Some might say that the European Commission (“EC”) is good at generating regulations, the shape and size of bananas being one of the more memorable examples, but can even they hope to pin down something as fast moving as the cloud?  

Well, the EC has made it clear that they aspire to: last September the EC published a strategic paper on unleashing the potential of cloud computing in Europe, with the overriding aim stated as being to (as the EC sees it) assist in the development of the cloud industry in Europe by trying to impose some structure and by encouraging cloud providers in a direction which the EC considers to be conducive to the good development of the cloud.

The strategic paper

The strategic paper states that the EC is concerned with three main things:

  1. fragmentation of the digital single market – i.e. the issues caused by the differing national legal frameworks that exist and uncertainties over applicable law (particularly in respect of data protection, contracts and consumer protection);
  2. issues associated with contracts with cloud providers (for example concerns over data access, change control, portability of data, ownership of data created in the cloud and how disputes will be resolved); and
  3. a “jungle of standards” (the concern being that a multiplicity of self-proclaimed standards creates confusion as to which provides the best deal).

At present, the EC has made several proposals which it believes will assist the development of the cloud within the EC including:

  • proposals on e-identification and authentication (with an emphasis on security rather than simple sign-on procedures)
  • a strong and uniform legal framework on data protection which was proposed at the end of January 2012 by the EC in the form of a regulation (which would apply across the EEA)  and the EC would like to see in force this year;
  • proposing a common European sales law (which would have universal force throughout the EEA).

So far, so ambitious, and that is just the beginning. Intriguingly, the EC propose to cut through the jungle of standards by having their own, EU wide, voluntary certification on data protection, technical certifications for the protection of personal data and a “map” of standards on security, interoperability, data portability (amongst other things). Unless they become the well-publicised certification of choice it is hard to see how this will reduce the “jungle”.

They also have ambitions to guide cloud contracts towards what they consider to be desirable. This mainly seems to consist of trying to move cloud providers away from standard contracts that are essentially non-negotiable. The EC is concerned that companies forced to accept certain terms (for example choice of jurisdiction and provisions in the provider’s favour on data recovery, confidentiality and service continuity) will result in either a barrier to entry or in companies that accept the terms potentially losing out. To tackle this, the EC proposes to develop model terms for cloud computing service level agreements and to standardise key contract terms and conditions to “best practice” terms. They are also calling upon national data protection authorities to approve binding corporate rules for cloud providers.

The final part of their tripartite plan is to harness the public sector to work on common procurement requirements for cloud computing in the “European Cloud Partnership”, which they hope will put a substantial amount of spending power behind their first two objectives, giving their plan commercial weight.

Will the EC take too long?

Whether such direction can be given to the cloud remains open to question. The timescale of the EC response (along the lines of “we’ll get back to you in a year”) conveys one of the issues. IT is a fast moving industry and “the cloud” is constantly developing and changing. The EC only started appealing for experts to work on developing the EC’s standard terms for cloud computing contracts on 24th June, over nine months after they decided to pursue this course of action. The industry moves on whilst the EC is deliberating. R W Baird & Co published a report in April showing that the top 10 cloud providers grew 37% last year whilst the more traditional businesses grew by 2%. Both R W Baird & Co and Bernstien Research predict that Amazon Web Services (Amazon’s cloud arm) will enjoy substantial growth over the next few years, whilst the more conventional IT market loses out. If the EC does not respond swiftly, then conventions will have already been established by the market and the market will be dominated by the US.

Is regulation the answer anyway?

Unsurprisingly the drive to regulate has not been universally well received. Computer Weekly have published various articles on the subject, one entitled “European Commission should keep its hands out of the cloud” which expressed scepticism at the solutions proposed by the EC. Over-regulation and the complexity that comes with it makes any market less attractive to business, so if the EC gets it wrong and is too heavy handed then we face seeing business go elsewhere to more sympathetic jurisdictions. This is also an industry that is fast moving and therefore resistant to control and regulation. If the market is regulated too heavily then there is a risk of strangling the innovation which generates the cash which the EC wants to encourage and harness.

However, there are clearly barriers to entry at present: companies that place a higher value on security and reliability than cost are making the decision to invest in data centres rather than ship out to the cloud (for example, Menzies Aviation, who recently invested $2 million in updating its three internal datacentres). This is something that the EC hopes the right regulation would change.

Of course we do not want to lose out to other markets. This has to be balanced against giving consumers the confidence to trust their business and data to the cloud when the bad press for getting it wrong is so potentially damaging. Clearly, if the cloud isn’t regulated in the right way then it will never have universal appeal, but then maybe universal appeal isn’t what the cloud is about, it’s not a one stop fix for all business issues after all.