Europe needs to act now
There seems to be a general agreement that cloud computing will have a sweeping impact across the IT sector. Cloud computing has clear economic advantages and a number of cloud computing services are already available. However, there are major, non-technical obstacles that need to be overcome, at least in Europe, before cloud computing can really take off.
There seem to be no major hurdles blocking the way of cloud computing from a technical perspective. The real issues lie elsewhere. Regulatory aspects seem to be much more critical for the market development of cloud computing, particularly if you look at aspects like openness, interoperability, and data portability. Users of cloud computing services should be able to seamlessly move from one provider to another, as their business interests dictate, or as they wish, but basic standards are missing to support this free market situation and avoid lock-in.
Another key concerns regarding cloud computing is trust. Protection and security of private data and information should be ensured, even if these data are stored somewhere in the cloud. It remains to be seen, how justified some of the privacy and security concerns are, but nevertheless, they should be addressed.
Shortcomings of the EU legal framework
Both business as well as private users have their privacy and security concerns regarding cloud computing services, but many cloud applications target the consumers. In general, the EU data protection directive and e-privacy directive provide a legal framework for cloud computing. These directives were conceived some time ago, but were kept intentionally general, thus they remain applicable to cloud computing. However, the mapping between cloud services and the relevant rules in the directives is quite ambiguous. There are some common cases in which the directives fail to provide a clear guidance, and thus leave it to the interpretation of the court, in case of a dispute. One such critical aspect is whether the cloud service provider can be considered as a so-called controller or a processor. This distinction is very important as the responsibilities of the controller and processor are different. Following the example of the SWIFT case, the court might deem the provider to be a “joint” controller.
Another critical situation arises, when the user of the cloud service is an individual, and uses the cloud service for private purposes. In such a very common case even the applicability of the directive is questionable, as individuals cannot be controllers. Thus, the responsibilities of the provider are unclear – a situation which is likely to leave the consumer to the mercy of the provider.
A third critical case is, if the cloud provider targets services to the EU but does not use equipment within the EU, and is not established within EU.
The challenges that cloud computing presents from a legal perspective are not new. Similar challenges have been present since the Internet began. However, cloud computing seems to amplify some of the risks. The good thing is that people close to policy makers are aware, or at least are becoming increasingly aware of these challenges.
There is likely no single magic solution but a combination of solutions to address all the gaps and challenges, and quite some work is needed to assemble a full array of them. In addition, solutions may be part of broader attempt to solve other, wider problems.
Solutions may come at different levels. Some issues could be dealt with by technology, for instance Privacy by Design, which takes into account data protection when designing cloud computing services. Some issues could be solved through the interpretation and guidance given by the Courts.
Finally, the regulatory gaps and issues could be addressed within the current review process of the existing Data Protection Directive, by adjusting the criteria for applicability, and potentially creating a new hybrid category of data controller/processor with clear obligations.
Whatever we do in Europe to create a favourable environment for cloud computing – we need to act now. Cloud computing is a huge business opportunity for Europe. We should not miss it due to inadequate regulation.
Please send us your comments on this article.