The ASPIRE study on the future of National Research and Education Networks calls for European NRENs to work together on a common approach to cloud computing. The European Commission has just published a Cloud Strategy that also seeks a common European approach, noting that “faced with 27 partly diverging national legislative frameworks, it is very hard to provide a cost-effective cloud solution at the level of digital single market”. This is helpful progress for those who want to use clouds to provide services, but there still seem to be some differences in what national laws and regulators regard as the right approach.
Most of the differences in interpretation seem to fall in two main areas: how much monitoring of the cloud provider each customer organisation needs to do, and how to deal with the geographically dispersed nature of clouds (particularly, but not only, the fact that clouds may include components outside the EEA). Clearly the two are linked, one of the Article 29 Working Party’s concerns was that because cloud resources move around, the customer wouldn’t know which physical location(s) they needed to check and monitor.
Unfortunately those two areas are also critical to the economics that make clouds work. Cloud providers do simple, standard things on a massive scale, with very limited customisation. It seems highly unlikely that security monitoring by every customer could be compatible with that business model. Clouds also use geography as part of their service model – high-speed global networks mean that users can access their information and services no matter where on the globe they are so services use geography as a benefit rather than a constraint: putting equipment wherever power and cooling are most cost-effective, and operating their own services from wherever the necessary skills can be found. A requirement to only store information in Europe might be feasible within that model – Europe covers climate zones where computers can relatively easily be kept at the right temperature and also has regions where electricity (including from renewable sources) is reasonably cheap. However a requirement to only operate equipment from within Europe could be more of a problem: clouds are expected to run 24 hours of the day and Europe only covers three different time zones. For operations over(European)night it looks a lot more cost-effective to have support staff working on other continents during their office hours, responding to requests, monitoring services and, where necessary, accessing them remotely. At least some European case law suggests that that non-European access might trigger regulatory problems.
So what might a model, acceptable to European regulators, European customers, and international cloud providers, look like?
All the recent guidance now seems to agree that security accreditation and monitoring by a third party, against a globally recognised standard, is preferable to requiring every customer to check for themselves. How best to resolve the geographical requirements of the law seems less clear, with a number of different alternatives being mentioned. The Article 29 Working Party produced a template for Binding Corporate Rules (BCRs) for Data Processors, which the Commission now seem to favour. According to the current Data Protection Directive an approved set of BCRs will satisfy the requirement that personal data be protected according to European standards. However the Commission also seem to be encouraging the development of standard contracts for cloud services – another approach the law recognises as acceptable. Meanwhile both the Dutch and, particularly, UK regulators have recently stressed the need for customers to do a risk assessment to satisfy themselves that exporting personal data from Europe is acceptable. For this risk assessment approach, at least, a model where information is stored in Europe and only accessed from outside in clearly defined circumstances seems helpful.
Although there doesn’t yet seem to be complete agreement, there do now seem to be ways to address both the geographic and monitoring issues, and do so in a way that fits the economic model I’ve suggested above. A single BCR approval and security certification/monitoring would satisfy all customers (so scales well); individual customers need to assess the risks to personal data they process whether they use cloud services or not; support services (even if not storage) could continue to benefit from geography because, wherever in the world they were, support staff would be subject to the BCRs.
