Cloud Computing, SMEs and the Public Sector
The European Commission recently published a memo stating they want to extend the use of cloud computing in Europe to allow Europe to improve its productivity levels and remain competitive globally. The European Commission believe that unclear or pro-supplier cloud computing contracts are one barrier to such extension happening. As such, an expert group has been set up by the European Commission to work on safe and fair model terms for cloud computing contracts.
It is refreshing for SMEs in the South-West that the European Commission acknowledges that:
- SMEs are the bedrock of the European economy;
- appropriately selected cloud providers can assist SME's increase productivity;
- citizens, businesses and public administrations have reservations over security and confidentiality of information in the cloud. Such concerns were aggravated by Edward Snowden's revelations about the NSA's PRISM program. The European Commission sees safe and fair model terms as one way of restoring trust in cloud computing. The memo also correctly highlights that some cloud solutions may be more secure than on-premises solutions;
- a number of current cloud contracts do not set out clearly the service, service levels and type of obligations you would expect to impose on a supplier in a balanced contract or contain equitable remedies if the cloud service does not work or loses or corrupts a customer's data. It will be interesting if the scope to negotiate a supplier's standard terms will grow whilst the model terms are being procured and / or increase as competition within the cloud industry increases. One of the reasons for model terms is to reduce the professional charges for SMEs procuring a cloud solution.
Hopefully the challenges of the European Commission's ambitious approach to establish a fully functioning internal market for cloud computing will be overcome.
If agreed and implemented, safe and fair model terms and transparent standards would be a big step forward. It would allow SMEs to build on the opportunities that will be or have been given by the recent superfast broadband projects in the UK (for example, http://www.michelmores.com/michelmores-advises-on-94m-superfast-broadban... regarding Devon and Somerset).
Over the past 15 months, the European Commission has viewed the public sector as a possible catalyst for driving the wider adoption of cloud services in the EU. The public sector is the largest IT procurer in Europe. But the public sector has not embraced cloud computing as widely as the private sector:
- for security reasons and the consequences of breaching the 7th data protection principle;
- due to the cloud computing technology superseding and conflicting with the Data Protection Act 1998 (the "DPA"). For example, the DPA relates to single tenanted services whereas cloud computing is often multi tenanted services, cloud providers may not be able to say where the data controller's personal data is processed and stored which may conflict with the 1st, 2nd and 8th data protection principles. The new data protection legislation being developed by the EU will hopefully resolve this point; and
- because, unlike the private sector under the current data protection regime, they are often obliged to report breaches of the DPA to the ICO.
Model terms and certification schemes regarding IT security standards are some of the ways the European Commission proposes to overcome such barriers.
The European Commission is supporting the Cloud-for-Europe initiative. This aims to allow the public sector to prepare for the procurement of cloud services, maximising benefits and competition, minimising pitfalls.
Nathaniel Lane is a Solicitor in Michelmores' Technology, Media and Communications Team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at firstname.lastname@example.org or on 0207 788 6313