers accessed over the internet. This means that users can command almost unlimited computing power on demand, that they do not have to make major capital investments to fulfil their needs and that they can get to their data from anywhere with an internet connection. Cloud computing has the potential to slash users' IT expenditure and to enable many new services to be developed. Using the cloud, even the smallest firms can reach out to ever larger markets while governments can make their services more attractive and efficient even while reining in spending. 
Where the World Wide Web makes information available everywhere and to anyone, cloud computing makes computing power available everywhere and to anyone. Like the web, cloud computing is a technological development that has been ongoing for some time and will continue to develop. Unlike the web, cloud computing is still at a comparatively early stage, giving Europe a chance to act to ensure being at the forefront of its further development and to benefit on both demand and supply side through wide-spread cloud use and cloud provision. 
The Commission therefore aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy which can cut ICT costs, and when combined with new digital business practices, can boost productivity, growth and jobs. On the basis of an analysis of the overall policy, regulatory and technology landscapes and a wide consultation of stakeholders, undertaken to identify what needs to be done to achieve that goal, this document sets out the most important and urgent additional actions. It delivers one of the main actions foreseen in the Communication on e-Commerce and online services; it represents a political commitment of the Commission and serves as a call on all stakeholders to participate in the implementation of these actions, which could mean an additional EUR 45 billion of direct spend on Cloud Computing in the EU in 2020 as well as an overall cumulative impact on GDP of EUR 957 billion, and 3.8 million jobs, by 2020. 
Several of the identified actions are designed to address the perception, by many potential adopters of cloud computing, that the use of this technology may bring additional risks. The actions do so by aiming at more clarity and knowledge about the applicable legal framework, by making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification) and by developing it further (e.g. through a forthcoming legislative initiative on cyber security). 
Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe's businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe's traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.
It indicates that
preparatory work undertaken by the Commission shows the key areas where actions are needed:
• Fragmentation of the digital single market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location ranked highest amongst the concerns of potential cloud computing adopters and providers. This is in particular related to the complexities of managing services and usage patterns that span multiple jurisdictions and in relation to trust and security in fields such as data protection, contracts and consumer protection or criminal law. 
• Problems with contracts were related to worries over data access and portability, change control and ownership of the data. For example there are concerns over how liability for service failures such as downtime or loss of data will be compensated, user rights in relation to system upgrades decided unilaterally by the provider, ownership of data created in cloud applications or how disputes will be resolved. 
• A jungle of standards generates confusion by, on one hand, a proliferation of standards and on the other hand a lack of certainty as to which standards provide adequate levels of interoperability of data formats to permit portability; the extent to which safeguards are in place for the protection of personal data; or the problem of the data breaches and the protection against cyberattacks.
This strategy does not foresee the building of a "European Super-Cloud", i.e. a dedicated hardware infrastructure to provide generic cloud computing services to public sector users across Europe. However, one of the aims is to have publicly available cloud offerings ("public cloud") that meet European standards not only in regulatory terms but in terms of being competitive, open and secure. This does not preclude public authorities from setting up dedicated private clouds for the treatment of sensitive data, but in general even cloud services used by the public sector should – as far as feasible – be subject to competition on the market to ensure best value for money, while conforming to regulatory obligations or wider public-policy objectives in respect of key operating criteria such as security and protection of sensitive data.
The Communication highlights privacy issues, stating -
Data protection emerged from the consultation and the studies launched by the Commission as a key area of concern that could impede the adoption of cloud computing. In particular, faced with 27 partly diverging national legislative frameworks, it is very hard to provide a cost-effective cloud solution at the level of digital single market. In addition, given the cloud’s global scope, there was a call for clarity on how international data transfers would be regulated. These concerns have been addressed, in completion of another Digital Agenda Action, by the proposal of a strong and uniform legal framework providing legal certainty on data protection by the Commission on 25 January 2012. 
The proposed regulation addresses the issues raised by the cloud. Centrally, it clarifies the important question of applicable law, by ensuring that a single set of rules would apply directly and uniformly across all 27 Member States. It will be good for business and citizens by bringing about a level playing field and reduced administrative burden and compliance costs throughout Europe for businesses, while ensuring a high level of protection for individuals and giving them more control over their data. Increased transparency of data processing will also help increase consumer trust. The proposal facilitates transfers of personal data to countries outside the EU and EEA while ensuring the continuity of protection of the concerned individuals. The new legal framework will provide for the necessary conditions for the adoption of codes of conduct and standards for the cloud, where stakeholders see a need for certification schemes that verify that the provider has implemented the appropriate IT security standards and safeguards for data transfers. 
Given that data protection concerns were identified as one of the most serious barriers to cloud computing take-up, it is all the more important that Council and Parliament work swiftly towards the adoption of the proposed regulation as soon as possible in 2013. 
Meanwhile, as cloud computing involves chains of providers and other actors such as infrastructure or communications providers, guidance is required on how to apply the existing EU Data Protection Directive, notably to identify and distinguish the data protection rights and obligations of data controllers and processors for cloud service providers, or actors in the cloud computing value chain. Moreover, due to the specific nature of the cloud, questions have been raised about applicable law in case where the relevant place of establishment of a cloud provider may be hard to determine, e.g. for a non-EU user of a non-EU provider operating equipment in the EU. In this context, the Commission welcomes the guidance on how to apply the existing EU Data Protection Directive given in the Opinion of the data protection working party, the so called "Article 29 Working Party" on cloud computing of 1 July 2012. The Commission considers that the Article 29 Working Party Opinion provides a good basis for the transition from the current EU Data Protection Directive to the new EU Data Protection Regulation and that it should guide the work of national authorities and of businesses, thereby offering maximum clarity and legal certainty on the basis of the existing legal framework. Moreover, once the proposed regulation is adopted, the Commission will make use of the new mechanisms set out therein to provide, in close cooperation with national data protection authorities, any necessary additional guidance on the application of European data protection law in respect of cloud services.