In the first of our new cloud computing and privacy series, we consider the general legal framework that applies to cloud computing and look at existing case-law, both at EU level and in various Member States. The next articles in our series will address more specific questions, namely the data protection legal framework; the security requirements and guidance; the anonymisation and pseudonymisation of data; the breach notification requirements; and the processing of health data in a cloud environment.
This series of articles has been made possible thanks to the CoCo Cloud project (www.coco-cloud.eu) funded under the European Union’s Seventh Framework Programme, and of which Bird & Bird LLP is a partner. Said project aims to establish a platform allowing cloud users to securely and privately share their data in the cloud.
Overview of the cloud computing legal framework across the EU
Although cloud computing services constitute an advancement in information and communication technologies, the phenomenon of remote services is far from novel. Nevertheless, cloud computing has undoubtedly attracted particular attention in recent years due to the development of new and innovative large-scale business models, but also due to technological evolution such as high-speed communications.
Consequently, interest in cloud computing has significantly increased in the past few years and led to numerous scientific studies regarding various aspects, including technical, commercial and legal ones. Public authorities in the EU have therefore been prompted to position themselves on the adoption of this new technological evolution. As a result, we observe that cloud computing is acknowledged by authorities at EU level and in all Member States examined (1).
Cloud computing at EU level
The European Union has shown particular interest in cloud computing in the framework of its digital agenda. In September 2012, the European Commission adopted a strategy for "Unleashing the Potential of Cloud Computing in Europe" (link)(2). The strategy - which is the result of an analysis of the overall policy, regulatory and technology landscapes - encourages the use of cloud computing across all economic sectors. It sets out the most important and urgent additional actions, and identifies three key actions:
- safe and fair contract terms and conditions;
- cutting through the jungle of standards; and
- establishing a European cloud partnership.
Following the 2012 Strategy of the EU Commission, the Parliament adopted a Resolution on 10 December 2013 (link)(3). The Resolution is based on the digital agenda and the various existing EU instruments in the field of information technology. More importantly, it puts forth the main challenges and examines various issues such as:
- the cloud as an instrument for growth and employment;
- the EU market and the cloud;
- public procurement, and procurement of innovative solutions;
- consumers and the cloud;
- intellectual property, civil law etc.; and
- data protection, fundamental rights and law enforcement.
Finally, the EU Commission has more recently published other documents relating to cloud computing, including, in July 2014, the Staff Working Document Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe' (link), accompanying the Communication entitled "Towards a thriving data-driven economy" (link).
Cloud computing at national level
All Member States examined in the CoCo Cloud project acknowledge cloud computing in one way or another through various publications, and in particular guidance.
However, it should be noted that, putting aside any specific publication in the field of privacy and data protection – which is undoubtedly the topic of greatest concern and thus most discussed (to be dealt with by our next article) – few countries have published general guidance on the subject of cloud computing. In addition, we note that for those countries that have published such guidance, the issues examined relate to specific aspects and in many instances to the use of cloud computing by public administrations.
More specifically, the publication of general guidance by public authorities regarding cloud computing varies between Member States (excluding any privacy and data protection guidance). Our analysis has enabled us to identify the following four different situations:
Member State(s) providing no or very little guidance on cloud computing in general.
Among such countries we find the Czech Republic, where public authorities have not published any actual guidance but have nevertheless shown interest in cloud computing such as in the strategic document issued by the Czech Government entitled "Digital Czech Republic v2.0: Road to the Digital Economy" (link). The situation in Finland is similar, where there is not much guidance concerning cloud computing specifically. The only guidance published by Finnish authorities concerns mainly questions closely related to cloud services such as outsourcing of the processing of personal data. Also, in the United Kingdom, it is interesting to note that even though there is no specific guidance on cloud computing, public authorities have nevertheless been active in this context, publishing in particular the so-called ICO Guidance, which is however limited to data protection (addressed in the next article).
Member State(s) providing guidance on specific issues only (excluding data protection).
Some countries that were examined have not published general guidance applicable to cloud computing but rather guidance on particular subjects. Firstly, in Poland, the Financial Supervision Commission (the "KNF") adopted in January 2013 "Recommendation D" on management of information technology and ICT environment security in banks and credit institutions operating on the Polish market (link). In Germany, the German Federal Agency for Security in Information Technology (4) published in February 2012 a guidance document entitled "Security Recommendations for Cloud Computing Providers" (link). In addition, there are non-binding guidelines on cloud computing by German industry associations, namely the German internet association eco of December 2010 (link) and the German IT association BITKOM of October 2009 (link).
Member State(s) providing guidance on or acknowledgment of public-related cloud computing.
In Italy, the Agency Digital Italy (AgID), which is the Italian public authority competent for the digitalization of the Italian administration, issued documents relating to the adoption of cloud computing by public authorities, and in particular the document entitled "Features of electronic systems for cloud in public administration" (link). It covers (i) possible cloud services to be adopted by public administration; (ii) a framework of architectures to be adopted for eGovernment services; (iii) the role of public administration in cloud computing; (iv) a description of the "OpenStack" project as an acceptable standard for public administration; (v) IaaS, PaaS and SaaS in relation to some types of public tenders; (vi) data centres for public administration cloud services; (vii) conformity, interoperability, operating and security, management, and resilience requirements of cloud in public administration; and (viii) classes of services.
Member State(s) providing general guidance applicable to the public and/or private sectors.
Finally, few countries provide general guidance that is intended not only for the public sector but also for private entities. These include for instance Belgium, where the Belgian Federal Public Service Economy published a study on cloud computing entitled "An economic opportunity for Belgium" (the "Unisys report"), which (i) offers a substantive definition of cloud computing; (ii) covers the opportunities and risks of cloud computing; and (iii) discusses the legal framework applicable to cloud computing (link). Similarly, in France, the Network and Information Security Agency ("ANSSI") published in December 2010 guidance on the outsourcing of information systems, and subsequently, on cloud computing (link).
In Denmark, the Agency for Digitisation has issued several guides and papers on cloud computing, including in particular "Cloud computing and the legal framework - guidance on legislative requirement and the contractual environment related to cloud computing", "Cloud audit and assurance initiatives", "New digital security models – discussion paper" and "Memorandum on legislation and rules that complicates the use of cloud computing in the public sector" (link).
Finally, public authorities in Spain published two main guides relating to cloud computing. In the first place, they issued the Spanish National Interoperability Framework (link), setting out the principles and guidelines for interoperability in the exchange and preservation of electronic information by the Public Administration. In addition, they circulated the "Guide for companies: security and privacy of cloud computing" of 2011 ("INTECO Guide") (link). The latter guide shows the different levels of clouds, the way in which the services are deployed, as well as the legal framework of reference, looking closely at the main implications regarding security and privacy, and the keys to ensuring success in the use of cloud computing services.
Our next article will address the "Data Protection Legal Framework" in the cloud computing context.