Emergence of a European cloud combining growth and security

10.07.2017

A safer and people-friendlier cloud must be built at the European level.

A study carried out by the European Commission between December 2014 and April 2016 (1) shows that the increasing use of cloud computing has had a positive impact on the economies of the European Union countries. For the Commission, these economic benefits justify the removal of national restrictions on data flow in the EU.

Acknowledging the lack of clear regulation on the subject, the Commission calls for the development of a European cloud and the free flow of data in Europe.

The Cloud, a driver for growth

Cloud computing “allows users to access scalable, shareable, elastic pool of computing resources (such as networks, servers, storage, applications and services) hosted remotely, instead of investing capital in their own IT infrastructure or enables them to better share that IT infrastructure”(2).

A driver for growth for Member States

Not all European companies are using cloud computing, but cloud uptake is increasing and the European Commission estimates providers of cloud computing services to have “an average annual net benefit of EUR 2.8 billion, raising over time to 2020”.

For the Member States, the increasing use of cloud computing means not only major tax revenues, but also positive consequences for the environment resulting from the electronic storage of data.

According to the Commission’s study, the benefits linked to the steady increase of cloud computing are expected to rise to EUR 45 billion by 2020 in the European Union.

A source of investment savings for user companies

For businesses, the benefit will lie primarily in the reduction of IT-related operating expenses, allowing them to have more capital available for other investments.

The growing flexibility of cloud offerings is also a significant benefit for customers, as they can scale services up or down to meet their needs.

Unlike medium-size and large enterprises, small enterprises have been less attracted to cloud-based hosting; the generalization of a European cloud would be an obvious growth factor for them, as it would allow them to shift their IT costs to other operational expenses.

A driver for growth for cloud providers

The European Commission estimates that 303,000 new businesses could be created in Europe between 2015 and 2020 through the creation of a European cloud.

In these conditions, the impact of cloud computing on job creation and employment is undeniable, and could reach up to 2.5 million new jobs between 2012 and 2015 in the most optimistic scenario.

A European cloud is clearly an engine of growth for all the stakeholders, but there are legal barriers to its creation under current laws and regulations.

Legal barriers to the emergence of a European cloud

Building on Directive 95/46/EC (3), the General Data Protection Regulation of 27 April 2016 (known as “GDPR”) (4) enshrines the free movement of personal data in the European Union.

With a view to strengthening the free movement of data in the EU, the European Commission is committed to remove all existing restrictions on the location of data across the Union. It launched a public consultation from 10 January 2017 to 26 April 2017 (5) with the objective to help shaping the future European policy agenda and freezing the rules applicable to data location.

The Commission considers that any national restrictions on the free flow of data must be justified under the Treaty and be necessary and proportionate to achieve an objective of general interest, such as public security. This approach is consistent with the one adopted by the GDPR (8).

In France, the current legal framework contains several data location requirements.

In the health industry, the Public Health Code (6) requires hosting providers to be certified to host sensitive data such as personal data concerning health.

In the defence and public security industry, some sensitive data may not be hosted outside the national territory, pursuant to the State Information Systems Security Policy of 17 July 2014 (7). While in that case restrictions are justified to protect public security, and especially the leakage of sensitive data, data location restrictions generally hinder the development of a European cloud.

Moreover, a note from the French authorities dated 5 April 2016 (9) prohibits local and regional government authorities from transferring some data — described as “national treasures” — to a “non-sovereign cloud”. Apart from the fact that this prohibition is apparently at odds with the above-mentioned free movement of data principle, it seems to create a sort of “national preference” contrary to the current challenges of the Single Market.

From the perspective of user companies, some obstacles also exist with regard to data security. Indeed, the current French Data Protection Act imposes on data controllers an obligation of security and confidentiality in relation to the data processed. Using a cloud provider may therefore seem complicated and be a concern in terms of liability, as criminal sanctions can be very heavy.

In any event, the European Commission is committed to removing altogether data location restrictions in order to allow the European economy, cloud providers and user companies to reap the benefits of a future European cloud.

Eric Le Quellenec
With the assistance of Arthur Benchetrit
Lexing Droit Informatique

 

References:

  1. Study from 12-2014 to 4-2016, “Measuring the economic impact of cloud computing in Europe”
  2. Definition given by the European Commission in its study
  3. Directive 95/46/EC of 24-10-1995
  4. Reg. (EU) 2016/679 of 27-4-2016
  5. Communication of 10-1-2017, “Building a European Data Economy”
  6. French Code of Public Health, Art. L1111-8(1)
  7. Politique de sécurité des systèmes d’information de l’Etat, 17-7-2014
  8. Post of 30-1-2017
  9. Ministerial Direction (instruction ministérielle) of 5-4-2016

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.at

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.