Offering cloud services to European companies and users means obeying European Union (EU) legisation like GDPR (General Data Protection Regulation) and proving that data and access in the cloud is protected. If there is any doubt about this, success inside the European cloud market will prove elusive.
Only 26% of the EU enterprises use cloud computing, mostly for hosting their email systems and storing files, more than half of them use advanced cloud services relating to financial and accounting software applications, customer relationship management or computing power to run business applications.
Most of these cloud services handle personal data, so the European privacy regulation GDPR applies. This regulation is not only relevant to EU enterprises but for any company processing personal data of "data subjects" who are in the EU, if the company offers goods or services to a person in the EU, irrespective of whether a payment is required, or the company monitors the behavior of persons in the EU.
The main obstacle for cloud services in the EU is data security: Four out of ten enterprises in the European Union already using the cloud reported the risk of a security breach as the main limiting factor in the use of more cloud computing services, says a study carried out for the European Commission.
Cloud computing raises a number of issues related to the protection of privacy and personal data that need to be properly addressed in service development and rollout, explains the European Data Protection Supervisor (EDPS):
- First, in cloud environments the specific physical location of the data is usually not known by the client. However, the hosting location of data remains relevant with respect to the applicability of national law.
- Second, the contractual asymmetry between service providers and clients may make it very difficult or even impossible for cloud clients acting as data controllers to comply with the requirements for personal data processing in a cloud computing environment.
- Third, in cloud computing different players usually cooperate along the end-to-end value chain in order to deliver the service to the client. This leads to complex questions concerning the allocation of responsibilities.
- Fourth, cloud computing also leads to a considerable increase of transfers of personal data over networks, involving many different parties and crossing borders between countries, including outside the EU. Depending on the type of service offered, data can be replicated in multiple locations, in order to make it better accessible from anywhere in the world. Where personal data is processed in these services, data controllers and processors must ensure compliance of these transfers with data protection rules.
Data protection in the EU is no longer just an issue for data protection authorities, but also for other regulators, such as those working in consumer protection or competition law. Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), said: “Massive scale data processing has serious consequences not only for individuals, but also for society, democracy and the environment. Data has become a geostrategic arena in which disparities in the digital dividend shared between those with power over their digital lives, freedoms and privacy, and those without, only continue to grow.”
European banks, for example, have been slower in their uptake of cloud services when compared to other industries due to the strict regulatory environment where banks operate in, says the European Banking Federation (EBF). Moreover, using, managing and storing customer information faces higher compliance risks, especially in the light of data and security guidelines like GDPR. The European Banking Authority (EBA) also published recommendations for cloud computing which credit institutions must observe.
Many banks in the EU are eager to adopt cloud services. However, the migration from on-premises solutions to a multicloud environment is a meticulous effort for banks that requires thorough assessment of risk and control levels. Only with all the risk, reporting and compliance expectations aligned can banks adopt public and hybrid cloud solutions within a competitive timeframe.
It has never been more true than today to say that without user trust, technology will not be able to advance to reach its full potential, said SCOPE Europe (Self and Co-Regulation for an Optimized Policy Environment in Europe), an association supporting the co-regulation of the information economy. The so-called "EU Cloud Code of Conduct General Assembly" published a revised Code version which has been submitted to the supervisory authorities in the EU for approval. "This Code release is a big achievement for the EU Cloud Code of Conduct, bringing the Code fully up to date with GDPR -- it is an important milestone for achieving high levels of data protection in the Cloud," said Jonathan Sage, chairman of the EU Cloud CoC General Assembly.
There is a huge demand in cloud certification for building the required trust on the customer side in the EU. But this market for cloud computing certification schemes is highly fragmented. Different initiatives have arisen at different levels, international standardization organisations and European member states have launched their own public and public-private initiatives, with varying levels of success. There is still no GDPR certification scheme at hand for cloud providers to proof the protection of cloud data and access.
Having these GDPR certification schemes, data protection will remain a big issue in the EU, but it will be an issue that can be fulfilled. Trust building among the cloud users in the EU by approved certifications and codes of conduct will definitely help to develop the European cloud market in a fast pace.
— Oliver Schonschek, News Analyst, Security Now