With concerns over the potential fragmentation of the digital single market and the proliferation of different data protection standards for personal data across the EU, the European Commission (Commission) has published new guidance on the use of cloud computing. The Commission has identified the steps it wishes to introduce in 2013 to ensure publicly available cloud offerings adhere to European standards, not only in regulatory terms, but also in terms of being competitive, open and secure. The Commission suggests that cloud computing, being born global, requires a reinforced international dialogue on safe and seamless cross-border use in order to create a digital single market.
The Commission believes that cloud computing has the potential to slash users’ IT expenditure, boost productivity and growth, and create 3.8 million new jobs by 2020. Even the smallest firms will be able to use the cloud to reach out to ever-larger markets, while governments can make their services more attractive and efficient. The lack of standardisation and harmonisation across the EU is a concern for cloud computing adoption, and implementing policies to achieve this is therefore the crux of the Commission’s strategy. A preparatory study undertaken for the Commission estimates that a public cloud would generate €250 billion in GDP in 2020, with cloud-friendly single market policies in place against €88 billion in a ‘no intervention’ scenario.
To deliver on its goals, the Commission states that it will launch three cloud-specific actions: (1) cutting through the jungle of standards; (2) implementing safe and fair contract terms and conditions; and (3) establishing a European Cloud Partnership (ECP) to drive innovation and growth.
On 25 January 2012, the Commission proposed a uniform legal framework for providing legal certainty on data protection which would address the issues raised by the cloud, and apply directly and uniformly across all 27 Member States. The new legal framework will provide for the necessary conditions for the adoption of codes of conduct and standards for the cloud, where stakeholders see a need for certification schemes that verify that the provider has implemented the appropriate IT security standards and safeguards for data transfers, including the adoption of cloud-friendly binding corporate rules where necessary.
The European Telecommunications Standards Institute (ETSI) has set up a Cloud Group to consider cloud standardisation needs and conformity with interoperability standards. The Commission will work with the support of ETSI, the European Network and Information Security Agency (ENISA), and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing.
The Commission states that standardisation in licensing and security is essential to the development of a digital single market. Standardisation in licensing would allow customers to access their personal account from multiple devices, irrespective of the territory. The territory from which the account is accessed should be introduced. Moreover, a rapid adoption of the Commission’s proposal for a Directive on Collective Rights Management will address many of the cross-border licensing needs for cloud content. In terms of security standards, the Commission suggests secure eAuthentication methods and the adoption of common standards for Internet transactions, which could be achieved through the adoption of their proposals on e-identification and authentication.
The Commission also proposed the adoption of model contract terms to address issues such as data retention, data disclosure, and integrity and liability.