Privacy and Data Breach Concerns in Cloud Computing Developments in the EU

Locke Lord LLP

Over the last few years Europe has increased its focus on cloud computing, and several organizations, working groups and policies have been set up to encourage its expansion and increased usage at the EU level.

For example, the European Cloud Computing Strategy was adopted by the European Commission in September 2012, with the aim of delivering, through cloud computing, a net gain of 2.5 million new European jobs and an annual boost of €160 billion (around 1%) to the EU’s GDP by 2020. In April 2016, the European Commission announced its plans for the “European Cloud Initiative,” which aims to provide an open environment within which 1.7 million European researchers and 70 million professionals in science and technology can store, manage, process and share data (the “European Open Science Cloud”). The estimated investment requirement of the initiative is €6.7 billion.

All of these efforts and initiatives have led to a visible increase in the business of cloud computing and data storage in the EU, including for example:

  • in 2015, Apple announced that it would invest €1.7 billion in new data centres in Europe;
  • in 2014 IBM announced the opening of a new cloud data centre in France, and in 2015 IBM announced the openings of its first cloud data centres in Germany and in Italy; and
  • cloud storage and sharing tools company Zettabox stores its customers’ data only in data centres in Europe (including in the Netherlands, Germany, the UK, Spain, Italy and France).

The 2015 Cloud Security Spotlight study by the Cloud Security Alliance (CSA) found that security is the biggest perceived barrier to cloud adoption, with 9 out of 10 organizations surveyed disclosing that they are concerned about public cloud security. To address some of these concerns, the International Information Systems Security Certification Consortium ((ISC)²) and the CSA launched a new certification scheme in April 2015 aimed at cloud security professionals. The certification, known as “Certified Cloud Security Professional,” or “CCSP,” is designed as an international standard for professional-level knowledge of the design, implementation and management of cloud environments. CCSP certification signals to employers and others that the holder is competent in cloud security and has the knowledge and skills to address the security and business issues that cloud computing raises.

On July 6, 2016, the European Parliament adopted the first EU-wide legislation on cybersecurity, the Directive on security of network and information systems (the NIS Directive). The NIS Directive applies to “operators of essential services” (for example, electricity and gas suppliers, airports and railways, stock exchanges and healthcare providers) and to providers of “digital services” (namely online marketplaces, online search engines and cloud computing services). It sets out the security measures that such operators and providers must take to manage the risks to their network and information systems, and requires them to notify incidents that have a significant impact on their services to the competent national authority or CSIRT. The Directive entered into force in August 2016, and EU Member States have 21 months (i.e. until May 2018) to transpose it into national law. Each Member State must then, within a further 6 months, identify the operators of essential services established in its jurisdiction. Digital service providers are not identified in this way: they are subject to the Directive if they offer their services within the European Union, and a digital service provider established outside the EU must designate a representative in one of the Member States in which it offers services and is treated as subject to the jurisdiction, and the national implementing legislation, of that Member State.

Whilst improved security is to be welcomed, there is concern that these changes will isolate the EU and form a sort of “cyber-barrier” which will restrict trade. The NIS Directive, for example, may require businesses to make significant investments to bring their security systems up to standard and to put in place policies and processes for identifying and reporting incidents. Such additional costs are likely to be off-putting to larger companies such as Google and Facebook, and could be prohibitive to smaller digital service providers (although the Directive exempts micro and small enterprises from its digital service provider obligations). In parallel, the Data Protection Directive is being replaced by the General Data Protection Regulation (GDPR), which was adopted in April 2016 and applies from May 25, 2018. Whilst the GDPR does not specifically address cloud computing, a number of its provisions will have an impact on the provision and use of cloud services, including in the following key areas:

  • Global reach: The GDPR extends its reach to organizations based outside the EU. Under Article 3(2), it applies to controllers and processors with no EU establishment where they process personal data in connection with offering goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU, irrespective of where the processing takes place. Article 48 addresses requests by courts or public authorities in third countries for personal data stored and processed in the EU: such a judgment or decision may be recognized or enforced only if it is based on an international agreement, such as a mutual legal assistance treaty. This provision was drafted with particular regard to the growth of cloud computing, where data hosted in the EU may be sought by foreign authorities through the provider rather than through the customer who controls it.
  • Data processors will also be held responsible: Under the existing Directive, data controllers (i.e. those who determine the purposes and means of processing personal data), but not data processors (i.e. those who process personal data on behalf of a controller), are responsible for the lawful collection and processing of that data. The GDPR imposes direct obligations on processors, a category into which most cloud providers fall: for example, to process personal data only on the controller’s documented instructions and under a contract meeting the requirements of Article 28, to implement appropriate technical and organizational security measures (Article 32), to keep records of processing activities (Article 30), and to notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). Processors that fail to meet these obligations are exposed to fines and to claims for compensation in their own right.
  • Sanctions: Article 83 of the GDPR allows national data protection authorities to impose administrative fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher, for infringements such as failing to implement appropriate security measures or to notify a personal data breach, and of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for infringements of the basic principles of processing, of data subjects’ rights or of the rules on international transfers. Whether an infringement was intentional or negligent is one of the factors taken into account in setting the amount, and the fines apply to controllers and processors alike.

Cloud computing data breaches have raised concerns about the risk of leaks and breaches in cloud storage platforms, particularly given the type and volume of data that cloud platforms hold: a single breach could affect hundreds of thousands of individuals.

Whether cloud providers will raise their security to a level that adequately protects personal data remains, for the moment, a case of “watch this (cyber) space.” Companies should continue to monitor developments in the wake of the NIS Directive and in the lead-up to the GDPR applying in May 2018.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

