MEP calls for a raft of rules to protect EU users’ data in the cloud

An MEP has called on the European Commission to outline a number of new rules that will help safeguard the data of EU cloud users

A Member of the European Parliament (MEP) has called on the European Commission (EC) to outline a number of new rules that will help safeguard the data of EU customers of cloud computing.

Judith Sargentini, a Dutch MEP, said in a document that despite the potential and benefits of using cloud services, mainly in terms of cost reduction, the cloud entails significant risks and challenges for fundamental rights and increases specific risks for privacy and data protection.

These risks require scrutiny and appropriate safeguards, she warned.

Judith Sargentini insisted that as a general rule, “the level of data protection in a cloud computing environment must not be inferior to that required in any other data-processing context”.

She urged the EC to propose guidelines to protect non-personal sensitive data in a cloud context, particularly in the case of government data and of data from organisations such as banks, insurance companies, pension funds, schools and hospitals.

She also insisted that use of cloud services by public sector organisations must require special consideration.

“Data integrity and security must be guaranteed and unauthorised access, including by foreign governments, prevented,” she said. “This also applies to specific processing activities by some non-governmental services, such as banks, insurance companies, schools and hospitals.”

According to her, the EC must outline rules for these organisations to follow when using cloud services to process, transmit or store their data, including the adoption of open standards to prevent supplier lock-in and a preference for open source software.

The MEP’s call for clearer cloud guidelines comes at a time when CIF research shows that the number of first-time users of cloud computing services in the UK increased by 27% in 2012 from last year. Another recent study showed that cloud adoption has continued to rise in 2013. But it also warned that in order to yield the true benefits of cloud computing, its complexity must be reduced and cloud interoperability increased.

“It is good that the issue is being recognised at the highest levels of the EU,” said Peter Groucutt, managing director at Databarracks, a UK IaaS (infrastructure as a service) provider.

In one of the amendments (Amendment 14) to the draft opinion, Sargentini called for rules around cloud contracts. She urged the European Commission to “come forward with proposals to restore the balance between cloud service providers (CSPs) and their customers as regards the terms and conditions.”

She included three elements: user protection against arbitrary cancellation of services and deletion of data; a guarantee for cloud service users of a “reasonable chance for the customer to recover stored data in case of cancellation of service and/or removal of data”; and guidelines for cloud providers to facilitate easy migration.

Earlier this year, when datacentre service provider 2e2 went into administration, it held customers’ data to £1m ransom.

According to Databarracks, the key issues surrounding cloud computing are not about the technology, but about trust and customer service.

“The recent example of 2e2 has really worried a lot of cloud computing customers,” Groucutt said.

“When administrators asked customers for payment to keep the business running, or services would be stopped – those customers understandably felt as if they were being held to ransom.”

Enterprise users need to be assured that their data will be safe in the hands of a third party. This has been, and continues to be, one of the major obstacles for organisations adopting cloud computing.

“Without regulation coming from the highest levels of European government, we as an industry will struggle to persuade potential customers that cloud computing is a safe and effective alternative to traditional computing,” he warned.
