The European Commission has issued a Communication setting out a road map for the future growth of cloud computing in Europe. The Communication is a strange mix: in parts, an extended advert for the benefits of a digital single market in the EU, and a narrative on the benefits of cloud computing.
But the most interesting aspect of the Communication is the regulatory agenda that the Commission proposes in order to "...unleash the potential of cloud computing in Europe". Sceptical observers may question whether the proposed package of extra regulation, certification and contractual limitations is more likely to slow down – not speed up – the implementation of cloud computing across Europe.
Until now, most industry observers have viewed the European Union less as a facilitator and more as a barrier to the adoption of cloud computing, because the ubiquity of cloud computing services is threatened by the requirement for compliance with the EU data transfer regulations. In this Communication, the Commission claims that it is seeking to "unleash the potential of cloud computing in Europe". It remains to be seen whether the laudable aims espoused by the Commission are followed up in practice, and whether the fast-growing cloud-based sector of the information and communications technology (ICT) industry welcomes the Commission's proposals.
CLOUD COMPUTING – AN OVERVIEW
Cloud computing is an ICT delivery model where ICT services are provided to users from remote servers and facilities over the Internet rather than through owned or leased IT servers and platforms. Cloud-based technology offers important benefits to users, including the chance for significant cost savings and operational efficiencies; flexibility in deployment; ready access to information systems, applications and data; better back-up services; and faster and more responsive upgrade functionality. Through cloud computing services, users have the ability to outsource all or part of their ICT hardware architecture (infrastructure as a service, or IaaS), operating systems and platforms (platform as a service, or PaaS), or software applications (software as a service, or SaaS) as they choose. "Clouds" can be private, where the services are operated solely for one organisation (or a small group of organisations, which some refer to as "community" clouds), typically on a dedicated or partitioned platform; public, where the services are shared by numerous customers, and typically operated on a shared platform; or hybrid, which entails a combination of private and public cloud services.
A cloud set-up consists of layers: hardware; middleware or platform; and application software. Some element of standardisation is important in a cloud environment, especially at the middle layer, because it enables developers to address a wide range of potential customers, and gives users choice.
In general, users of cloud services trade off customization for commoditization, and must be aware of the implications that remote services provided on standard supplier terms might have for their organisation. The financial benefits of adopting cloud-based services can be significant, although it's important for organisations also to factor in the impact of extra risks that might arise as a result of a wholly or partly cloud-based ICT solution.
The Commission highlights the potential benefits that cloud computing could bring to Europe. It believes that, if properly implemented across Europe, the Commission's proposals could bring an additional €45 billion of direct spend on cloud computing services in the EU by 2020, as well as the creation of an extra 3.8 million jobs.
The Commission recognises that many of its proposed actions are designed to address the perception that cloud computing brings additional risks. So for example, it proposes actions aimed at providing more clarity and knowledge about the applicable legal framework; making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification); and developing the relevant legal framework further (e.g. through a forthcoming legislative initiative on cybersecurity).
The Communication goes to some lengths to describe the benefits of cloud computing on the European economy. To organisations that have already adopted cloud computing, these benefits are well rehearsed (see separate box).
The Communication is part of the Commission's overall "digital agenda" under which the Commission targets setting up a digital single market. Under this digital agenda, the Commission has set itself the objective of simplifying copyright clearance, management and cross-border licensing - and thereby enhancing Europe's capacity to exploit new digital opportunities (such as cloud computing) for both producers and consumers of digital content.
In an interesting piece of self-analysis, the Commission acknowledges that data protection barriers emerged from its consultation exercise as a key area of concern that could impede the adoption of cloud computing. Those barriers are largely of the EU's own making. In particular, the Commission recognises that the existence of 27 partly diverging national legal frameworks around data protection – and the issue of restrictions on sending personal data outside the European Economic Area – creates problems in constructing cost-effective cloud solutions in a fully integrated pan-European manner.
The Commission also acknowledges that, given the global scope of cloud computing, it is important to try to clarify how international data transfers should be regulated. The Commission believes that these concerns have been addressed by the proposal of a strong uniform legal framework providing legal certainty as well as data protection (issued by the Commission on 25 January 2012; see previous MoFo Alert). That proposed regulation addresses issues raised by the cloud and also clarifies the important question of applicable law by ensuring that a single set of rules would apply directly and uniformly across all 27 Member States. The Commission notes that the importance of data protection concerns as a main barrier to cloud computing take-up underscores how important it is that the EU works swiftly toward the adoption of the proposed regulation as soon as possible in 2013.
The Commission has also analysed the issues that cloud computing raises in the context of the European market. It stresses three issues in particular:
- fragmentation of the market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location. In particular, the Commission highlights the complexities of managing services and usage patterns that span multiple jurisdictions, and the difficulty of achieving a common position in areas such as data privacy, contracts and consumer protection;
- problems with contracts. The Commission highlights worries over data access and portability; change control and ownership of data managed in the cloud; concerns over how liability for service failures such as downtime or loss of data would be compensated; ownership of data created in cloud applications; and the resolution of disputes; and
- standards. The Commission highlights a "jungle" of standards that generates confusion and suggests a lack of certainty as to which standards provide adequate levels of interoperability of data formats, or permit appropriate data portability.
Although the Commission does not foresee the building of a "European supercloud" (i.e. the creation of a dedicated hardware infrastructure that would provide generic cloud computing services to public sector users across Europe), one of its aims is to ensure publicly-available cloud offerings that meet European standards in regulatory terms and which offer the benefits of being competitive, open and secure. Clearly, the Commission recognises that this does not preclude public bodies from setting up dedicated private clouds for the treatment of sensitive data. So far, a number of European countries - the UK in particular (which has launched the G-Cloud service) - are setting up their own national cloud platforms for the benefit of government departments locally.
SPECIFIC EU ACTIONS ON CLOUD COMPUTING
The Commission believes that there is a need for a series of confidence-building steps to create trust in cloud solutions. This starts with the identification of appropriate standards that can be certified in order to allow public or private buyers of cloud services to be confident that providers have met their compliance obligations and that those buyers are getting an appropriate solution to meet their needs. The Commission believes that these standards and certificates can, in turn, be referenced in contracts for cloud services so that providers and buyers feel confident that the contract is fair.
To deliver on its goals, the Commission plans to launch three cloud-specific actions.
Key Action 1: Cutting Through the Jungle of Standards
The Commission believes that a wider use of standards (and certification of cloud services to show that they meet these standards) will help to accelerate the rate of adoption of cloud solutions in Europe.
Currently, individual cloud providers have an incentive to fight for dominance by locking in their customers, inhibiting standardised industry-wide approaches. The Commission believes that cloud computing is likely to develop in a way that lacks interoperability, data portability and reversibility – which are all crucial for the avoidance of lock-in. The Commission believes that standards in the cloud will affect stakeholders beyond the ICT industry, in particular small and medium-sized enterprises (SMEs), public sector users and consumers. Such users are rarely able to evaluate competing cloud providers' claims, the interoperability of clouds and the ease with which data can be moved. It believes that independent, trusted certification is needed.
The Commission notes that, in some places, standardisation and certification of cloud solutions is already taking place. The U.S. National Institute for Standards and Technology has published a series of documents, including a widely-accepted set of definitions. The Commission believes that the priority now should be to deploy existing standards and develop competence in cloud solutions.
As a result, the Commission has asked the European Telecommunications Standards Institute (ETSI) to produce (by the end of 2013) a road-map of the standards necessary for security, interoperability, data portability and reversibility in the cloud. It also plans to facilitate EU-wide voluntary certification schemes covering cloud-based services, and agree industry-wide metrics for key environmental measures such as energy and water consumption, and carbon emissions of cloud services.
Key Action 2: Promoting Safe and Fair Contracts
The Commission notes that, traditionally, IT outsourcing agreements have been negotiated and described in detail up-front. However, cloud computing contracts tend to be done on the basis of a framework in which the user has access to scalable and flexible IT capabilities but with much less room for negotiation of the applicable contract terms – with the result that cloud contracts tend to be imbalanced in the favour of the cloud provider.
The Commission believes that the use of "take it or leave it" standard contracts might well be beneficial in cost terms for consumers, but it is often undesirable for them. Such contracts may also impose an inappropriate choice of applicable law or inhibit data recovery. Even larger companies have little negotiation power, and contracts often don't provide coverage on key issues such as liability for data integrity, confidentiality or service continuity.
The Commission believes that the development of model terms for cloud computing and service-level agreements is one of the most important issues that arose during its consultation process.
At one level, the Commission has already launched a proposal to implement a standard EU-wide regulation on a Common European Sales Law, which could address many of the obstacles stemming from diverging national sales law rules by providing contractual parties with a uniform set of rules. The Commission plans to set up a task force to identify (before the end of 2013) safe and fair contract terms and conditions for cloud consumers and small firms.
The Commission would like to go further and develop model terms for cloud computing service-level agreements for contracts between cloud providers and larger corporate buyers.
With respect to data privacy, the Commission plans to facilitate Europe's participation in the global growth of cloud computing by reviewing standard contractual clauses applicable to transfer of personal data to third countries and adapting them, as needed, to cloud services; and by calling upon national data protection authorities to approve binding corporate rules for cloud providers.
The Commission also wants to work with industry to agree a code of conduct for cloud computing providers to support a uniform application of data protection rules which may be submitted to the Article 29 Working Party for endorsement in order to ensure legal certainty and coherence between the code of conduct and EU law.
Key Action 3: Promoting Public Sector Leadership
The Commission believes that governments and the wider public sector across Europe have a strong role to play in shaping the cloud computing market.
The public sector is the EU's largest buyer of IT services, and can set stringent requirements for the features, performance, security and interoperability of cloud services. Currently, the public sector market is fragmented and its requirements have little impact. The Commission believes that pooling public requirements could bring greater efficiency and common requirements, which would reduce costs.
Accordingly, the Commission is setting up a European Cloud Partnership (ECP) to provide an umbrella for comparable initiatives at Member State level. These include the G-Cloud in the UK, Andromede in France and Trusted Cloud in Germany. The ECP will bring together industry expertise and public sector users to work on common procurement requirements for cloud computing in an open and transparent way.
The ECP is not targeted at creating physical cloud computing infrastructure. Rather, the aim is for the ECP to involve participating Member States in order to ensure consistency and avoid fragmentation, and ensure that public cloud usage is interoperable as well as safe, secure and in line with European rules on issues such as data protection and security.
VIEW FROM THE ICT INDUSTRY
The ICT industry's reception of the Communication has been distinctly low key.
It comes as no surprise to many that the Commission thinks that the answer to the adoption of cloud computing is more regulation and certification rather than less. Equally, few outside Brussels believe that "implementation of the [EU's] Digital Agenda proposals is the essential first step towards making Europe cloud-friendly". Sceptics point out that the best way to create trust in cloud solutions (which the Commission professes as an aim) is for the Commission to keep out of the way and let the market flourish free of regulation.
Most companies involved in the roll-out of cloud services consider that the cloud sector is growing nicely and, but for the complication caused by EU-originated data privacy laws over where personal data can be transferred and processed, the market could be growing even faster. Arguably, therefore, the best use of the Commission's time would be to clarify the application of the laws on data transfer to a cloud solution. Currently, this is being addressed by national regulators (such as the UK Information Commissioner's Office, which published an official Guidance on the Use of Cloud Computing in September 2012).
In terms of the three "Key Actions" proposed by the Commission:
- Key Action 1: The absence of a voluntary certification scheme is not something that has appeared to impede the development of the cloud market so far. Cloud-based services have not been seen as a VHS v. Betamax situation. It is questionable how far any certification scheme can go if it is voluntary. But the alternative – a mandatory scheme – would be much worse for the cloud sector, so it's doubtful whether the industry will object to this Key Action too loudly.
- Key Action 2: There is no doubt that the Commission could help the adoption of cloud computing in Europe to grow by addressing the issue of data privacy. Model clauses would be helpful, as would a common set of standards that would enable cloud providers to ensure that all appropriate EU-level privacy rules are addressed by their solutions. Beyond that, the creation of a model set of contract conditions for cloud usage is a distant prospect. The Commission has been working for years on the issue of harmonizing contract laws across the EU – and there is no immediate likelihood of that happening (either in the cloud or out of it) any time soon.
- Key Action 3: The ECP ought to be cautiously welcomed by industry. The government sector has been a significant driver of activity in the ICT industry for many years, but public bodies are seen as conservative and slow adopters of new technologies or methods of ICT delivery. Anything that incentivises or legitimises the take-up of cloud computing by a large group of potential users must be good for the industry.
AN OPPORTUNITY MISSED?
One of the significant blockages to the adoption of cloud solutions is the absence of guidance by regulators in specific sectors. For the financial services sector especially, cloud solutions could have a significant impact. But regulators have generally failed to grapple with cloud computing or provide guidance to their regulated firms. The result has been a take-up of cloud solutions by regulated entities that has been more muted than it could have been, because firms are worried about entrusting core systems to a form of services delivery about which the regulatory treatment is unclear.
The Commission's Communication has not helped to point the way for European financial services regulators to open the door to more take-up of cloud services by financial institutions. Elsewhere, the EU's Markets in Financial Instruments Directive (MiFID) has focussed greater attention on the importance of regulated firms having greater control and effective access over data relating to their activities. The Communication would have been a perfect vehicle for the Commission to clarify doubt over how MiFID might apply to data stored or processed in the cloud; to discuss whether a graduated approach to the effectiveness of data access might have been appropriate; and to explain what sort of audit requirements are appropriate to data stored in the cloud by a regulated entity. The fact that it didn't do any of these things represents an opportunity missed.
The position is slightly different in the U.S. There, as we reported in our Client Alert "Federal Financial Agencies Issue Cautionary Statement on Financial Institution Cloud Computing Services", various federal financial regulatory agencies have been more proactive and have issued a joint interagency statement on the use by financial institutions of outsourced cloud computing services, and the key risks associated with such services.
The statement is the first formal federal financial agency statement on the matter of cloud computing. In general, the statement reaffirms that the fundamentals of existing risk and risk management requirements that currently are applicable to financial institution outsourcing of IT services apply equally to outsourced cloud-based services, while identifying certain risks that, in the Agencies' view, are of particular concern with respect to such services.
In many ways, the Communication is characteristic of the Commission's approach to many issues. It tends to favour regulation over liberalisation; it believes that the market needs stimulus; and it proposes grand gestures and task forces over specific reforms.
But in practice, the cloud computing market is growing at a significant rate in Europe, even without the "benefit" of the Commission's extra help. The ICT industry has moved quickly to wrap cloud services into packages alongside more customized services, and make them attractive to customers as part of their ICT sourcing options.
More seriously, the Commission seems to have failed to grasp the central point that some of the features that it feels the need to reform are, in fact, central to the cloud model. The trade-off between price, flexibility and contract rights is at the heart of what makes the cloud work. If the Commission's proposals were to be adopted across-the-board, the cloud providers would have to raise their prices and drop many of the services where the cloud offers flexibility – which would defeat the whole reason why cloud seems so attractive in the first place.
Some of the supposed issues identified by the Commission (for example, the lack of certification and standards) would not feature on many industry observers' lists of top 10 risks.
© Morrison & Foerster LLP. All rights reserved