This paper examines B2G cloud computing services, where an awarding authority or awarding entity (in the meaning of the European Procurement Directives) procures cloud computing services from a private sector provider. We do not discuss the G2G model, where a public sector entity offers cloud-type services to other entities from the public sector.
Cloud for Europe
Cloud computing is one of the key directional strategies of the European Union. In September 2012, the European Commission adopted a strategy for Unleashing the Potential of Cloud Computing in Europe. The document presents the advantages for the European economy of using the cloud computing data processing business model, as well as the main associated challenges. These advantages exist regardless of whether a single awarding entity orders cloud computing services for the whole or part of the public administration, or an awarding entity orders cloud computing services for its own purposes.
According to the European Commission and numerous studies, the public sector could benefit immensely from cloud computing, by way of, inter alia, savings in taxpayer spending and promoting good standards in back-office processing and e-government services among public authorities, which are not able to develop ergonomic solutions by themselves. Moreover, standardisation – in relation to graphical user interfaces, application programming interfaces, and file formats etc. – saves users and providers valuable time, effort and energy. And, of course, cloud computing provides and fosters standardisation.
The public sector in Central Europe and cloud computing
The transformation of public administration in Central Europe has taken a rocky road. Transformational IT projects in Central Europe have been by no means success stories. Many see cloud computing as a chance to resolve at least some of the issues preventing the public sector in Central Europe from accelerating towards an e-government and information society. However, in order for cloud computing to address these problems, a number of obstacles in implementing cloud in the public sector need to be overcome.
Governments in Central Europe are interested in cloud computing. The Polish Authority for Implementation of European Programmes (WWPE) and the Polish Ministry of Administration and Digitalisation (MAiC) have ordered feasibility studies of cloud computing in the public sector. A pre-study of deploying a cloud computing model for local authorities was followed by a detailed study of transforming the public sector from local silo IT to cloud computing based processing: Study on the possibilities of using cloud services computing (cloud computing) in the public sector (including local government units) in Poland, prepared by KPMG, Bird & Bird Maciej Gawroński Sp.k. and Wojciech Cellary.1
What then are the legal or quasi-legal constraints hindering the progress of cloud computing in the public sector? And what are the Central European specifics in this respect?
The following issues require particular attention in the context of the public sector procuring cloud services:
- procurement – the impact of public procurement procedures especially in relation to what in the private sector is called "time to market" and the financial value of an award
- data protection law – primarily processing data in the EU, but also the data processing principles
- budgeting – to what extent are you obliged to predict and budget the costs of cloud computing services especially when you are procuring for a group of public sector entities
- terms & conditions – the conditions upon which the public sector could procure cloud services are yet to be developed, separately for different types of services and the data processed
- information security – ensuring accessibility, integrity and protecting stored and processed information against unauthorised access
- intelligence and law enforcement – understanding the rights that foreign law enforcement agencies may have to disclose information stored in a foreign cloud; assessing the strategic risks of infiltration by foreign intelligence
- EU funding competition – the EU subsidising traditional IT software and hardware purchases, which discourages public entities from switching to more efficient cloud computing services
Procurement – time of proceedings and value of an award
Cloud computing offers a dynamic, scalable, pay per use service. However, if you are obliged to pass the whole public procurement process in order to increase or decrease your use of a particular cloud service, you obviously are not able to profit from those advantages. To deal with this issue we propose to rely on a redefined right of option.
Right of option is an existing instrument of public procurement law; however, it was initially considered as an instrument for supplementing/reducing a major procurement. Now, for the purpose of procuring cloud services, right of option should cover most of the potential scope of services. As long as an awarding authority moves within the limits of an option (e.g. adding or reducing virtual servers), no new procedures are required.
All regulated sectors, and in particular the public sector, are sensitive to the requirements of data protection law. On top of this there is a general concern as to whether cloud computing complies with EU data protection requirements. These concerns, as far as related to data processing in the European Economic Area, arise mainly from a limited understanding of data protection principles and the patchwork of EU data protection laws. The issues surrounding data protection compliance can be simply overcome by relying on expert legal advice – cloud computing can be data protection compliant.
One of the challenges the public sector faces in adopting cloud is the nature of the budgeting process, where you are required to predict the total demand or expenditures you are going to make for a fiscal year. In certain cases of joint procurement this may narrow the margin for profiting from dynamic allocation and the pay per use benefits of cloud.
Terms & conditions
There is general uncertainty as to under what terms and conditions you should order cloud, especially when you are a public entity. Different Central European data protection authorities have developed certain guidelines, such as the Polish Inspector General for Personal Data Protection's (GIODO) Dekalog Chmuroluba (The Ten Commandments of a Cloudophil) published in 2013 (see here, in Polish), or the guidelines issued by the Czech Data Protection Office in August 2013 (see here, in Czech). The European Commission is also working on defining fair contractual terms.
Guidelines and use cases
The public sector is usually concerned not only about the final outcome, but equally about responsibility, liability and, therefore, procedures. Understandably, decision makers look for simple, measurable criteria, which could justify their decisions. This is even more relevant for the public sector in Central European post-communist countries where reluctance in taking decisions is due to historical reasons.
At present the public sector is crying out for any such guidelines and use cases.
Security – general issues
There are general concerns regarding data protection read as information security. Questions are being raised as to how to make cloud computing services secure and compliant with data protection law requirements.
ISO recently developed a cloud specific standard for information security – ISO 27018. We hope that the ISO 27018 standard will fully address the concerns regarding data protection compliance by cloud computing offerings.
The standard itself still needs to be reviewed and tested in practice. Nevertheless, a number of cloud providers have already started promoting it. When thinking about information security a public entity should compare its own capability of providing information security against that of a potential cloud provider. Often, if not in most cases, the cloud provider can ensure better information security than the awarding entity itself.
Security – intelligence
Apart from general information security aspects, there are concerns relating to potential enforced access to information stored in a cloud by a public entity. As long as the enforcement agency comes from the same country as the public entity using the cloud, there should not be any particular concern. The situation differs when a foreign agency may enforce access to information stored in a cloud by a public sector entity of another country. A case in point: Snowden's revelations weakened much trust in US-controlled trust providers.
There are expectations that a public entity intending to entrust a "foreign" cloud with data processing/storage should be aware of the risks associated with specific foreign governmental agencies accessing stored information. However, in our opinion, this falls under the domain of counterintelligence and issues related to processing state secrecy, and in the case of processing certain information has national security aspects. The public entity responsible for such information will know about such constraints in advance.
EU funding is hindering the development of cloud computing
The European Union generously provides financing for purchasing IT hardware and software. At the same time purchasing services is, by default, not eligible for EU funding. This is a real obstacle in building demand for B2G cloud computing offerings.
Currently the European Commission is endeavouring to work around this issue by encouraging cross-border partnerships between awarding authorities and entities for pre-commercial procurement, and then procurement of cloud computing services under a research and development umbrella. We should be able to see the results of these efforts probably by the end of 2015.
Nevertheless, subsidising traditional IT services will always play against unleashing the potential of cloud computing. When public authorities can obtain financing for their own IT purchases (based on which they can, by the way, create a G2G cloud offering), they will not be that willing to search for a private offering matching what they can create internally. Again this is particularly true in Central European countries which currently benefit mostly from EU funding.
The advantages which could be achieved by purchasing cloud computing services by awarding entities far outweigh the disadvantages. Although there is a risk that ordering the cloud computing services could be a difficult process, currently the legal provisions do not exclude the possibility of purchasing them. Tackling the ignorance and unwillingness of the awarding entities is extremely important, as well as conducting a public dialogue between awarding entities, authorities and legal/technical specialists. Much still remains to be done; however, in the end there is a real chance of seeing public administration in the cloud, especially given that cloud computing could be compliant with data protection rules and security principles.