The European Cloud Computing Strategy: A Promising Step

Today, the European Commission announced the release of its long-awaited cloud strategy in a communication entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission clearly recognizes cloud computing’s capacity to allow people, businesses and governments to rent services and data storage far more cheaply than buying new equipment and software. Indeed, combined with the emergence of big data analytics, cloud computing represents a sea-change in the business and technical opportunities for the information technology industry and its myriad customers, business and consumer, large and small. The Commission’s strategy report is a major step forward by policymakers in coming to grips with the policy thinking needed to foster this new development and to deal with its many challenges in Europe and around the world.

SIIA particularly welcomes the Commission’s focus on the use of cloud computing in government. The Commission’s encouragement of the use of cloud computing is the counterpart of the US government’s Cloud First approach.

Unfortunately, some parts of the Commission’s communication go in a direction SIIA warned against in its report to policymakers last year. In places, the communication treats cloud computing as a discrete entity that is potentially subject to specific government regulation. In reality, cloud computing is a variety of evolving business and technical developments that share only a rough similarity. NIST has described three different service models for cloud computing (Software as a Service, Platform as a Service, and Infrastructure as a Service) and four different deployment models (private, community, public and hybrid). There is also the enormous difference between consumer uses of cloud computing and its business uses, and within the latter, still further important differences between uses by large organizations and by small and medium-sized businesses. Cloud computing is used in industries ranging from financial services to energy to telecommunications.

The European Commission’s cloud strategy document recognizes this issue, noting that cloud computing has a “range of defining features (which make a general definition elusive)…” Despite this, it goes on to propose a series of government regulations that can be effectively implemented only if there is a reasonably precise legal definition of cloud computing.

Privacy rules, security rules, intellectual property, and consumer protection rules apply when cloud computing is used, but there is no need for special privacy, security, intellectual property or consumer protection rules that apply just to cloud computing. Generalized rules, indeed, globally interoperable rules, are best suited to the global, borderless nature of cloud computing.

Some of the specific suggestions in the report are good in themselves. This is the case, for example, with the idea that security guidelines should be developed that take into account the special characteristics of cloud computing. But again, there is no need for European regulations that mandate specific security requirements just for cloud computing. Security standards should be market-driven and global, not just European, in character.

Another concern is the possible development of privacy rules just for the cloud. The Commission and the Parliament are working on a new data protection regulation that would apply across the board, but the cloud strategy suggests the development of alternative or competing privacy rules just for cloud computing.

The Commission also seems to be interested in mandating specific consumer protections such as data portability, interoperability and reversibility in standardized service level agreements. But it is a leap to jump from a concern for consumer protection to the conclusion that specific European consumer protection rules need to be incorporated into standardized terms of service. Industry groups, not European-wide regulators, are best situated to fill any perceived need for optional model contracts.

SIIA welcomes the Commission’s strategy and intends to engage in the process of working with the Commission to see that the benefits of cloud computing are fully realized in the European single market and throughout the world.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy