New E.U. Guidelines to Address Cloud ComputingJuly 1, 2012
The European Commission’s panel on privacy is expected to endorse Monday the concept of cloud computing as legal under the Continent’s privacy law and to recommend for the first time that large companies and organizations police themselves to assure that personal information kept in remote locations is protected.
The panel, known as the Article 29 Working Party, is expected to make the recommendation as part of its long-awaited guidelines on cloud computing, which have the potential, some industry experts say, to allay concerns over data privacy and pave the way for wider adoption of the remote-computing services that are more common in the United States.
The report will highlight the advantages of using cloud computing to encourage innovation and economic efficiency, said a person with knowledge of the recommendations, who spoke anonymously because he was not authorized to speak for the group. This would reflect a new, more practical approach by European officials to remote computing’s role in the broader economy….
The recommendations are expected to guide decisions on cloud computing by regulators in the 27 E.U. countries. The sellers of cloud services are hoping the new guidelines will improve their image in Europe, where concerns about privacy and fears that business secrets could be stolen in U.S.-based cloud centers have discouraged sales.
According to Gartner, the research firm, European sales of cloud computing trail those in the United States by at least two years, in part because of these concerns.
“I am hoping that the recommendations will allow people to take advantage of the technology that is out there in a controlled way,” said David Gibson, vice president in charge of strategy at Varonis Systems, a seller, based in New York, of cloud software to businesses and institutions. “Some of the regulations being discussed in Europe are actually pretty progressive and could give the business model a push forward there, as well as in the States.”
Cloud computing refers to the delivery of services over the Internet rather than through the use of software. There are various types of services and various types of cloud providers, both public and private. The sales of cloud services are rising about 24 percent each year, according to International Data Corp., or about four times as fast as the rate of technology spending over all.
Public cloud services — offered by Amazon.com, Salesforce.com and Savvis, among other companies — amounted to $28 billion worldwide in 2011, I.D.C. says.
The North American market accounting for $17.4 billion, or 62 percent, of sales, while Europe, the Middle East and Africa accounted for about $7 billion, according to I.D.C.
Companies using the cloud can save money because they do not have to buy or house servers to deliver the services or store data. Users of the cloud typically submit personal information to gain access to their services and data.
European interest in the cloud appears to be increasing, despite the euro currency crisis and economic downturn, industry executives said.
Deutsche Bank, BNP Paribas, BMW and Burberry, among other companies, are all using the cloud-based customer relations management services of Salesforce.com, which in May said it had to hire 750 employees in Europe this year to meet demand from its 20,000 clients on the Continent.
In June, Amazon Web Services, the cloud services arm of the U.S. online retailer, made a presentation to several hundred potential customers at an IMAX movie theater on Alexanderplatz in Berlin. “The room was packed, and from what I can tell, the interest in cloud computing is growing,” said Andy Jassy, the Amazon Web Services vice president in charge of the division, who made the presentation. “In difficult economic times, more companies are looking to the cloud to save money.”
Some governments in Europe are also beginning to use cloud services to cut costs. The borough of Windsor and Maidenhead in England is a customer of Salesforce.com. In Belgium, the national government is creating its own cloud to consolidate government services, said Georges Ataya, a professor of information technology management at Solvay Brussels School of Economics and Management in Brussels. European national governments — which are typically required by law to process personal data within their own borders — are either buying domestic cloud services or setting up their own private clouds to cut technology costs, Mr. Ataya said.
“I think, over time, there is no question that cloud services are going to take hold in Europe as they have in the United States,” Mr. Ataya said.
The guidelines are unlikely to harmonize in a significant way the patchwork of national privacy laws that govern cloud computing in Europe, which has tended to reduce the appeal of remote computing services on the Continent.
Britain and Scandinavian countries tend to be more permissive than other European nations about the ways personal data can be processed in clouds, whereas Spain and France impose tough requirements, like requiring cloud service sellers to know at all times where information is being kept, said Jörg-Alexander Paul, a privacy lawyer at the firm Bird & Bird in Frankfurt am Main. Germany has strict laws on handling cloud data, Mr. Paul said, but its enforcement is relatively lax.
The guidelines to be introduced Monday are nonbinding. Regulators in E.U. countries are required legally to give them “utmost consideration” in drafting national policies, but have the discretion to interpret the guidelines as they see fit.
However, the guidelines are likely to influence many E.U. nations in their treatment of cloud computing and privacy, particularly the recommendation that regulators accept third-party audits paid for by cloud service companies as proof that personal information is being handled, even in non-E.U. countries, under E.U. privacy laws. Previously, some E.U. regulators had been reluctant to accept the audits.
While the report gives greater support to cloud computing than ever before, the list of recommendations — about 30 pages long — from the panel, which is made up of the Union’s 27 national privacy regulators, also attempts to establish privacy requirements for cloud service sellers that could make remote computing more expensive in Europe.
One recommendation would require a cloud services seller to inform clients exactly where their data are being physically stored at any time of day. Another would require sellers to delete all personal data in cloud computing centers when retaining the data is no longer necessary. A third may compel cloud service companies to disclose to clients the subcontractors they plan to use to process data.
The first two requirements, while perhaps providing greater security to European cloud users, could also add complexity and cost to managing data in clouds. The third recommendation, if aggressively enforced by E.U. regulators, could undermine large sellers of cloud services by disclosing to clients a list of potential lower-cost rivals. Some sellers, like Microsoft, have already published a list of 100 subcontractors the company uses to provide cloud services under the Microsoft brand.
For transfers of European data to the United States, the report advises European cloud service customers to demand the data protection safeguards of the so-called European model contract, a legal agreement that imposes regular reporting and auditing requirements on cloud operators to prove that data are being handled according to E.U. law. The model contract would supplement the Safe Harbor Agreement, a 12-year-old pact between the United States and European Union that has set out mutual privacy standards for data storage and transfers.
Some European regulators view enforcement of Safe Harbor guarantees, which are overseen by the U.S. Federal Trade Commission, as insufficient.
Some analysts were not convinced that the recommendations will overcome lingering unease of European companies reluctant to store data in U.S.-based clouds, where sensitive information about customers or business practices can theoretically be subject to government surveillance under the Patriot Act.
“There is a fair amount of misunderstanding and downright mistrust of the Patriot Act amongst E.U. customers,” said Chenxi Wang, an analyst at Forrester Research in San Francisco. “A lot of that is emotional reaction versus sound legal judgments.”