Would you be surprised that the European Commission believes the way to promote the growth of cloud computing in Europe is to regulate it?
Until now, the EU’s main impact on cloud has been to threaten the ubiquity of cloud computing services by requiring compliance with cross-border data transfer regulations. But the Commission has recently published a communication claiming to “unleash the potential of cloud computing in Europe”. Unfortunately, the main proposed actions seem unlikely to achieve this laudable intention. At the same time, the Commission missed the opportunity to shake-off or clarify the data privacy burden.
The Commission’s communication sets out a roadmap for the future growth of cloud computing in Europe and proposes a regulatory agenda. It's difficult to avoid the conclusion that the proposed package of extra regulation, certification and contractual limitations is more likely to slow down – not speed up – the implementation of cloud in Europe.
The Commission wants more clarity about the applicable legal framework; to make it easier to verify compliance with the legal framework (for example, through standards and certification); and to develop a legislative initiative on cyber security.
The Commission puts a lot of focus on three specific issues: market fragmentation; problems with contracts; and lack of standardisation. Its proposed “key actions” are designed to address these areas.
Jungle of standards
The Commission highlights a “jungle” of standards that generate uncertainty as to interoperability of data formats, and data portability. It believes that a wider use of standards - and certification of cloud services to show they meet these standards - will accelerate the adoption of cloud solutions.
Maybe the best way to create trust in cloud solutions is for the Commission to keep out of the way
Alistair Maughan, Morrison & Foerster
In practice, the absence of a voluntary certification scheme isn’t something that’s appeared to impede the development of the cloud market so far. Cloud doesn’t seem like a VHS versus Betamax situation. It’s also questionable how far any certification scheme can go if it’s voluntary. But the alternative – a mandatory scheme – would be much worse for the cloud sector. So although the IT industry may not object, it seems the Commission’s proposal won’t get much support either.
Safe and fair contracts
Cloud contracts, of course, are typically done on the basis of a trade-off for the user having access to scalable and flexible IT capabilities meaning much less room for negotiation of the applicable contract terms.
The Commission believes “take it or leave it” standard contracts are harmful to consumers. It wants to implement model contract terms for cloud computing between cloud providers and corporate buyers. Given that the EU has struggled for years to implement harmonisation of contract laws across Europe, it seems unlikely that the IT industry will volunteer or be forced to accept model contract terms for cloud services.
The Commission believes that, as the EU’s largest buyer of IT services, the public sector across Europe should play a key role in shaping the cloud market. But the public sector market is fragmented and the Commission believes that pooling public requirements could bring greater efficiency and common requirements, which would reduce costs.
The Commission is setting up a European Cloud Partnership (ECP) to provide an umbrella for government cloud initiatives, including G-Cloud in the UK, Andromede in France and Trusted Cloud in Germany. The ECP will bring together industry expertise and public sector users to work on common procurement requirements for cloud computing.
The ECP ought to be cautiously welcomed by industry. The government sector has been a significant driver of activity in the IT industry for many years, and public bodies are seen as conservative and slow adopters of new technologies or methods of IT delivery. But the experience of G-Cloud shows that doesn’t have to be the case. Anything that incentivises the take-up of cloud by a large group of potential users must be good for the industry.
More on the European Commission's cloud proposals
In an interesting piece of self-analysis, the Commission acknowledges that data protection barriers could impede the adoption of cloud computing. Those barriers, largely of the EU’s own making, include the existence of 27 partly diverging national legal frameworks around data protection and the restrictions on sending personal data outside the European Economic Area.
With respect to data privacy, the Commission plans to review standard contractual clauses applicable to transfer of personal data to third countries and adapt them, as needed, to cloud services. It also calls upon national data protection authorities to approve binding corporate rules for cloud providers. But neither of these ideas really go far enough to alleviate the immediate barriers on cloud that data privacy rules present.
The cloud market is growing strongly in Europe, even without the benefit of the Commission’s extra help. The IT industry has moved quickly to wrap cloud services into packages alongside more customised services, and make them attractive to customers as part of their IT sourcing options. Does it really need the actions that the Commission proposes?
Maybe the best way to create trust in cloud solutions is for the Commission to keep out of the way and let the market flourish free of regulation.
Alistair Maughan is a technology law partner at Morrison & Foerster (UK) LLP.