European Union: Europe Offers Incentives To Cloud Computing Growth

Last Updated: November 14 2012
Article by Alistair Maughan

The European Commission has issued a Communication setting out a road map for the future growth of cloud computing in Europe. The Communication is a strange mix: in parts, an extended advert for the benefits of a digital single market in the EU, and a narrative on the benefits of cloud computing.

But the most interesting aspect of the Communication is the regulatory agenda that the Commission proposes in order to "...unleash the potential of cloud computing in Europe". Sceptical observers may question whether the proposed package of extra regulation, certification and contractual limitations is more likely to slow down – not speed up – the implementation of cloud computing across Europe.

Until now, most industry observers have viewed the European Union less as a facilitator and more as a barrier to the adoption of cloud computing, because the ubiquity of cloud computing services is threatened by the requirement for compliance with the EU data transfer regulations. In this Communication, the Commission claims that it is seeking to "unleash the potential of cloud computing in Europe". It remains to be seen whether the laudable aims espoused by the Commission are followed up in practice, and whether the fast-growing cloud-based sector of the information and communications technology (ICT) industry welcomes the Commission's proposals.

CLOUD COMPUTING – AN OVERVIEW

Cloud computing is an ICT delivery model where ICT services are provided to users from remote servers and facilities over the Internet rather than through owned or leased IT servers and platforms. Cloud-based technology offers important benefits to users, including the chance for significant cost savings and operational efficiencies; flexibility in deployment; ready access to information systems, applications and data; better back-up services; and faster and more responsive upgrade functionality. Through cloud computing services, users have the ability to outsource all or part of their ICT hardware architecture (infrastructure as a service, or IaaS), operating systems and platforms (platform as a service, or PaaS), or software applications (software as a service, or SaaS) as they choose. "Clouds" can be private, where the services are operated solely for one organisation (or a small group of organisations, which some refer to as "community" clouds), typically on a dedicated or partitioned platform; public, where the services are shared by numerous customers, and typically operated on a shared platform; or hybrid, which entails a combination of private and public cloud services.

A cloud set-up consists of layers: hardware; middleware or platform; and application software. Some element of standardisation is important in a cloud environment, especially at the middle layer, because it enables developers to address a wide range of potential customers, and gives users choice.

In general, users of cloud services trade-off customization for commoditization, and must be aware of the implications that remote services provided on standard supplier terms might have on their organisation. The financial benefits of adopting cloud-based services can be significant although it's important for organisation also to factor in the impact of extra risks that might arise as a result of a wholly or partly cloud-based ICT solution.

THE COMMUNICATION

The Commission highlights the potential benefits that cloud computing could bring to Europe. It believes that, if properly implemented across Europe, the Commission's proposals could bring an additional €45 billion of direct spend on cloud computing services in the EU by 2020, as well as the creation of an extra 3.8 million jobs.

The Commission recognises that many of its proposed actions are designed to address the perception that cloud computing brings additional risks. So for example, it proposes actions aimed at providing more clarity and knowledge about the applicable legal framework; making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification); and developing the relevant legal framework further (e.g. through a forthcoming legislative initiative on cybersecurity).

The Communication goes to some lengths to describe the benefits of cloud computing on the European economy. To organisations that have already adopted cloud computing, these benefits are well rehearsed (see separate box).

The Communication is part of the Commission's overall "digital agenda" under which the Commission targets setting up a digital single market. Under this digital agenda, the Commission has set itself the objective of simplifying copyright clearance, management and cross-border licensing - and thereby enhancing Europe's capacity to exploit new digital opportunities (such as cloud computing) for both producers and consumers of digital content.

In an interesting piece of self-analysis, the Commission acknowledges that data protection barriers emerged from its consultation exercise as a key area of concern that could impede the adoption of cloud computing. Those barriers are largely of the EU's own making. In particular, the Commission recognises that the existence of 27 partly diverging national legal frameworks around data protection – and the issue of restrictions on sending personal data outside the European Economic Area – creates problems in constructing cost-effective cloud solutions in a fully integrated pan-European manner.

The Commission also acknowledges that, given the global scope of cloud computing, it is important to try to clarify how international data transfers should be regulated. The Commission believes that these concerns have been addressed by the proposal of a strong uniform legal framework providing legal certainty as well as data protection (issued by the Commission on 25 January 2012; see previous MoFo Alert). That proposed regulation addresses issues raised by the cloud and also clarifies the important question of applicable law by ensuring that a single set of rules would apply directly and uniformly across all 27 Member States. The Commission notes that the importance of data protection concerns as a main barrier to cloud computing take-up underscores how important it is that the EU works swiftly toward the adoption of the proposed regulation as soon as possible in 2013.

The Commission has also analysed the issues that cloud computing raises in the context of the European market. It stresses three issues in particular:

  • fragmentation of the market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location. In particular, the Commission highlights the complexities of managing services and usage patterns that span multiple jurisdictions, and the difficulty of achieving a common position in areas such as data privacy, contracts and consumer protection;
  • problems with contracts. The Commission highlights worries over data access and portability; change control and ownership of data managed in the cloud; concerns over how liability for service failures such as downtime or loss of data would be compensated; ownership of data created in cloud applications; and the resolution of disputes; and
  • standards. The Commission highlights a "jungle" of standards that generates confusion and suggests a lack of certainty as to which standards provide adequate levels of interoperability of data formats, or permit appropriate data portability.

Although the Commission does not foresee the building of a "European supercloud" (i.e. the creation of a dedicated hardware infrastructure that would provide generic cloud computing services to public sector users across Europe), one of its aims is to ensure publicly-available cloud offerings that meet European standards in regulatory terms and which offer the benefits of being competitive, open and secure. Clearly, the Commission recognises that this does not preclude public bodies from setting up dedicated private clouds for the treatment of sensitive data. So far, a number of European countries - the UK in particular (which has launched the G-Cloud service) - are setting up their own national cloud platforms for the benefit of government departments locally.

SPECIFIC EU ACTIONS ON CLOUD COMPUTING

The Commission believes that there is a need for a series of confidence-building steps to create trust in cloud solutions. This starts with the identification of appropriate standards that can be certified in order to allow public or private buyers of cloud services to be confident that providers have met their compliance obligations and that those buyers are getting an appropriate solution to meet their needs. The Commission believes that these standards and certificates can, in turn, be referenced in contracts for cloud services so that providers and buyers feel confident that the contract is fair.

To deliver on its goals, the Commission plans to launch three cloud-specific actions.

Key Action 1: Cutting Through the Jungle of Standards

The Commission believes that a wider use of standards (and certification of cloud services to show that they meet these standards) will help to accelerate the rate of adoption of cloud solutions in Europe.

Currently, individual cloud providers have an incentive to fight for dominance by locking in their customers, inhibiting standardised industry-wide approaches. The Commission believes that cloud computing is likely to develop in a way that lacks interoperability, data portability and reversibility – which are all crucial for the avoidance of lock-in. The Commission believes that standards in the cloud will affect stakeholders beyond the ICT industry, in particular small and medium-sized enterprises (SMEs), public sector users and consumers. Such users are rarely able to evaluate competing cloud providers' claims, the interoperability of clouds and the ease with which data can be moved. It believes that independent, trusted certification is needed.

The Commission notes that, in some places, standardisation and certification of cloud solutions is already taking place. The U.S. National Institute for Standards and Technology has published a series of documents, including a widely-accepted set of definitions. It believes that the priority now should be to deploy existing standards and develop competence in cloud solutions.

As a result, the Commission has asked the European Telecommunications Standards Institute (ETSI) to produce (by the end of 2013) a road-map of the standards necessary for security, interoperability, data portability and reversibility in the cloud. It also plans to facilitate EU-wide voluntary certification schemes covering cloud-based services, and agree industry-wide metrics for key environmental measures such as energy and water consumption, and carbon emissions of cloud services.

Key Action 2: Promoting Safe and Fair Contracts

The Commission notes that, traditionally, IT outsourcing agreements have been negotiated and described in detail up-front. However, cloud computing contracts tend to be done on the basis of a framework in which the user has access to scalable and flexible IT capabilities but with much less room for negotiation of the applicable contract terms – with the result that cloud contracts tend to be imbalanced in the favour of the cloud provider.

The Commission believes that the use of "take it or leave it" standard contracts might well be beneficial in cost terms for consumers, but it is often undesirable for them. Such contracts may also impose an inappropriate choice of applicable law or inhibit data recovery. Even larger companies have little negotiation power, and contracts often don't provide coverage on key issues such as liability for data integrity, confidentiality or service continuity.

The Commission believes that the development of model terms for cloud computing and service-level agreements is one of the most important issues that arose during its consultation process.

At one level, the Commission has already launched a proposal to implement a standard EU-wide regulation on a Common European Sales Law, which could address many of the obstacles stemming from diverging national sales law rules by providing contractual parties with a uniform set of rules. The Commission plans to set up a task force to identify (before the end of 2013) safe and fair contract terms and conditions for cloud consumers and small firms.

The Commission would like to go further and develop model terms for cloud computing service-level agreements for contracts between cloud providers and larger corporate buyers.

With respect to data privacy, the Commission plans to facilitate Europe's participation in the global growth of cloud computing by reviewing standard contractual clauses applicable. to transfer of personal data to third countries and adapting them, as needed, to cloud services; and by calling upon national data protection authorities to approve binding corporate rules for cloud providers.

The Commission also wants to work with industry to agree a code of conduct for cloud computing providers to support a uniform application of data protection rules which may be submitted to the Article 29 Working Party for endorsement in order to ensure legal certainty and coherence between the code of conduct and EU law.

Key Action 3: Promoting Public Sector Leadership

The Commission believes that governments and the wider public sector across Europe have a strong role to play in shaping the cloud computing market.

The public sector is the EU's largest buyer of IT services, and can set stringent requirements for the features, performance, security and interoperability of cloud services. Currently, the public sector market is fragmented and its requirements have little impact. The Commission believes that pooling public requirements could bring greater efficiency and common requirements, which would reduce costs.

Accordingly, the Commission is setting up a European Cloud Partnership (ECP) to provide an umbrella for comparable initiatives at Member State level. These include the G-Cloud in the UK, Andromede in France and Trusted Cloud in Germany. The ECP will bring together industry expertise and public sector users to work on common procurement requirements for cloud computing in an open and transparent way.

The ECP is not targeted at creating physical cloud computing infrastructure. Rather, the aim is for the ECP to involve participating Member States in order to ensure consistency and avoid fragmentation, and ensure that public cloud usage is interoperable as well as safe, secure and in line with European rules on issues such as data protection and security.

VIEW FROM THE ICT INDUSTRY

The ICT industry's reception of the Communication has been distinctly low key.

It comes as no surprise to many that the Commission thinks that the answer to the adoption of cloud computing is more regulation and certification rather than less. Equally, few outside Brussels believe that "implementation of the [EU's] Digital Agenda proposals is the essential first step towards making Europe cloud-friendly". Sceptics point out that the best way to create trust in cloud solutions (which the Commission professes as an aim) is for the Commission to keep out of the way and let the market flourish free of regulation.

Most companies involved in the roll-out of cloud services consider that the cloud sector is growing nicely and, but for the complication caused by EU-originated data privacy laws over where personal data can be transferred and processed, the market could be growing even faster. Arguably, therefore, the best use of the Commission's time would be to clarify the application of the laws on data transfer to a cloud solution. Currently, this is being addressed by national regulators (such as the UK Information Commissioner's Office, which published an official Guidance on the Use of Cloud Computing in September 2012).

In terms of the three "Key Actions" proposed by the Commission:

  • Key Action 1: The absence of a voluntary certification scheme is not something that has appeared to impede the development of the cloud market so far. Cloud-based services have not been seen as a VHS v. Betamax situation. It is questionable how far any certification scheme can go if it is voluntary. But the alternative – a mandatory scheme – would be much worse for the cloud sector, so it's doubtful whether the industry will object to this Key Action too loudly.
  • Key Action 2: There is no doubt that the Commission could help the adoption of cloud computing in Europe to grow by addressing the issue of data privacy. Model clauses would be helpful, as would a common set of standards that would enable cloud providers to ensure that all appropriate EU-level privacy rules are addressed by their solutions. Beyond that, the creation of a model set of contract conditions for cloud usage is a distant prospect. The Commission has been working for years on the issue of harmonizing contract laws across the EU – and there is no immediate likelihood of that happening (either in the cloud or out of it) any time soon.
  • Key Action 3: The ECP ought to be cautiously welcomed by industry. The government sector has been a significant driver of activity in the ICT industry for many years, but public bodies are seen as conservative and slow adopters of new technologies or methods of ICT delivery. Anything that incentivises or legitimises the take-up of cloud computing by a large group of potential users must be good for the industry.

AN OPPORTUNITY MISSED?

One of the significant blockages to the adoption of cloud solutions is the absence of guidance by regulators in specific sectors. For the financial services sector especially, cloud solutions could have a significant impact. But regulators have generally failed to grapple with cloud computing or provide guidance to their regulated firms. The result has been a take-up of cloud solutions by regulated entities that has been more muted than it could have been, because firms are worried about entrusting core systems to a form of services delivery about which the regulatory treatment is unclear.

The Commission's Communication has not helped to point the way for European financial services regulators to open the door to more take-up of cloud services by financial institutions. Elsewhere, the EU's Markets in Financial Instruments Directive (MiFID) has focussed greater attention on the importance of regulated firms having greater control and effective access over data relating to their activities. The Communication would have been a perfect vehicle for the Commission to clarify doubt over how MiFID might apply to data stored or processed in the cloud; to discuss whether a graduated approach to the effectiveness of data access might have been appropriate; and to explain what sort of audit requirements are appropriate to data stored in the cloud by a regulated entity. The fact that it didn't do any of these things represents an opportunity missed.

The position is slightly different in the U.S. There, as we reported in our Client Alert Federal Financial Agencies Issue Cautionary Statement on Financial Institution Cloud Computing Services, various federal financial regulatory agencies have been more proactive and have issued a joint interagency statement on the use by financial institutions of outsourced cloud computing services, and the key risks associated with such services.

The statement is the first formal federal financial agency statement on the matter of cloud computing. In general, the statement reaffirms that the fundamentals of existing risk and risk management requirements that currently are applicable to financial institution outsourcing of IT services apply equally to outsourced cloud-based services, while identifying certain risks that, in the Agencies' view, are of particular concern with respect to such services.

CONCLUSION

In many ways, the Communication is characteristic of the Commission's approach to many issues. It tends to favour regulation over liberalisation; it believes that the market needs stimulus; and it proposes grand gestures and task forces over specific reforms.

But in practice, the cloud computing market is growing at a significant rate in Europe, even without the "benefit" of the Commission's extra help. The ICT industry has moved quickly to wrap cloud services into packages alongside more customized services, and make them attractive to customers as part of their ICT sourcing options.

More seriously, the Commission seems to have failed to grasp the central point that some of the features that it feels the need to reform are, in fact, central to the cloud model. The trade-off between price, flexibility and contract rights is at the heart of what makes the cloud work. If the Commission's proposals were to be adopted across-the-board, the cloud providers would have to raise their prices and drop many of the services where the cloud offers flexibility – which would defeat the whole reason why cloud seems so attractive in the first place.

Some of the supposed issues identified by the Commission (for example, the lack of certification and standards) would not feature on many industry observers' lists of top 10 risks.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Alistair Maughan
 
In association with
Related Video
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert
Email Address
Company Name
Password
Confirm Password
Mondaq Topics -- Select your Interests
Accounting and Audit
Anti-trust/Competition Law
Consumer Protection
Corporate/Commercial Law
Criminal Law
Employment and HR
Energy and Natural Resources
Environment
Family and Matrimonial
Finance and Banking
Food, Drugs, Healthcare, Life Sciences
Government, Public Sector
Immigration
Insolvency/Bankruptcy, Re-structuring
Insurance
Intellectual Property
International Law
Law Practice Management
Litigation, Mediation & Arbitration
Media, Telecoms, IT, Entertainment
Privacy
Real Estate and Construction
Strategy
Tax
Transport
Wealth Management
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.