1 Comment

Summary:

Optimists hope that the EU’s expected cloud computing recommendations will resolve concerns around diverse data protection laws that slow cloud adoption. Realists hope for the best, but prepare for less. The reality is Europe remains a collection of countries, not a unified whole.

When the European Commission unveils its new cloud computing plan of action this week, the hope is it will reduce fear, uncertainty and doubt around Europe’s confusing welter of data protection laws that are impeding the broad adoption of cloud — especially public cloud — technologies. The European Cloud Computing Strategy is expected to push an array of standards for cloud computing and to help alleviate some of the legal hurdles to adoption.

Industry players who talked to GigaOM, clearly hope for the best but are prepping for less.  Of the EU’s effort to rationalize all these conflicting dictates, a top executive of one of Europe’s leading cloud providers quipped:  “They say they’re moving but glaciers move too.”

The problem is that while the EU has set policy around data protection, the regulations are not uniform across its 27 countries,with Germany often cited for its tough data privacy laws that mandate that personally identifiable information (PII) of consumers remain on German soil. Switzerland, a non EU country has similarly strict laws. Clearly, that geographic requirement flies in the face of the notion that cloud computing is a borderless, frictionless world where consumers transact with merchants not necessarily knowing where that transaction takes place.

Cloud confusion reigns in Europe

Cloud computing players on both sides of the pond bemoan this lack of clarity.

“The reality is although the EC addressed data privacy issues it was a directive not a law and the net result is that EU member states have adopted a patchwork quilt of data protection laws that vary in penalties and enforcement,” said David Canellos, CEO of Perspecsys, a cloud security company.

No kidding.  “We’ve managed to confuse the hell out of customers,” said  Jim Darragh, the newly installed CEO of Abiquo, a provider of cloud technologies.  “There are 160 different elements of European legislation pertaining to cloud.”

But pragmatists have to forge ahead. Verizon’s Terremark unit is proceeding with the assumption that it will need to have presence in all the relevant countries, said Chris Drumgoole, SVP of global operations for the big enterprise cloud provider.

Having said that, Drumgoole said much of the concern over European regs is overblown.  “EU data privacy laws are the new trendy reason not to like the cloud.  Basically, the rule is you must have command and control over data and know where it lies, you must be able to delete it, and provide audit records of what happens with it. These are fundamental things you should do whether you’re in the cloud or your own data center. You can’t put your data to bed in Germany and have it wake up in France.”

Ditlev Bredahl, CEO of OnApp, a UK-based company that facilitates the federation of clouds, agreed that paranoia is counterproductive. “People have this notion that because things are in the cloud, that stuff is just flying around. That’s not true,” he said. At least not if cloud is set up right.

Still, the issue remains that given these laws, businesses are loath to put a ton of loads in public clouds — especially those with a limited number of  data centers. Amazon, the 800-lb gorilla, hosts its European cloud operations in Dublin. It has no presence in Germany, the region’s biggest economy.

Public cloud loss is private cloud gain

Smart cloud implementors are proceeding but cautiously. Private and hybrid cloud adoption is often preached as a solution to the data protection issue. The right implementations keep PII data under the control of the business and within the required geography. As IDC analyst Mette Ohorlu put it recently,  Europeans are “mad about private cloud.” Her most recent data showed nearly three quarters (73 percent) of European companies surveyed are considering a move to the cloud and of those, 55 percent want to go the private cloud route, up from 36 percent last year.

The net takeaway from all my conversations is one of cautious fortitude. The feeling seems to be Europe — despite its economic woes — is a huge opportunity for cloud computing. And the upside of all this is that confusion is so bad now, it’s bound to get better with this week’s EU report and beyond. There will be more — much more — discussion of the European cloud computing picture at GigaOM’s Structure Europe conference in Amsterdam next month.

Feature photo courtesy of  Flickr user compujeramey

  1. To understand this, you need to understand how EU operates with the 2 primary types of “law”. Regulations are directly binding to member states but directives are “guidelines” which are then implemented by each member state. The directive sets out the basic minimum requirements but member states are responsible for implementing them. There are other types and nuances to these 2 but that’s not relevant here.

    The relevant directive is Directive 95/46/EC, specifically articles 25 and 26 – http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT – this essentially states that data cannot be transferred to third party states which do not have an equivalent level of protection (article 25) unless the subject gives permission (article 26). In the UK, implemented by the Data Protection Act 1998, all you need to do in your T&C is include a term where the user gives permission to transfer their data outside of the EEA. There are many other situations where you can transfer data even without consent (although consent is the easiest way), and there is detailed guidance at http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_8.aspx

    The problem comes with other countries. The directive states that consent is an option for transferring data outside the EEA but how that actually works will depend on the country. I don’t know how German law operates but for UK companies I don’t think this is an issue.

    Share

Comments have been disabled for this post