In September 2012, the European Commission adopted a strategy for unleashing the potential of cloud computing in Europe.
The European Cloud Computing Strategy outlines actions to deliver a net gain of 2.5 million new European jobs and an annual boost of €160bn, around 1% of GDP, by 2020. It is also designed to speed up and increase the use of cloud computing across the economy.
The strategy, which was the result of consultations with stakeholders and an analysis of regulation and technology, forms a key part of the EU’s digital agenda.
It has three key actions:
- Safe and fair contract terms
The Commission has published a proposal for a Common European Sales Law to deal with divergent national sales laws by providing contractual parties with a uniform set of rules. The strategy also has an aim of developing model contract terms to cover issues not covered by the Common European Sales Law.
- Cutting through the jungle of standards
Common technical standards need to be developed to ensure interoperability, and in addition the Commission is working with various bodies to develop an EU-wide voluntary certification scheme.
- Establishing a European cloud partnership (ECP)
The ECP brings together industry experts and the public sector to work on common procurement requirements for cloud computing in an open and transparent way. This is intended to make the public sector more effective as well as stimulating the European cloud industry.
More on cloud computing in Europe
- Can Europe give the world cloud coverage?
- European government moves to private clouds
- European banking firm UniCredit to introduce cloud in its datacentres
- European Commission should keep its hands out of the cloud
- EC: Europe should become a ‘trusted cloud region’ in the post-Prism age
- Cloud still a foreign concept to many Europeans
Part of the EU Cloud Strategy’s implementation includes the establishment of a Cloud Select Industry Group, known as the C-SIG. The C-SIG was created with the intention of providing independent validation and advice on proposals of cloud computing and with a view to identifying main challenges and solutions in three main areas: certification schemes, service level agreements and codes of conduct.
This is further achieved through the members of the C-SIG and its three sub-groups. The members of C-SIG are representatives of major European and multi-national organisations which have a significant involvement in cloud computing.
The first plenary meeting of these sub-groups took place in mid-October 2013 and is an indication of the push for greater harmonisation of the EU Cloud Strategy and general cloud computing practice.
The three sub-groups of the C-SIG have been hard at work for the past few months:
- The sub-group on certification
This group has been working with a variety of players in the market, including cloud service providers, cloud customers, certification bodies and the European Network and Information Security Agency (Enisa), to provide an assessment of current cloud computing certification solutions and guiding principles and to define objectives important to the industry.
- The sub-group on service level agreements (SLAs)
This group was established to provide the necessary support to develop a model set of terms for cloud computing contracts between professionals. Recently, the SLA sub-group has been working on drafting definitions and creating a checklist to help IT directors make a sound decision when selecting cloud provider services.
- The sub-group on codes of conduct
This group intends to develop a code of conduct for cloud computing service providers to promote a harmonised approach to the application of data protection rules. The lack of current harmonisation of these rules is said to be one of the greatest barriers to the advancement of cloud computing.
Country guidance on cloud computing
In addition to the various activities of the European Cloud Computing Strategy, several European data protection authorities (DPAs) have recently published official guidance concerning data protection issues in relation to the use of cloud computing. Some points to note from the guidance from these DPAs include:
The French DPA (CNIL) issued guidelines for the use of cloud computing in 2012, providing detailed sample provisions for a written contract. These provisions covered the essential elements that CNIL considers should be covered by a cloud computing services contract.
The German Federal Office for Information Security published a whitepaper in 2012 that is geared towards the technical security standards for cloud service providers. While it includes many of the other recommendations noted in other countries’ guidance, there is a greater attention to detail with regards to best practices for internal security policies and procedures and encryption standards.
The Spanish DPA has published a cloud computing guide which comments on various considerations that companies should have prior to engaging a cloud service provider, including use of risk assessments, deletion of personal data, and international data transfers to third countries which may require prior authorisation.
In the UK, the Information Commissioner’s Office (ICO) has published detailed guidance on cloud computing, which includes recommendations as to carrying out risk assessments, ensuring that security assurances from the cloud provider are adequate, the provider can delete copies of personal data, that a record of the data categories moved to the cloud is made, and that there is a cycle of continual monitoring of performance to ensure the cloud service is running as expected and in accordance with the contract.
The opportunities with cloud computing are very significant, as are the challenges, however, significant steps have been taken by the European Commission to try to deal with those challenges.
2014 will be a key year in ensuring that the opportunities are also secured, or at least given a firm foundation, and therefore all those involved in cloud computing, whether providers or customers, should follow these developments closely.
William Long is a partner at law firm Sidley Austin.
This was first published in January 2014