Does the EC's cloud strategy go far enough?

The European Commission (EC) launched its cloud strategy last week. Legal experts put it under the spotlight to see if it goes far enough

The European Commission’s cloud computing strategy document – titled Unleashing the Potential of Cloud Computing in Europe - last week outlined the obstacles to the establishment of a vibrant market for cloud computing and the need for an appropriate European strategy. 

The main obstacles identified by the European Commission (EC) are: a lack of clarity on rights, responsibilities, and liability; insufficient data protection; and insufficient standardisation, particularly across jurisdictions.

The EC aims to develop model terms for cloud computing service level agreements (SLAs) for contracts between cloud providers and users. The action-plan recognises that even large companies have little negotiating power with cloud providers and contracts often do not provide for liability, data integrity, confidentiality or service continuity.

The EC says this lack of negotiating power is one of the main factors hindering the growth of cloud computing and emphasises that service level agreements (SLAs) could provide the basis of trust customers can have in a provider's ability to deliver services.

The take-it-or-leave-it contract terms are similarly imposed on consumers and small firms who are often unaware of their relevant rights especially including the applicable law and jurisdiction, said the EC report. Some of these issues will, the EC hopes, be addressed by the proposed regulation on a Common European Sales Law, which addresses many of the obstacles of diverging national sales law rules, by providing contractual parties with a uniform set of rules.

In addition, the EC proposes to develop an optional instrument to address areas outside the scope of the Common European Sales Law with the aim of creating transparent and fair cloud services contracts.

EC addresses cloud data protection

The EC has considered ways to address data protection issues with transfers of data to the cloud, often across jurisdictions. To this end, it will call on the data protection authorities of the member states to approve the “Binding Corporate Rules” (BCR) specifically for use by cloud providers, under which a company or group of companies providing cloud services could sign up to legally binding rules enabling international transfers between them.

The EC says that it will work with cloud computing providers in an attempt to agree a code of conduct for cloud computing that would help to support a uniform application of data protection rules across jurisdictions.

The EC calls for a wider use of standards and the certification of cloud services to show they meet these standards. The report says the endorsement of such certificates by regulatory authorities, indicating compliance with legal obligations, would help cloud take off.

Consequently, the EC has requested that the European Telecommunications Standards Institute set-up a Cloud Group to look into the needs for cloud standardisation and conformity with interoperability standards. The EC also says it will work with relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing and plans to publish a list of such schemes by 2014.

EC’s aims to enable and facilitate faster adoption of cloud computing across all sectors of the economy should be welcomed. The action plan emphasises the potential of cloud computing to boost productivity, growth and jobs.

Any development which leads to more realistic and less one-sided terms of supply for cloud services must be welcomed. It remains common for providers to offer limited service levels, wide exclusions of liability and even characterise services as being provided on an "as is" basis. This approach stalls the uptake of cloud services among sectors other than SMEs (where price may support this approach) and big business (where bespoke negotiation is more likely).

However, the report could have gone further. Simply pointing to data protection solutions such as BCR as an appropriate answer provides no silver bullet. The journey of implementing a BCR solution from the start through to the final regulatory approval required to give it life can take years to achieve.  

Similarly, pinning hopes on the Common European Sales Law whose progress is slow and vexed and the take-up of which could be minimal, may also prove to be optimistic as a way to bring down barriers to the growth of cloud computing.  More radical thinking with concrete proposals and timelines would have been welcome.

By Neil Hawley and Graham Hann

Neil Hawley (pictured above) is an associate in the technology team at international law firm, Taylor Wessing LLP, offering advisory services to clients on all aspects of IT with an emphasis on commercial transactions. Graham Hann is the lead partner in the technology team at Taylor Wessing LLP.


Read more on Cloud computing services