Privacy & Information Security Law Blog

On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.

The newly-released strategy follows the Commission’s consultation on cloud computing and the Article 29 Working Party’s Opinion on cloud computing. The strategy focuses on three main issues:

• a simplification of cloud computing standards and certification;
• the development of new model contract terms for cloud computing services; and
• the initiative for a European Cloud Partnership.

These three elements, particularly the simplification of standards and the new model contract terms, are of interest to data protection practitioners.

Cloud Computing Standards and Certification

The Commission’s stated aim is to introduce new, pan-European certification schemes by 2014. The European Network and Information Security Agency (“ENISA”) and other relevant parties will be asked to assist in this process.

The certification schemes will address data protection, especially data portability, and focus on increased transparency of cloud service providers’ security practices. Although the Commission has provided a rather detailed list of factors to be considered by these new certification schemes, it should be noted that participation in the schemes will be voluntary.

Model Contract Terms for Cloud Computing

New model contract terms for cloud computing also will be drafted by the end of 2013 to ensure consistency and fairness in contracts for cloud computing services across Europe. The Commission places particular emphasis on how data is handled and contemplates the model contract terms covering, among other things:

• data preservation after the contract is terminated;
• data disclosure and integrity;
• data location and transfer;
• data ownership;
• data portability between services; and
• subcontracting.

The model contract terms also will incorporate new mechanisms that will be introduced by the proposed data protection regulation, such as those relating to data processor obligations.

Other Goals

The Commission’s new strategy also aims to:

• undertake a review, by the end of 2013, of the current standard contractual clauses for international data transfers to make them more cloud-friendly;
• encourage national data protection authorities to approve Binding Corporate Rules tailored for cloud services;
• draft a new industry code of conduct for the unified application of data protection provisions that would be developed in collaboration with the cloud computing industry and endorsed by the Article 29 Working Party; and
• increase coordination with the United States, India and other countries concerning (1) access to data by law enforcement agencies, (2) data and cybersecurity at the global level, and (3) liability of third-party service providers.

The Commission’s papers make frequent reference to the proposed new EU data protection regulation, the soon-to-be-published European strategy on cybersecurity and the proposed Common European Sales Law, creating the impression that the Commission intends to integrate its cloud computing strategy with other initiatives in the EU’s digital agenda.