1. A Storm Brewing? European Commission looks to unleash the potential of the Cloud

The European Commission has published a Communication to "unleash the potential of Cloud Computing within Europe". On the agenda are model contracts for cloud services and pan-European standards and certifications.

Background

Cloud Computing has been a technological "hot topic" for the last few years with its perceived benefits of flexible access, dynamic scalability, reduced environmental impact and, importantly, cost savings. The European Commission now also believes that the economic benefits of cloud adoption could be great for the EU. According to the Commission, cloud computing revenues in the EU could rise to nearly €80 billion by 2020 if policy intervention is successful (more than doubling the growth of the sector). More broadly, the Commission expects a net annual gain of €160 billion to EU GDP by 2020 (or a total gain of nearly €600 billion between 2015 and 2020) if a full EU cloud strategy is in place. However, the existing patchwork of different rules at Member State level is currently leading to uncertainty about legal obligations in the context of the cloud, and therefore delaying the adoption of cloud solutions.

Unleashing the Potential of Cloud Computing

The European Commission has published a Communication on "Unleashing the Potential of Cloud Computing in Europe". In the Communication, the Commission has identified three key areas where action is needed:

  • Differing Rules:The fragmentation of the digital single market due to differing national legal frameworks is a key area of concern and confusion for cloud customers and suppliers.
  • Contracts:Concerns over contractual terms and conditions, particularly in relation to liability for service failures and outages are also a key area requiring further action.
  • Standardisation: Finally, a lack of certainty as regards technical standards for cloud suppliers is seen as a barrier to widespread adoption of cloud solutions by customers.

The Commission believes that cloud computing could raise the digital single market in Europe to a new level. According to the Commission, "a climate of certainty and trust must be further developed so as to stimulate the active adoption of cloud computing in Europe". To achieve this aim, the Commission has therefore launched the following three cloud-specific actions:

  • Key Action 1 – Cutting through the Jungle of Standards

The Commission believes that the current proliferation of standards adopted by cloud suppliers in the market creates confusion and uncertainty for customers, who are unsure which standards offer adequate security of data and data portability etc. Many large customer organisations also require certification of their IT systems' compliance with legal and audit requirements and that applications and systems are interoperable.

The Commission has therefore committed to appoint the European Telecommunications Standards Institute ("ETSI") to coordinate with stakeholders to identify by 2013 a detailed map of the necessary standards for, amongst other things, security, interoperability and data portability. The Commission will also work with the European Network and Information Security Agency ("ENISA") to develop EU-wide voluntary certification schemes in the area of cloud computing, and establish a list of such schemes by 2014.

  • Key Action 2 – Safe and Fair Contract Terms

The Commission highlights in its Communication the difference between cloud computing solutions and traditional IT outsourcing arrangements. According to the Commission, the greater flexibility of cloud computing as compared to traditional outsourcing is often negated by reduced contractual certainty as a result of unbalanced legal terms and conditions. Even large customer organisations are finding that they have little or no negotiation power with the suppliers when it comes to negotiating their cloud contracts.

The Commission has therefore committed by the end of 2013 to develop with stakeholders model terms for cloud computing service level agreements between suppliers and professional cloud users. In the sphere of data protection, the Commission will also review the standard contractual clauses applicable to the transfer of personal data to countries located outside of the EEA and adapt them, as necessary, for cloud services. The Commission will also call upon data protection authorities to approve binding corporate rules for cloud suppliers.

  • Key Action 3 – Promoting Common Public Sector Leadership through a European Cloud Partnership

The Commission believes that the public sector, as the EU's largest buyer of IT services, has a key role to play in pushing forward the adoption of cloud computing solutions. Several Member States have already started cloud initiatives such as G-Cloud in the UK, Andromede in France, and Trusted Cloud in Germany.

The Commission is therefore setting up a European Cloud Partnership ("ECP") this year to provide an umbrella for comparable initiatives at Member State level. The Commission hopes that the ECP will be of key importance for avoiding fragmentation of the market and bringing public authorities together.

Comment

The Commission's Communication highlights the importance of cloud computing to the EU's digital agenda and strategy. Potential cloud customers will welcome the development of EU-wide cloud standards, particularly where this enables them to comply with their own regulatory requirements in relation to data security etc. However, suppliers may be concerned about the cost of any associated certifications.

The development of model contracts and/or the adaptation of existing data transfer model clauses could be a double-edged sword for customers and suppliers alike. Whilst customers will welcome any attempt to agree terms and conditions less biased in favour of suppliers, they may not welcome the effective introduction of new model clauses which they are unable to negotiate. Likewise, suppliers will be concerned to ensure that any new model terms do not significantly increase their risk and liability for cloud services.

It is also not entirely clear how the implementation of these initiatives will interact with the Commission's current proposals for reform of the Data Protection Directive. However, it seems that the Commission is keen for supplier Binding Corporate Rules perhaps to become the solution to data protection concerns in the cloud.

A copy of the Communication is available here.  

  1. Digital by Default: UK Government plans digital takeover

The Cabinet Office has published a Digital Strategy and Digital Efficiency Report, setting out how the UK Government can make up to £1.2 billion worth of savings by 2015 simply by making everyday transactions digital.

As per the commitment made in this year's Civil Service Reform Plan, the strategy sets out how the Government plans to become "digital by default". This means that digital services are so straightforward and convenient that all those who can use them will choose to do so, whilst those who can't are not excluded. By making it easier for people to do things like pay their car tax, book driving tests, complete tax returns, or apply for their state pension online, the Cabinet Office estimates that it could deliver £1.7 billion a year in savings beyond 2015.

The seven Whitehall departments that handle the majority of central government service transactions will be the first to start redesigning their services. Each of these departments will start by identifying three significant services, with over 100,000 transactions a year, for digital transformation. These will be identified and published in departmental digital strategies in December 2012. The departments will then start to redesign these services by April 2013 and implement them by March 2015. Additionally, all new or redesigned transactional services going live after April 2014 from any department will have to meet a new Digital-by-Default service standard.

The digital strategy reinforces the UK Government's commitment to utilise innovative digital technologies. According to the strategy, the Cabinet Office will lead the way in the delivery of a new suite of common technology platforms to underpin the digital by default services. IT infrastructure is clearly at the heart of the Government's plans, although it remains to be seen how such infrastructure will be procured.

A copy of the Digital Strategy is available here.   

  1. Justice Committee report sends data protection proposals back to the drawing board

The House of Commons Justice Committee has published its report into the European Commission's proposed reforms of the Data Protection Directive. According to the report, the Commission's proposals are too prescriptive and the European Commission needs to go back to the drawing board.

In January 2012, the European Commission published its proposals for reform of the Data Protection Directive. The House of Commons Justice Committee in the UK launched an inquiry in July, calling for written evidence on the proposals. It has now published its report.

The Committee's report includes the following conclusions and recommendations with regard to the draft Regulation:

  • Structure:The Committee generally supports the proposed use of a Regulation rather than a Directive to ensure less fragmentation of data protection laws at a national level. However, it believes that the rules set out in the draft Regulation are too prescriptive and do not grant sufficient flexibility both to data controllers seeking to achieve compliance with the new law and to national data protection authorities when enforcing it.
  • Cost:The Committee is concerned that cost estimates in relation to both compliance and enforcement of the new rules may be too low.
  • Data Protection Officers:The Committee criticises the proposed obligation for data controllers with more than 250 employees to appoint a data protection officer. It believes any such requirement should be based on the type of business and the sensitivity of the data handled, rather than the number of employees.
  • Sanctions: The draft Regulation introduces the power to impose fines of up to €1 million or, in the case of a company, up to 2% of its annual global turnover. The Committee believes that data protection authorities should have more discretion as to the sanctions that they can impose in order to effectively punish the worst behaviour.

The report highlights the UK's current negotiating position with respect to the progress of the data protection reform through the legislative process. Data protection issues are of relevance to all businesses within the EU and the progress of the reform will therefore be eagerly monitored by numerous and varying stakeholders throughout the EU. According to the draft legislative timetable, the deadline for tabling amendments to the proposed Regulation is December 2012. It is then anticipated that the draft Regulation should be ready for trilogue with the Council and Commission by summer 2013, and put to a vote in the plenary session of the European Parliament in early 2014.

A copy of the Committee's report is available here

  1. Mistakes can be costly: data protection fine for inaccurate data

The Information Commissioner has served Prudential Assurance Company with a monetary penalty of £50,000 for data inaccuracies which led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. This is the first monetary penalty issued that doesn’t relate to a significant data loss.

The fourth data protection principle under the Data Protection Act in the UK requires personal data to be accurate and, where necessary, kept up to date.

In this case, the financial records of two customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007. The accounts then remained confused for more than three years, and the problem was only resolved in September 2010. According to the Information Commissioner's Office (the "ICO"), the company failed to investigate thoroughly following receipt of a letter in 2010 and the inaccuracy continued for a further six months.

The Information Commissioner has had the power to impose monetary penalties of up to £500,000 since April 2010 for serious contraventions of the data protection principles. However, to date, all penalties issued have related to data loss. This is the first time that a monetary penalty has been served for data inaccuracies and financial services institutions in particular should take note of the penalty. A spokesperson from the ICO stated "we hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage".

A copy of the Monetary Penalty Notice is available here.