New European Guidelines to Address Cloud Computing

The European Commission’s panel on privacy is expected to endorse the concept of cloud computing as legal under the continent’s privacy law today, and is likely to recommend that large companies and organizations police themselves to assure users that personal information kept in remote locations is protected, according to an article from The New York Times.

The panel, known as the Article 29 Working Party, would present the recommendation as part of its long-awaited guidelines on cloud computing, an industry that has sparked much interest in European nations, despite a variety of concerns from the different countries.

The report will highlight the advantages of using cloud computing to encourage innovation and economic efficiency, said an anonymous source with knowledge of the recommendations, the Times reports. This would reflect a more practical approach from European officials to remote computing’s growing role in the broader economy.

According to the article, “The recommendations are expected to guide decisions on cloud computing by regulators in the 27 E.U. countries. The sellers of cloud services are hoping the new guidelines will improve their image in Europe, where concerns about privacy and fears that business secrets could be stolen in U.S.-based cloud centers have discouraged sales.”

And while cloud computing sales in Europe are trailing those in the U.S. by at least two years (according to research firm Gartner), the sales of cloud services are rising at about 24 percent each year – or about four times as fast as the rate of technology spending overall, according to International Data Corp.

According to the article, companies using cloud computing can save money because they do not have to buy or house servers to deliver services or store data.

Some governments in Europe are also beginning to use cloud services to cut costs, the Times reports. In Belgium, the national government is creating its own cloud to consolidate government services.

But while the guidelines are unlikely to harmonize the patchwork of national privacy laws that control cloud computing in Europe, E.U. nations are required to give them “utmost consideration” in drafting national policies.

But the nations all have very different approaches to cybersecurity and therefore cloud security. According to the Times article, “Britain and Scandinavian countries tend to be more permissive than other European nations about the ways personal data can be processed in clouds, whereas Spain and France impose tough requirements, like requiring cloud service sellers to know at all times where information is being kept, said Jörg-Alexander Paul, a privacy lawyer at the firm Bird & Bird in Frankfurt. Germany has strict laws on handling cloud data, Mr. Paul said, but its enforcement is relatively lax.”

There are expected to be three major recommendations:

Cloud services sellers must be able to inform clients exactly where their data is being physically stored at any time of day.
Sellers must delete all personal data in cloud computing centers when retaining it is no longer necessary.
Cloud service companies must disclose to clients the subcontractors they plan to use to process data.

While the first two might add complexity and cost to managing data, the third recommendation could undermine large sellers of cloud services by forcing them to disclose their contractor lists to potential lower-cost rivals, the article says.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.