On 27 September 2012, the European Commission (“Commission”), issued a Communication on “Unleashing the Potential of Cloud Computing in Europe” (“Communication”)1 in which it outlines the key actions the Commission will take over the next two years to lay the foundation for Europe to become a world cloud computing powerhouse.
In the Communication, the Commission recognises that cloud computing is a “game changer” for the European economy and reveals its strategy for enabling and facilitating faster adoption of cloud computing throughout all sectors of the European economy to cut ICT costs and boost productivity, growth and jobs (“Cloud Strategy"). The Commission has prepared the Cloud Strategy as it believes that the cloud industry is still at a comparatively early stage in its development which gives Europe a chance to act now to ensure that it is at the forefront of the industry’s development and to benefit on both the demand side and the supply side through widespread cloud use and cloud provision.
Issues to be addressed:
In preparing the Cloud Strategy, the Commission identified the following key perceived risks and issues associated with cloud computing which are restricting the level of cloud adoption by consumers, businesses (especially small and medium sized enterprises – “SMEs”) and public authorities:
- Fragmentation of the digital single market: one of the highest ranking concerns of potential cloud computing users and providers is the difference in national laws between EU Member States and the uncertainty over applicable law, digital content and data location, particularly with multi-jurisdictional cloud services;
- Problems with contracts: many concerns raised by potential cloud users surrounded the contractual terms upon which cloud services are provided including in relation to data access and portability, change control, ownership of data created in cloud applications, liability for service failures (e.g. downtime, loss of data), unilaterally imposed system upgrades and dispute resolution; and
- Jungle of standards: the current proliferation of standards generates confusion among users due, for example, to the lack of certainty as to which standards provide adequate levels of interoperability of data formats to permit portability and the extent to which safeguards are in place for the protection of personal data (e.g. against data breaches and cyber-attacks).
Key Commission actions:
To develop the climate of certainty and trust necessary to tackle these issues and stimulate the active adoption of cloud computing in Europe, the Commission has set itself the task of achieving the following three cloud-specific key actions over the next two years:
Action 1 - Cutting through the jungle of standards: the Commission will implement a number of initiatives to avoid user ‘lock-in’ by promoting interoperability, data portability and reversibility, including:
- ETSI standards: tasking the European Telecommunications Standards Institute (“ETSI”) to coordinate with stakeholders in a transparent and open way to identify by 2013 a detailed map of the necessary standards;
- Technical specifications: recognising at EU-level technical specifications in the field of information and communication technologies for the protection of personal information in accordance with the new Regulation on European Standardisation2;
- Certification schemes: working with the European Network and Information Security Agency (“ENISA”) and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing (including for data protection) and establish a list of such schemes by 2014; and
- Environmental metrics: addressing the environmental challenges of increased cloud use by agreeing, with industry, harmonised metrics for the energy consumption, water consumption and carbon emissions of cloud services by 2014.
Action 2 – Safe and fair contract terms and conditions: to counter the current prevalence of cloud service contracts which are provided on a ‘take it or leave it’ basis with an acutely proprovider bias, and which do not provide sufficient detail on key issues such as data recovery, data integrity, confidentiality or service continuity, by the end of 2013 the Commission will:
- Professional user model SLAs: develop with stakeholders model terms for cloud computing service level agreements (“SLAs”) for contracts between cloud providers and professional cloud users, taking into account the developing EU body of law in this field;
- SME/consumer model T&Cs: develop fair and safe contract terms and conditions for SMEs and consumers by: (i) proposing European model contract terms and conditions for those issues that fall within the Common European Sales Law proposal3, the aim being to standardise key contract terms and conditions and provide best practice contract terms for cloud services on aspects related with the supply of "digital content; and (ii) tasking a dedicated expert group to identify before the end of 2013 safe and fair contract terms and conditions, and on the basis of a similar optional instrument approach, for those cloud-related issues that lie beyond the Common European Sales Law;
- International data transfers: facilitate Europe's participation in the global growth of cloud computing by: (i) reviewing standard contractual clauses applicable to the transfer of personal data to third countries and adapting them, as needed, to cloud services; and (ii) calling upon national data protection authorities to approve Binding Corporate Rules for cloud providers; and
- Data protection code of conduct: work with industry to agree a code of conduct for cloud computing providers to support a uniform application of data protection rules which may be submitted to the Article 29 Working Party4 for endorsement in order to ensure legal certainty and coherence between the code of conduct and EU law.
Action 3 – Promoting common public sector leadership through a European Cloud Partnership: recognising the strong role which the public sector (as the EU’s largest buyer of IT services) has to play in shaping the cloud computing market, the Commission is setting up a European Cloud Partnership (“ECP") to bring together industry expertise and public sector users to work on common procurement requirements for cloud computing in an open and fully transparent way. Under the guidance of a steering board, the ECP will implement a pre-commercial procurement action to:
- Develop specifications: identify public sector cloud requirements and develop specifications for IT procurement and procure reference implementations to demonstrate conformance and performance;
- Joint procurement: advance towards joint procurement of cloud computing services by public bodies based on the emerging common user requirements; and
- Stakeholder coordination: set up and execute other actions requiring coordination with stakeholders as described in the Communication.
The Commission will also take a number of additional policy steps to support the three key actions detailed above including actions to assist the migration to cloud-based services, promote ubiquitously available cloud-based public services, implement the Commission’s own cloud plan under the eCommission 2012-2015 strategy5 and promote digital entrepreneurship with regard to cloud computing.
At an international level, the Commission will progress its on-going dialogues with the USA, India, Japan and other countries regarding key cloud-related issues including data protection, access to data by law enforcement agencies, coordination of data security at the global level, liability of intermediary service providers, standards and interoperability requirements and the application of tax law to cloud services.
A key theme running through the Communication is the Commission’s recognition of the need to act quickly not only in respect of the specific key actions detailed above but also in respect of related ongoing policy initiatives such as the reform of the EU data protection regime and the formulation of a Common European Sales Law. The Commission has therefore committed itself to delivering on the key actions identified in the Communication by the end of 2013, at which time it will report on progress on the full set of actions in the Cloud Strategy and present further policy and legislative proposals as required.
In relation to data protection, identified as a “key area of concern that could impede the adoption of cloud computing”, the Commission strongly encourages the European Council and Parliament to work swiftly towards the adoption of the proposed new data protection Regulation6 as soon as possible in 2013.
The Cloud Strategy set forth by the Commission is likely to be welcomed by users and potential users of cloud services, who stand to benefit from the initiatives to put cloud services on a more standardised, interoperable technical basis and to redress the acutely pro-provider bias of many cloud providers’ standard terms and conditions. It remains to be seen, however, whether these initiatives will be similarly welcomed by cloud providers, who to date have arguably benefited from being able to impose pro-provider terms and conditions on end users and, in the absence of interoperable standards, to ‘lock in’ users to their cloud services.
Many major providers of public cloud services currently only provide services on their standard terms and so will have to decide from 2014 onwards whether to adopt the Commission’s model terms (whether partially or wholly) into the service agreements for all of their users, not to adopt them at all, or otherwise be prepared to negotiate individual terms with users (which is likely to be impractical given the large number of users and low costs of public cloud services).
If the key actions to be implemented by the Commission do succeed in strengthening the position of cloud users (e.g. by allowing users to claim greater compensation for loss of data or service credits for service outages or obligating providers to provide more comprehensive post-termination support to migrate users’ data to alternative suppliers) then the resulting cost to providers may well be passed back to users in the form of higher service fees, thereby partially eroding one of the greatest benefits of cloud services: the provision of advanced computing services at low cost. Alternatively, providers may simply respond by offering differential pricing models whereby, for example, users which choose Commission-approved model terms and conditions and/or service level agreements have to pay a premium to reflect the additional cost and liability borne by the provider.
Meanwhile, the prospect of more favourable ‘standard’ model Commission terms being potentially offered by some cloud providers from 2014 onwards may influence the uptake of cloud services now. For example, sophisticated new users of cloud services may increasingly choose cloud providers which offer better post-termination migration support so that such users can in future more readily move to any alternative supplier which is prepared to provide equivalent services but on the basis of the Commission’s model terms.
The Commission observes in the Communication that cloud computing represents a further industrialisation of the provision of computing power in the same way that power plants previously industrialised the provision of electrical power. This raises an interesting question as to whether, in the event that cloud computing does in future result in computing being provided on a true utility basis, the Commission will seek to regulate the provision of cloud services as stringently as the provision of other utilities and whether the current proposals represent the thin end of an increasingly substantial regulatory wedge.
Given that the intrinsically global nature of cloud computing offers cloud providers great freedom to choose where to locate their cloud infrastructure, and that there is increased competition at an international level between countries to attract the business of major cloud providers, it is important that the new regime will provide advantages to cloud providers as well as users to avoid placing the EU at a competitive disadvantage.